openSUSE-SU-2020:0210

openSUSE-SU-2020:0233

RHSA-2020:0514

https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html

https://crbug.com/1042145

The remote NewStart CGSL host, running version MAIN 6.02, has sqlite packages installed that are affected by multiple vulnerabilities:

  - An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0.
    A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote     code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
    (CVE-2019-5018)

  - In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application     because of missing validation of a sqlite_stat1 sz field, aka a severe division by zero in the query     planner. (CVE-2019-16168)

  - In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and     segmentation fault because of generated column optimizations. (CVE-2020-9327)

  - selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.
    (CVE-2019-20218)

  - ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet     feature. (CVE-2020-13630)

  - SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related     to alter.c and build.c. (CVE-2020-13631)

  - ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo()     query. (CVE-2020-13632)

  - Out of bounds read in SQLite in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain     potentially sensitive information from process memory via a crafted HTML page. (CVE-2020-6405)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4442 advisory.

  - sqlite: Division by zero in whereLoopAddBtreeIndex in sqlite3.c (CVE-2019-16168)

  - sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error     (CVE-2019-20218)

  - sqlite: Use-after-free in window function leading to remote code execution (CVE-2019-5018)

  - sqlite: Use-after-free in fts3EvalNextRow in ext/fts3/fts3.c (CVE-2020-13630)

  - sqlite: Virtual table can be renamed into the name of one of its shadow tables (CVE-2020-13631)

  - sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query     (CVE-2020-13632)

  - sqlite: Out-of-bounds read in SELECT with ON/USING clause (CVE-2020-6405)

  - sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations     (CVE-2020-9327)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4442 advisory.

  - An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0.
    A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote     code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
    (CVE-2019-5018)

  - Out of bounds read in SQLite in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain     potentially sensitive information from process memory via a crafted HTML page. (CVE-2020-6405)

  - In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and     segmentation fault because of generated column optimizations. (CVE-2020-9327)

  - SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related     to alter.c and build.c. (CVE-2020-13631)

  - In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application     because of missing validation of a sqlite_stat1 sz field, aka a severe division by zero in the query     planner. (CVE-2019-16168)

  - selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.
    (CVE-2019-20218)

  - ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet     feature. (CVE-2020-13630)

  - ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo()     query. (CVE-2020-13632)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4442 advisory.

  - sqlite: Division by zero in whereLoopAddBtreeIndex in sqlite3.c (CVE-2019-16168)

  - sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error     (CVE-2019-20218)

  - sqlite: Use-after-free in window function leading to remote code execution (CVE-2019-5018)

  - sqlite: Use-after-free in fts3EvalNextRow in ext/fts3/fts3.c (CVE-2020-13630)

  - sqlite: Virtual table can be renamed into the name of one of its shadow tables (CVE-2020-13631)

  - sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query     (CVE-2020-13632)

  - sqlite: Out-of-bounds read in SELECT with ON/USING clause (CVE-2020-6405)

  - sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations     (CVE-2020-9327)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.48. It is, therefore, affected by multiple vulnerabilities:

  - An integer overflow condition exists in the JavaScript component of Google Chrome. An unauthenticated,     remote attacker can exploit this, via a crafted HTML page, to potentially exploit heap corruption.
    (CVE-2020-6381)

  - A type confusion error exists in the JavaScript component of Google Chrome. An unauthenticated, remote     attacker can exploit this, via a crafted HTML page, to potentially exploit heap corruption.
    (CVE-2020-6382)

  - A use-after-free vulnerability exists in the speech component of Google Chrome. An unauthenticated, remote     attacker can exploit this, via a crafted HTML page, to potentially exploit heap corruption.
    (CVE-2020-6406)

In addition, Microsoft Edge (Chromium) is also affected by several additional vulnerabilities including additional use-after-free vulnerabilities, out-of-bounds read/write, insufficient input validation, and insufficient policy enforcements.

