-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3085
                         chromium security update
                              13 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5868 CVE-2019-5867 CVE-2019-5865
                   CVE-2019-5864 CVE-2019-5862 CVE-2019-5861
                   CVE-2019-5860 CVE-2019-5859 CVE-2019-5858
                   CVE-2019-5857 CVE-2019-5856 CVE-2019-5855
                   CVE-2019-5854 CVE-2019-5853 CVE-2019-5852
                   CVE-2019-5851 CVE-2019-5850 CVE-2019-5849
                   CVE-2019-5848 CVE-2019-5847 CVE-2019-5842
                   CVE-2019-5840 CVE-2019-5839 CVE-2019-5838
                   CVE-2019-5837 CVE-2019-5836 CVE-2019-5834
                   CVE-2019-5833 CVE-2019-5832 CVE-2019-5831
                   CVE-2019-5830 CVE-2019-5829 CVE-2019-5828
                   CVE-2019-5827 CVE-2019-5826 CVE-2019-5825
                   CVE-2019-5824 CVE-2019-5823 CVE-2019-5822
                   CVE-2019-5821 CVE-2019-5820 CVE-2019-5819
                   CVE-2019-5818 CVE-2019-5815 CVE-2019-5814
                   CVE-2019-5813 CVE-2019-5811 CVE-2019-5810
                   CVE-2019-5809 CVE-2019-5808 CVE-2019-5807
                   CVE-2019-5806 CVE-2019-5805 

Reference:         ASB-2019.0228
                   ASB-2019.0225
                   ASB-2019.0196
                   ASB-2019.0131
                   ESB-2019.2210
                   ESB-2019.1608

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4500

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4500-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
August 12, 2019                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5805 CVE-2019-5806 CVE-2019-5807 CVE-2019-5808
                 CVE-2019-5809 CVE-2019-5810 CVE-2019-5811 CVE-2019-5813
                 CVE-2019-5814 CVE-2019-5815 CVE-2019-5818 CVE-2019-5819
                 CVE-2019-5820 CVE-2019-5821 CVE-2019-5822 CVE-2019-5823
                 CVE-2019-5824 CVE-2019-5825 CVE-2019-5826 CVE-2019-5827
                 CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831
                 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5836
                 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840
                 CVE-2019-5842 CVE-2019-5847 CVE-2019-5848 CVE-2019-5849
                 CVE-2019-5850 CVE-2019-5851 CVE-2019-5852 CVE-2019-5853
                 CVE-2019-5854 CVE-2019-5855 CVE-2019-5856 CVE-2019-5857
                 CVE-2019-5858 CVE-2019-5859 CVE-2019-5860 CVE-2019-5861
                 CVE-2019-5862 CVE-2019-5864 CVE-2019-5865 CVE-2019-5867
                 CVE-2019-5868

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5805

    A use-after-free issue was discovered in the pdfium library.

CVE-2019-5806

    Wen Xu discovered an integer overflow issue in the Angle library.

CVE-2019-5807

    TimGMichaud discovered a memory corruption issue in the v8 javascript
    library.

CVE-2019-5808

    cloudfuzzer discovered a use-after-free issue in Blink/Webkit.

CVE-2019-5809

    Mark Brand discovered a use-after-free issue in Blink/Webkit.

CVE-2019-5810

    Mark Amery discovered an information disclosure issue.

CVE-2019-5811

    Jun Kokatsu discovered a way to bypass the Cross-Origin Resource Sharing
    feature.

CVE-2019-5813

    Aleksandar Nikolic discovered an out-of-bounds read issue in the v8
    javascript library.

CVE-2019-5814

    @AaylaSecura1138 discovered a way to bypass the Cross-Origin Resource
    Sharing feature.

CVE-2019-5815

    Nicolas Grégoire discovered a buffer overflow issue in Blink/Webkit.

CVE-2019-5818

    Adrian Tolbaru discovered an uninitialized value issue.

