ArchLinux: 201903-8: chromium: multiple issues

    Date: 13 Mar 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package chromium before version 73.0.3683.75-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, content spoofing and information disclosure.
    Arch Linux Security Advisory ASA-201903-8
    =========================================
    
    Severity: High
    Date    : 2019-03-13
    CVE-ID  : CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790
              CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794
              CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798
              CVE-2019-5799 CVE-2019-5800 CVE-2019-5802 CVE-2019-5803
    Package : chromium
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-923
    
    Summary
    =======
    
    The package chromium before version 73.0.3683.75-1 is vulnerable to
    multiple issues including arbitrary code execution, access restriction
    bypass, content spoofing and information disclosure.
    
    Resolution
    ==========
    
    Upgrade to 73.0.3683.75-1.
    
    # pacman -Syu "chromium>=73.0.3683.75-1"
    
    The problems have been fixed upstream in version 73.0.3683.75.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-5787 (arbitrary code execution)
    
    A use-after-free issue has been found in the Canvas component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5788 (arbitrary code execution)
    
    A use-after-free issue has been found in the FileAPI component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5789 (arbitrary code execution)
    
    A use-after-free issue has been found in the WebMIDI component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5790 (arbitrary code execution)
    
    A heap-based buffer overflow has been found in the V8 component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5791 (arbitrary code execution)
    
    A type confusion issue has been found in the V8 component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5792 (arbitrary code execution)
    
    An integer overflow issue has been found in the PDFium component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5793 (access restriction bypass)
    
    An issue with excessive permissions for a private API has been found
    in the Extensions component of the chromium browser before
    73.0.3683.75.
    
    - CVE-2019-5794 (content spoofing)
    
    A UI spoofing issue has been found in the chromium browser before
    73.0.3683.75.
    
    - CVE-2019-5795 (arbitrary code execution)
    
    An integer overflow issue has been found in the PDFium component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5796 (arbitrary code execution)
    
    A race condition has been found in the Extensions component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5797 (arbitrary code execution)
    
    A race condition has been found in the DOMStorage component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5798 (information disclosure)
    
    An out-of-bounds read has been found in the Skia component of the
    chromium browser before 73.0.3683.75.
    
    - CVE-2019-5799 (access restriction bypass)
    
    A CSP bypass issue with blob URLs has been found in the chromium
    browser before 73.0.3683.75.
    
    - CVE-2019-5800 (access restriction bypass)
    
    A CSP bypass issue with blob URLs has been found in the chromium
    browser before 73.0.3683.75.
    
    - CVE-2019-5802 (content spoofing)
    
    A UI spoofing issue has been found in the chromium browser before
    73.0.3683.75.
    
    - CVE-2019-5803 (access restriction bypass)
    
    A CSP bypass issue with JavaScript URLs has been found in the chromium
    browser before 73.0.3683.75.
    
    Impact
    ======
    
    A remote attacker can access sensitive information, bypass security
    restrictions and execute arbitrary code via crafted web content.
    
    References
    ==========
    
    https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html
    https://bugs.chromium.org/p/chromium/issues/detail?id=913964
    https://bugs.chromium.org/p/chromium/issues/detail?id=925864
    https://bugs.chromium.org/p/chromium/issues/detail?id=921581
    https://bugs.chromium.org/p/chromium/issues/detail?id=914736
    https://bugs.chromium.org/p/chromium/issues/detail?id=926651
    https://bugs.chromium.org/p/chromium/issues/detail?id=914983
    https://bugs.chromium.org/p/chromium/issues/detail?id=937487
    https://bugs.chromium.org/p/chromium/issues/detail?id=935175
    https://bugs.chromium.org/p/chromium/issues/detail?id=919643
    https://bugs.chromium.org/p/chromium/issues/detail?id=918861
    https://bugs.chromium.org/p/chromium/issues/detail?id=916523
    https://bugs.chromium.org/p/chromium/issues/detail?id=883596
    https://bugs.chromium.org/p/chromium/issues/detail?id=905301
    https://bugs.chromium.org/p/chromium/issues/detail?id=894228
    https://bugs.chromium.org/p/chromium/issues/detail?id=632514
    https://bugs.chromium.org/p/chromium/issues/detail?id=909865
    https://security.archlinux.org/CVE-2019-5787
    https://security.archlinux.org/CVE-2019-5788
    https://security.archlinux.org/CVE-2019-5789
    https://security.archlinux.org/CVE-2019-5790
    https://security.archlinux.org/CVE-2019-5791
    https://security.archlinux.org/CVE-2019-5792
    https://security.archlinux.org/CVE-2019-5793
    https://security.archlinux.org/CVE-2019-5794
    https://security.archlinux.org/CVE-2019-5795
    https://security.archlinux.org/CVE-2019-5796
    https://security.archlinux.org/CVE-2019-5797
    https://security.archlinux.org/CVE-2019-5798
    https://security.archlinux.org/CVE-2019-5799
    https://security.archlinux.org/CVE-2019-5800
    https://security.archlinux.org/CVE-2019-5802
    https://security.archlinux.org/CVE-2019-5803
    
    