Update to 80.0.3987.149. Upstream says it fixes '13' security issues, but only lists these CVEs :

  - CVE-2020-6422: Use after free in WebGL

  - CVE-2020-6424: Use after free in media

  - CVE-2020-6425: Insufficient policy enforcement in     extensions. 

  - CVE-2020-6426: Inappropriate implementation in V8

  - CVE-2020-6427: Use after free in audio

  - CVE-2020-6428: Use after free in audio

  - CVE-2020-6429: Use after free in audio.

  - CVE-2019-20503: Out of bounds read in usersctplib.

  - CVE-2020-6449: Use after free in audio

----

Update to 80.0.3987.132. Lots of security fixes here. VAAPI re-enabled by default except on NVIDIA.

List of CVEs fixed (since last update) :

  - CVE-2019-20446

  - CVE-2020-6381 

  - CVE-2020-6382 

  - CVE-2020-6383 

  - CVE-2020-6384

  - CVE-2020-6385 

  - CVE-2020-6386

  - CVE-2020-6387 

  - CVE-2020-6388

  - CVE-2020-6389

  - CVE-2020-6390 

  - CVE-2020-6391

  - CVE-2020-6392 

  - CVE-2020-6393

  - CVE-2020-6394

  - CVE-2020-6395

  - CVE-2020-6396 

  - CVE-2020-6397 

  - CVE-2020-6398

  - CVE-2020-6399 

  - CVE-2020-6400 

  - CVE-2020-6401 

  - CVE-2020-6402 

  - CVE-2020-6403 

  - CVE-2020-6404 

  - CVE-2020-6405 

  - CVE-2020-6406 

  - CVE-2020-6407

  - CVE-2020-6408 

  - CVE-2020-6409 

  - CVE-2020-6410 

  - CVE-2020-6411 

  - CVE-2020-6412 

  - CVE-2020-6413 

  - CVE-2020-6414 

  - CVE-2020-6415 

  - CVE-2020-6416 

  - CVE-2020-6417

  - CVE-2020-6418

  - CVE-2020-6420 

----

Update to 79.0.3945.130. Fixes the following security issues :

  - CVE-2020-6378

  - CVE-2020-6379

  - CVE-2020-6380

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 80.0.3987.132. Lots of security fixes here. VAAPI re-enabled by default except on NVIDIA.

List of CVEs fixed (since last update) :

  - CVE-2019-20446

  - CVE-2020-6381 

  - CVE-2020-6382 

  - CVE-2020-6383 

  - CVE-2020-6384

  - CVE-2020-6385 

  - CVE-2020-6386

  - CVE-2020-6387 

  - CVE-2020-6388

  - CVE-2020-6389

  - CVE-2020-6390 

  - CVE-2020-6391

  - CVE-2020-6392 

  - CVE-2020-6393

  - CVE-2020-6394

  - CVE-2020-6395

  - CVE-2020-6396 

  - CVE-2020-6397 

  - CVE-2020-6398

  - CVE-2020-6399 

  - CVE-2020-6400 

  - CVE-2020-6401 

  - CVE-2020-6402 

  - CVE-2020-6403 

  - CVE-2020-6404 

  - CVE-2020-6405 

  - CVE-2020-6406 

  - CVE-2020-6407

  - CVE-2020-6408 

  - CVE-2020-6409 

  - CVE-2020-6410 

  - CVE-2020-6411 

  - CVE-2020-6412 

  - CVE-2020-6413 

  - CVE-2020-6414 

  - CVE-2020-6415 

  - CVE-2020-6416 

  - CVE-2020-6417

  - CVE-2020-6418

  - CVE-2020-6420

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2019-19880     Richard Lorenz discovered an issue in the sqlite     library.

  - CVE-2019-19923     Richard Lorenz discovered an out-of-bounds read issue in     the sqlite library.

  - CVE-2019-19925     Richard Lorenz discovered an issue in the sqlite     library.

  - CVE-2019-19926     Richard Lorenz discovered an implementation error in the     sqlite library.

  - CVE-2020-6381     UK's National Cyber Security Centre discovered an     integer overflow issue in the v8 JavaScript library.

