Debian DSA-4395-1 : chromium - security update

high Nessus Plugin ID 122272

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

 - CVE-2018-17481 A use-after-free issue was discovered in the pdfium library.

 - CVE-2019-5754 Klzgrad discovered an error in the QUIC networking implementation.

 - CVE-2019-5755 Jay Bosamiya discovered an implementation error in the v8 JavaScript library.

 - CVE-2019-5756 A use-after-free issue was discovered in the pdfium library.

 - CVE-2019-5757 Alexandru Pitis discovered a type confusion error in the SVG image format implementation.

 - CVE-2019-5758 Zhe Jin discovered a use-after-free issue in blink/webkit.

 - CVE-2019-5759 Almog Benin discovered a use-after-free issue when handling HTML pages containing select elements.

 - CVE-2019-5760 Zhe Jin discovered a use-after-free issue in the WebRTC implementation.

 - CVE-2019-5762 A use-after-free issue was discovered in the pdfium library.

 - CVE-2019-5763 Guang Gon discovered an input validation error in the v8 JavaScript library.

 - CVE-2019-5764 Eyal Itkin discovered a use-after-free issue in the WebRTC implementation.

 - CVE-2019-5765 Sergey Toshin discovered a policy enforcement error.

 - CVE-2019-5766 David Erceg discovered a policy enforcement error.

 - CVE-2019-5767 Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao reported an error in the WebAPKs user interface.

 - CVE-2019-5768 Rob Wu discovered a policy enforcement error in the developer tools.

 - CVE-2019-5769 Guy Eshel discovered an input validation error in blink/webkit.

 - CVE-2019-5770 hemidallt discovered a buffer overflow issue in the WebGL implementation.

 - CVE-2019-5772 Zhen Zhou discovered a use-after-free issue in the pdfium library.

 - CVE-2019-5773 Yongke Wong discovered an input validation error in the IndexDB implementation.

 - CVE-2019-5774 Junghwan Kang and Juno Im discovered an input validation error in the SafeBrowsing implementation.

 - CVE-2019-5775 evil1m0 discovered a policy enforcement error.

 - CVE-2019-5776 Lnyas Zhang discovered a policy enforcement error.

 - CVE-2019-5777 Khalil Zhani discovered a policy enforcement error.

 - CVE-2019-5778 David Erceg discovered a policy enforcement error in the Extensions implementation.

 - CVE-2019-5779 David Erceg discovered a policy enforcement error in the ServiceWorker implementation.

 - CVE-2019-5780 Andreas Hegenberg discovered a policy enforcement error.

 - CVE-2019-5781 evil1m0 discovered a policy enforcement error.

 - CVE-2019-5782 Qixun Zhao discovered an implementation error in the v8 JavaScript library.

 - CVE-2019-5783 Shintaro Kobori discovered an input validation error in the developer tools.

 - CVE-2019-5784 Lucas Pinheiro discovered an implementation error in the v8 JavaScript library.

Solution

Upgrade the chromium packages.

For the stable distribution (stretch), these problems have been fixed in version 72.0.3626.96-1~deb9u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2018-17481

https://security-tracker.debian.org/tracker/CVE-2019-5754

https://security-tracker.debian.org/tracker/CVE-2019-5755

https://security-tracker.debian.org/tracker/CVE-2019-5756

https://security-tracker.debian.org/tracker/CVE-2019-5757

https://security-tracker.debian.org/tracker/CVE-2019-5758

https://security-tracker.debian.org/tracker/CVE-2019-5759

https://security-tracker.debian.org/tracker/CVE-2019-5760

https://security-tracker.debian.org/tracker/CVE-2019-5762

https://security-tracker.debian.org/tracker/CVE-2019-5763

https://security-tracker.debian.org/tracker/CVE-2019-5764

https://security-tracker.debian.org/tracker/CVE-2019-5765

https://security-tracker.debian.org/tracker/CVE-2019-5766

https://security-tracker.debian.org/tracker/CVE-2019-5767

https://security-tracker.debian.org/tracker/CVE-2019-5768

https://security-tracker.debian.org/tracker/CVE-2019-5769

https://security-tracker.debian.org/tracker/CVE-2019-5770

https://security-tracker.debian.org/tracker/CVE-2019-5772

https://security-tracker.debian.org/tracker/CVE-2019-5773

https://security-tracker.debian.org/tracker/CVE-2019-5774

https://security-tracker.debian.org/tracker/CVE-2019-5775

https://security-tracker.debian.org/tracker/CVE-2019-5776

https://security-tracker.debian.org/tracker/CVE-2019-5777

https://security-tracker.debian.org/tracker/CVE-2019-5778

https://security-tracker.debian.org/tracker/CVE-2019-5779

https://security-tracker.debian.org/tracker/CVE-2019-5780

https://security-tracker.debian.org/tracker/CVE-2019-5781

https://security-tracker.debian.org/tracker/CVE-2019-5782

https://security-tracker.debian.org/tracker/CVE-2019-5783

https://security-tracker.debian.org/tracker/CVE-2019-5784

https://security-tracker.debian.org/tracker/source-package/chromium

https://packages.debian.org/source/stretch/chromium

https://www.debian.org/security/2019/dsa-4395

Plugin Details

Severity: High

ID: 122272

File Name: debian_DSA-4395.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2/19/2019

Updated: 2/13/2020

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2019-5783

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/18/2019

Vulnerability Publication Date: 12/11/2018

Reference Information

CVE: CVE-2018-17481, CVE-2019-5754, CVE-2019-5755, CVE-2019-5756, CVE-2019-5757, CVE-2019-5758, CVE-2019-5759, CVE-2019-5760, CVE-2019-5762, CVE-2019-5763, CVE-2019-5764, CVE-2019-5765, CVE-2019-5766, CVE-2019-5767, CVE-2019-5768, CVE-2019-5769, CVE-2019-5770, CVE-2019-5772, CVE-2019-5773, CVE-2019-5774, CVE-2019-5775, CVE-2019-5776, CVE-2019-5777, CVE-2019-5778, CVE-2019-5779, CVE-2019-5780, CVE-2019-5781, CVE-2019-5782, CVE-2019-5783, CVE-2019-5784

DSA: 4395