Debian DSA-4256-1 : chromium-browser - security update

Medium Nessus Plugin ID 111360

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 7.3

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2018-4117 AhsanEjaz discovered an information leak.

- CVE-2018-6044 Rob Wu discovered a way to escalate privileges using extensions.

- CVE-2018-6150 Rob Wu discovered an information disclosure issue (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).

- CVE-2018-6151 Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).

- CVE-2018-6152 Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).

- CVE-2018-6153 Zhen Zhou discovered a buffer overflow issue in the skia library.

- CVE-2018-6154 Omair discovered a buffer overflow issue in the WebGL implementation.

- CVE-2018-6155 Natalie Silvanovich discovered a use-after-free issue in the WebRTC implementation.

- CVE-2018-6156 Natalie Silvanovich discovered a buffer overflow issue in the WebRTC implementation.

- CVE-2018-6157 Natalie Silvanovich discovered a type confusion issue in the WebRTC implementation.

- CVE-2018-6158 Zhe Jin discovered a use-after-free issue.

- CVE-2018-6159 Jun Kokatsu discovered a way to bypass the same origin policy.

- CVE-2018-6161 Jun Kokatsu discovered a way to bypass the same origin policy.

- CVE-2018-6162 Omair discovered a buffer overflow issue in the WebGL implementation.

- CVE-2018-6163 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6164 Jun Kokatsu discovered a way to bypass the same origin policy.

- CVE-2018-6165 evil1m0 discovered a URL spoofing issue.

- CVE-2018-6166 Lynas Zhang discovered a URL spoofing issue.

- CVE-2018-6167 Lynas Zhang discovered a URL spoofing issue.

- CVE-2018-6168 Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross Origin Resource Sharing policy.

- CVE-2018-6169 Sam P discovered a way to bypass permissions when installing extensions.

- CVE-2018-6170 A type confusion issue was discovered in the pdfium library.

- CVE-2018-6171 A use-after-free issue was discovered in the WebBluetooth implementation.

- CVE-2018-6172 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6173 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6174 Mark Brand discovered an integer overflow issue in the swiftshader library.

- CVE-2018-6175 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6176 Jann Horn discovered a way to escalate privileges using extensions.

- CVE-2018-6177 Ron Masas discovered an information leak.

- CVE-2018-6178 Khalil Zhani discovered a user interface spoofing issue.

- CVE-2018-6179 It was discovered that information about files local to the system could be leaked to extensions.

This version also fixes a regression introduced in the previous security update that could prevent decoding of particular audio/video codecs.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (stretch), these problems have been fixed in version 68.0.3440.75-1~deb9u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2018-4117

https://security-tracker.debian.org/tracker/CVE-2018-6044

https://security-tracker.debian.org/tracker/CVE-2018-6150

https://security-tracker.debian.org/tracker/CVE-2018-6151

https://security-tracker.debian.org/tracker/CVE-2018-6152

https://security-tracker.debian.org/tracker/CVE-2018-6153

https://security-tracker.debian.org/tracker/CVE-2018-6154

https://security-tracker.debian.org/tracker/CVE-2018-6155

https://security-tracker.debian.org/tracker/CVE-2018-6156

https://security-tracker.debian.org/tracker/CVE-2018-6157

https://security-tracker.debian.org/tracker/CVE-2018-6158

https://security-tracker.debian.org/tracker/CVE-2018-6159

https://security-tracker.debian.org/tracker/CVE-2018-6161

https://security-tracker.debian.org/tracker/CVE-2018-6162

https://security-tracker.debian.org/tracker/CVE-2018-6163

https://security-tracker.debian.org/tracker/CVE-2018-6164

https://security-tracker.debian.org/tracker/CVE-2018-6165

https://security-tracker.debian.org/tracker/CVE-2018-6166

https://security-tracker.debian.org/tracker/CVE-2018-6167

https://security-tracker.debian.org/tracker/CVE-2018-6168

https://security-tracker.debian.org/tracker/CVE-2018-6169

https://security-tracker.debian.org/tracker/CVE-2018-6170

https://security-tracker.debian.org/tracker/CVE-2018-6171

https://security-tracker.debian.org/tracker/CVE-2018-6172

https://security-tracker.debian.org/tracker/CVE-2018-6173

https://security-tracker.debian.org/tracker/CVE-2018-6174

https://security-tracker.debian.org/tracker/CVE-2018-6175

https://security-tracker.debian.org/tracker/CVE-2018-6176

https://security-tracker.debian.org/tracker/CVE-2018-6177

https://security-tracker.debian.org/tracker/CVE-2018-6178

https://security-tracker.debian.org/tracker/CVE-2018-6179

http://www.nessus.org/u?e33901a2

https://packages.debian.org/source/stretch/chromium-browser

https://www.debian.org/security/2018/dsa-4256

Plugin Details

Severity: Medium

ID: 111360

File Name: debian_DSA-4256.nasl

Version: 1.8

Type: local

Agent: unix

Published: 2018/07/27

Updated: 2019/07/15

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 7.3

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 2018/07/26

Vulnerability Publication Date: 2018/04/03

Reference Information

CVE: CVE-2018-4117, CVE-2018-6044, CVE-2018-6150, CVE-2018-6151, CVE-2018-6152, CVE-2018-6153, CVE-2018-6154, CVE-2018-6155, CVE-2018-6156, CVE-2018-6157, CVE-2018-6158, CVE-2018-6159, CVE-2018-6161, CVE-2018-6162, CVE-2018-6163, CVE-2018-6164, CVE-2018-6165, CVE-2018-6166, CVE-2018-6167, CVE-2018-6168, CVE-2018-6169, CVE-2018-6170, CVE-2018-6171, CVE-2018-6172, CVE-2018-6173, CVE-2018-6174, CVE-2018-6175, CVE-2018-6176, CVE-2018-6177, CVE-2018-6178, CVE-2018-6179

DSA: 4256