  - CVE-2020-6382     Soyeon Park and Wen Xu discovered a type error in the v8     JavaScript library.

  - CVE-2020-6383     Sergei Glazunov discovered a type error in the v8     JavaScript library.

  - CVE-2020-6384     David Manoucheri discovered a use-after-free issue in     WebAudio.

  - CVE-2020-6385     Sergei Glazunov discovered a policy enforcement error.

  - CVE-2020-6386     Zhe Jin discovered a use-after-free issue in speech     processing.

  - CVE-2020-6387     Natalie Silvanovich discovered an out-of-bounds write     error in the WebRTC implementation.

  - CVE-2020-6388     Sergei Glazunov discovered an out-of-bounds read error     in the WebRTC implementation.

  - CVE-2020-6389     Natalie Silvanovich discovered an out-of-bounds write     error in the WebRTC implementation.

  - CVE-2020-6390     Sergei Glazunov discovered an out-of-bounds read error.

  - CVE-2020-6391     Michal Bentkowski discoverd that untrusted input was     insufficiently validated.

  - CVE-2020-6392     The Microsoft Edge Team discovered a policy enforcement     error.

  - CVE-2020-6393     Mark Amery discovered a policy enforcement error.

  - CVE-2020-6394     Phil Freo discovered a policy enforcement error.

  - CVE-2020-6395     Pierre Langlois discovered an out-of-bounds read error     in the v8 JavaScript library.

  - CVE-2020-6396     William Luc Ritchie discovered an error in the skia     library.

  - CVE-2020-6397     Khalil Zhani discovered a user interface error.

  - CVE-2020-6398     pdknsk discovered an uninitialized variable in the     pdfium library.

  - CVE-2020-6399     Luan Herrera discovered a policy enforcement error.

  - CVE-2020-6400     Takashi Yoneuchi discovered an error in Cross-Origin     Resource Sharing.

  - CVE-2020-6401     Tzachy Horesh discovered that user input was     insufficiently validated.

  - CVE-2020-6402     Vladimir Metnew discovered a policy enforcement error.

  - CVE-2020-6403     Khalil Zhani discovered a user interface error.

  - CVE-2020-6404     kanchi discovered an error in Blink/Webkit.

  - CVE-2020-6405     Yongheng Chen and Rui Zhong discovered an out-of-bounds     read issue in the sqlite library.

  - CVE-2020-6406     Sergei Glazunov discovered a use-after-free issue.

  - CVE-2020-6407     Sergei Glazunov discovered an out-of-bounds read error.

  - CVE-2020-6408     Zhong Zhaochen discovered a policy enforcement error in     Cross-Origin Resource Sharing.

  - CVE-2020-6409     Divagar S and Bharathi V discovered an error in the     omnibox implementation.

  - CVE-2020-6410     evil1m0 discovered a policy enforcement error.

  - CVE-2020-6411     Khalil Zhani discovered that user input was     insufficiently validated.

  - CVE-2020-6412     Zihan Zheng discovered that user input was     insufficiently validated.

  - CVE-2020-6413     Michal Bentkowski discovered an error in Blink/Webkit.

  - CVE-2020-6414     Lijo A.T discovered a policy safe browsing policy     enforcement error.

  - CVE-2020-6415     Avihay Cohen discovered an implementation error in the     v8 JavaScript library.

  - CVE-2020-6416     Woojin Oh discovered that untrusted input was     insufficiently validated.

  - CVE-2020-6418     Clement Lecigne discovered a type error in the v8     JavaScript library.

  - CVE-2020-6420     Taras Uzdenov discovered a policy enforcement error.

The remote Redhat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:0514 advisory.

