-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4256-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
July 26, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151
                 CVE-2018-6152 CVE-2018-6153 CVE-2018-6154 CVE-2018-6155
                 CVE-2018-6156 CVE-2018-6157 CVE-2018-6158 CVE-2018-6159
                 CVE-2018-6161 CVE-2018-6162 CVE-2018-6163 CVE-2018-6164
                 CVE-2018-6165 CVE-2018-6166 CVE-2018-6167 CVE-2018-6168
                 CVE-2018-6169 CVE-2018-6170 CVE-2018-6171 CVE-2018-6172
                 CVE-2018-6173 CVE-2018-6174 CVE-2018-6175 CVE-2018-6176
                 CVE-2018-6177 CVE-2018-6178 CVE-2018-6179

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-4117

    AhsanEjaz discovered an information leak.

CVE-2018-6044

    Rob Wu discovered a way to escalate privileges using extensions.

CVE-2018-6150

    Rob Wu discovered an information disclosure issue (this problem was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6151

    Rob Wu discovered an issue in the developer tools (this problem  was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6152

    Rob Wu discovered an issue in the developer tools (this problem  was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6153

    Zhen Zhou discovered a buffer overflow issue in the skia library.

CVE-2018-6154

    Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6155

    Natalie Silvanovich discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2018-6156

    Natalie Silvanovich discovered a buffer overflow issue in the WebRTC
    implementation.

CVE-2018-6157

    Natalie Silvanovich discovered a type confusion issue in the WebRTC
    implementation.

CVE-2018-6158

    Zhe Jin discovered a use-after-free issue.

CVE-2018-6159

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6161

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6162

    Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6163

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6164

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6165

    evil1m0 discovered a URL spoofing issue.

CVE-2018-6166

    Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6167

    Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6168

    Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross
    Origin Resource Sharing policy.

CVE-2018-6169

    Sam P discovered a way to bypass permissions when installing
    extensions.

CVE-2018-6170

    A type confusion issue was discovered in the pdfium library.

CVE-2018-6171

    A use-after-free issue was discovered in the WebBluetooth
    implementation.

CVE-2018-6172

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6173

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6174

    Mark Brand discovered an integer overflow issue in the swiftshader
    library.

CVE-2018-6175

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6176

    Jann Horn discovered a way to escalate privileges using extensions.

CVE-2018-6177

    Ron Masas discovered an information leak.

CVE-2018-6178

    Khalil Zhani discovered a user interface spoofing issue.

CVE-2018-6179

    It was discovered that information about files local to the system
    could be leaked to extensions.

This version also fixes a regression introduced in the previous security
update that could prevent decoding of particular audio/video codecs.

For the stable distribution (stretch), these problems have been fixed in
version 68.0.3440.75-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to
its security tracker page at:

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Debian: DSA-4256-1: chromium-browser security update

July 27, 2018
Several vulnerabilities have been discovered in the chromium web browser

Summary

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-4117

AhsanEjaz discovered an information leak.

CVE-2018-6044

Rob Wu discovered a way to escalate privileges using extensions.

CVE-2018-6150

Rob Wu discovered an information disclosure issue (this problem was
fixed in a previous release but was mistakenly omitted from upstream's
announcement at the time).

CVE-2018-6151

Rob Wu discovered an issue in the developer tools (this problem was
fixed in a previous release but was mistakenly omitted from upstream's
announcement at the time).

CVE-2018-6152

Rob Wu discovered an issue in the developer tools (this problem was
fixed in a previous release but was mistakenly omitted from upstream's
announcement at the time).

CVE-2018-6153

Zhen Zhou discovered a buffer overflow issue in the skia library.

CVE-2018-6154

Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6155

Natalie Silvanovich discovered a use-after-free issue in the WebRTC
implementation.

CVE-2018-6156

Natalie Silvanovich discovered a buffer overflow issue in the WebRTC
implementation.

CVE-2018-6157

Natalie Silvanovich discovered a type confusion issue in the WebRTC
implementation.

CVE-2018-6158

Zhe Jin discovered a use-after-free issue.

CVE-2018-6159

Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6161

Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6162

Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6163

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6164

Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6165

evil1m0 discovered a URL spoofing issue.

CVE-2018-6166

Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6167

Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6168

Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross
Origin Resource Sharing policy.

CVE-2018-6169

Sam P discovered a way to bypass permissions when installing
extensions.

CVE-2018-6170

A type confusion issue was discovered in the pdfium library.

CVE-2018-6171

A use-after-free issue was discovered in the WebBluetooth
implementation.

CVE-2018-6172

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6173

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6174

Mark Brand discovered an integer overflow issue in the swiftshader
library.

CVE-2018-6175

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6176

Jann Horn discovered a way to escalate privileges using extensions.

CVE-2018-6177

Ron Masas discovered an information leak.

CVE-2018-6178

Khalil Zhani discovered a user interface spoofing issue.

CVE-2018-6179

It was discovered that information about files local to the system
could be leaked to extensions.

This version also fixes a regression introduced in the previous security
update that could prevent decoding of particular audio/video codecs.

For the stable distribution (stretch), these problems have been fixed in
version 68.0.3440.75-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to
its security tracker page at:

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



Severity
Package : chromium-browser
CVE ID : CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151

Related News