CVE-2019-5819

    Svyat Mitin discovered an error in the developer tools.

CVE-2019-5820

    pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5821

    pdknsk discovered another integer overflow issue in the pdfium library.

CVE-2019-5822

    Jun Kokatsu discovered a way to bypass the Cross-Origin Resource Sharing
    feature.

CVE-2019-5823

    David Erceg discovered a navigation error.

CVE-2019-5824

    leecraso and Guang Gong discovered an error in the media player.

CVE-2019-5825

    Genming Liu, Jianyu Chen, Zhen Feng, and Jessica Liu discovered an
    out-of-bounds write issue in the v8 javascript library.

CVE-2019-5826

    Genming Liu, Jianyu Chen, Zhen Feng, and Jessica Liu discovered a
    use-after-free issue.

CVE-2019-5827

    mlfbrown discovered an out-of-bounds read issue in the sqlite library.

CVE-2019-5828

    leecraso and Guang Gong discovered a use-after-free issue.

CVE-2019-5829

    Lucas Pinheiro discovered a use-after-free issue.

CVE-2019-5830

    Andrew Krashichkov discovered a credential error in the Cross-Origin
    Resource Sharing feature.

CVE-2019-5831

    yngwei discovered a map error in the v8 javascript library.

CVE-2019-5832

    Sergey Shekyan discovered an error in the Cross-Origin Resource Sharing
    feature.

CVE-2019-5833

    Khalil Zhani discovered a user interface error.

CVE-2019-5834

    Khalil Zhani discovered a URL spoofing issue.

CVE-2019-5836

    Omair discovered a buffer overflow issue in the Angle library.

CVE-2019-5837

    Adam Iawniuk discovered an information disclosure issue.

CVE-2019-5838

    David Erceg discovered an error in extension permissions.

CVE-2019-5839

    Masato Kinugawa discovered implementation errors in Blink/Webkit.

CVE-2019-5840

    Eliya Stein and Jerome Dangu discovered a way to bypass the popup blocker.

CVE-2019-5842

    BUGFENSE discovered a use-after-free issue in Blink/Webkit.

CVE-2019-5847

    m3plex discovered an error in the v8 javascript library.

CVE-2019-5848

    Mark Amery discovered an information disclosure issue.

CVE-2019-5849

    Zhen Zhou discovered an out-of-bounds read in the Skia library.

CVE-2019-5850

    Brendon Tiszka discovered a use-after-free issue in the offline page
    fetcher.

CVE-2019-5851

    Zhe Jin discovered a use-after-poison issue.

CVE-2019-5852

    David Erceg discovered an information disclosure issue.

CVE-2019-5853

    Yngwei and sakura discovered a memory corruption issue.

CVE-2019-5854

    Zhen Zhou discovered an integer overflow issue in the pdfium library.

CVE-2019-5855

    Zhen Zhou discovered an integer overflow issue in the pdfium library.

CVE-2019-5856

    Yongke Wang discovered an error related to file system URL permissions.

CVE-2019-5857

    cloudfuzzer discovered a way to crash chromium.

CVE-2019-5858

    evil1m0 discovered an information disclosure issue.

CVE-2019-5859

    James Lee discovered a way to launch alternative browsers.

CVE-2019-5860

    A use-after-free issue was discovered in the v8 javascript library.

CVE-2019-5861

    Robin Linus discovered an error determining click location.

CVE-2019-5862

    Jun Kokatsu discovered an error in the AppCache implementation.

CVE-2019-5864

    Devin Grindle discovered an error in the Cross-Origin Resource Sharing
    feature for extensions.

CVE-2019-5865

    Ivan Fratric discovered a way to bypass the site isolation feature.

CVE-2019-5867

    Lucas Pinheiro discovered an out-of-bounds read issue in the v8 javascript
    library.

CVE-2019-5868

    banananapenguin discovered a use-after-free issue in the v8 javascript
    library.

For the stable distribution (buster), these problems have been fixed in
version 76.0.3809.100-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----