  - libxslt: use after free in xsltCopyText in transform.c could lead to information disclosure     (CVE-2019-18197)

  - CVE-2019-19926 sqlite: error mishandling because of incomplete fix of (CVE-2019-19880)

  - sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in     select.c leads to a NULL pointer dereference (CVE-2019-19923)

  - sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive     (CVE-2019-19925)

  - sqlite: error mishandling because of incomplete fix of CVE-2019-19880 (CVE-2019-19926)

  - chromium-browser: Integer overflow in JavaScript (CVE-2020-6381)

  - chromium-browser: Type Confusion in JavaScript (CVE-2020-6382)

  - chromium-browser: Insufficient policy enforcement in storage (CVE-2020-6385)

  - chromium-browser: Out of bounds write in WebRTC (CVE-2020-6387, CVE-2020-6389)

  - chromium-browser: Out of bounds memory access in WebAudio (CVE-2020-6388)

  - chromium-browser: Out of bounds memory access in streams (CVE-2020-6390)

  - chromium-browser: Insufficient validation of untrusted input in Blink (CVE-2020-6391)

  - chromium-browser: Insufficient policy enforcement in extensions (CVE-2020-6392)

  - chromium-browser: Insufficient policy enforcement in Blink (CVE-2020-6393, CVE-2020-6394)

  - chromium-browser: Out of bounds read in JavaScript (CVE-2020-6395)

  - chromium-browser: Inappropriate implementation in Skia (CVE-2020-6396)

  - chromium-browser: Incorrect security UI in sharing (CVE-2020-6397)

  - chromium-browser: Uninitialized use in PDFium (CVE-2020-6398)

  - chromium-browser: Insufficient policy enforcement in AppCache (CVE-2020-6399)

  - chromium-browser: Inappropriate implementation in CORS (CVE-2020-6400)

  - chromium-browser: Insufficient validation of untrusted input in Omnibox (CVE-2020-6401, CVE-2020-6411,     CVE-2020-6412)

  - chromium-browser: Insufficient policy enforcement in downloads (CVE-2020-6402)

  - chromium-browser: Incorrect security UI in Omnibox (CVE-2020-6403)

  - chromium-browser: Inappropriate implementation in Blink (CVE-2020-6404, CVE-2020-6413)

  - sqlite: Out-of-bounds read in SELECT with ON/USING clause (CVE-2020-6405)

  - chromium-browser: Use after free in audio (CVE-2020-6406)

  - chromium-browser: Insufficient policy enforcement in CORS (CVE-2020-6408)

  - chromium-browser: Inappropriate implementation in Omnibox (CVE-2020-6409)

  - chromium-browser: Insufficient policy enforcement in navigation (CVE-2020-6410)

  - chromium-browser: Insufficient policy enforcement in Safe Browsing (CVE-2020-6414)

  - chromium-browser: Inappropriate implementation in JavaScript (CVE-2020-6415)

  - chromium-browser: Insufficient data validation in streams (CVE-2020-6416)

  - chromium-browser: Inappropriate implementation in installer (CVE-2020-6417)

  - chromium-browser: Inappropriate implementation in AppCache (CVE-2020-6499)

  - chromium-browser: Inappropriate implementation in interstitials (CVE-2020-6500)

  - chromium-browser: Insufficient policy enforcement in CSP (CVE-2020-6501)

  - chromium-browser: Incorrect security UI in permissions (CVE-2020-6502)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for chromium fixes the following issues :

Chromium was updated to version 80.0.3987.87 (boo#1162833).

Security issues fixed :

  - CVE-2020-6381: Integer overflow in JavaScript     (boo#1162833).

  - CVE-2020-6382: Type Confusion in JavaScript     (boo#1162833).

  - CVE-2019-18197: Multiple vulnerabilities in XML     (boo#1162833).

  - CVE-2019-19926: Inappropriate implementation in SQLite     (boo#1162833).

  - CVE-2020-6385: Insufficient policy enforcement in     storage (boo#1162833).

  - CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities     in SQLite (boo#1162833).

  - CVE-2020-6387: Out of bounds write in WebRTC     (boo#1162833).

  - CVE-2020-6388: Out of bounds memory access in WebAudio     (boo#1162833).

  - CVE-2020-6389: Out of bounds write in WebRTC     (boo#1162833).

  - CVE-2020-6390: Out of bounds memory access in streams     (boo#1162833).

  - CVE-2020-6391: Insufficient validation of untrusted     input in Blink (boo#1162833).

  - CVE-2020-6392: Insufficient policy enforcement in     extensions (boo#1162833).

  - CVE-2020-6393: Insufficient policy enforcement in Blink     (boo#1162833).

  - CVE-2020-6394: Insufficient policy enforcement in Blink     (boo#1162833).

  - CVE-2020-6395: Out of bounds read in JavaScript     (boo#1162833).

  - CVE-2020-6396: Inappropriate implementation in Skia     (boo#1162833).

  - CVE-2020-6397: Incorrect security UI in sharing     (boo#1162833).

  - CVE-2020-6398: Uninitialized use in PDFium     (boo#1162833).

  - CVE-2020-6399: Insufficient policy enforcement in     AppCache (boo#1162833).

  - CVE-2020-6400: Inappropriate implementation in CORS     (boo#1162833).

  - CVE-2020-6401: Insufficient validation of untrusted     input in Omnibox (boo#1162833).

  - CVE-2020-6402: Insufficient policy enforcement in     downloads (boo#1162833).

  - CVE-2020-6403: Incorrect security UI in Omnibox     (boo#1162833).

  - CVE-2020-6404: Inappropriate implementation in Blink     (boo#1162833).

  - CVE-2020-6405: Out of bounds read in SQLite     (boo#1162833).

  - CVE-2020-6406: Use after free in audio (boo#1162833).

  - CVE-2019-19923: Out of bounds memory access in SQLite     (boo#1162833).

  - CVE-2020-6408: Insufficient policy enforcement in CORS     (boo#1162833).

  - CVE-2020-6409: Inappropriate implementation in Omnibox     (boo#1162833).

  - CVE-2020-6410: Insufficient policy enforcement in     navigation (boo#1162833).

  - CVE-2020-6411: Insufficient validation of untrusted     input in Omnibox (boo#1162833).

  - CVE-2020-6412: Insufficient validation of untrusted     input in Omnibox (boo#1162833).

  - CVE-2020-6413: Inappropriate implementation in Blink     (boo#1162833).

  - CVE-2020-6414: Insufficient policy enforcement in Safe     Browsing (boo#1162833).

  - CVE-2020-6415: Inappropriate implementation in     JavaScript (boo#1162833).

  - CVE-2020-6416: Insufficient data validation in streams     (boo#1162833).

  - CVE-2020-6417: Inappropriate implementation in installer     (boo#1162833).

The version of Google Chrome installed on the remote Windows host is prior to 80.0.3987.87. It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote macOS host is prior to 80.0.3987.87. It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
147397	NewStart CGSL MAIN 6.02 : sqlite Multiple Vulnerabilities (NS-SA-2021-0064)	Nessus	NewStart CGSL Local Security Checks	high
145815	CentOS 8 : sqlite (CESA-2020:4442)	Nessus	CentOS Local Security Checks	high
142752	Oracle Linux 8 : sqlite (ELSA-2020-4442)	Nessus	Oracle Linux Local Security Checks	high
142429	RHEL 8 : sqlite (RHSA-2020:4442)	Nessus	Red Hat Local Security Checks	high
138174	Microsoft Edge (Chromium) < 80.0.361.48 Multiple Vulnerabilities	Nessus	Windows	high
134990	Fedora 30 : chromium (2020-39e0b8bd14)	Nessus	Fedora Local Security Checks	high
134718	Fedora 31 : chromium (2020-f6271d7afa)	Nessus	Fedora Local Security Checks	high
134433	Debian DSA-4638-1 : chromium - security update	Nessus	Debian Local Security Checks	high
133749	RHEL 6 : chromium-browser (RHSA-2020:0514)	Nessus	Red Hat Local Security Checks	high
133593	openSUSE Security Update : chromium (openSUSE-2020-189)	Nessus	SuSE Local Security Checks	high
133465	Google Chrome < 80.0.3987.87 Multiple Vulnerabilities	Nessus	Windows	high
133464	Google Chrome < 80.0.3987.87 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high

CVE-2020-6405

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high