Debian DSA-4421-1 : chromium - security update

Nessus Plugin ID 123533 (Severity: High)

VPR Score: 6.7

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2019-5787 Zhe Jin discovered a use-after-free issue.

- CVE-2019-5788 Mark Brand discovered a use-after-free issue in the FileAPI implementation.

- CVE-2019-5789 Mark Brand discovered a use-after-free issue in the WebMIDI implementation.

- CVE-2019-5790 Dimitri Fourny discovered a buffer overflow issue in the v8 JavaScript library.

- CVE-2019-5791 Choongwoo Han discovered a type confusion issue in the v8 JavaScript library.

- CVE-2019-5792 pdknsk discovered an integer overflow issue in the pdfium library.

- CVE-2019-5793 Jun Kokatsu discovered a permissions issue in the Extensions implementation.

- CVE-2019-5794 Juno Im of Theori discovered a user interface spoofing issue.

- CVE-2019-5795 pdknsk discovered an integer overflow issue in the pdfium library.

- CVE-2019-5796 Mark Brand discovered a race condition in the Extensions implementation.

- CVE-2019-5797 Mark Brand discovered a race condition in the DOMStorage implementation.

- CVE-2019-5798 Tran Tien Hung discovered an out-of-bounds read issue in the skia library.

- CVE-2019-5799 sohalt discovered a way to bypass the Content Security Policy.

- CVE-2019-5800 Jun Kokatsu discovered a way to bypass the Content Security Policy.

- CVE-2019-5802 Ronni Skansing discovered a user interface spoofing issue.

- CVE-2019-5803 Andrew Comminos discovered a way to bypass the Content Security Policy.

Solution

Upgrade the chromium packages.

For the stable distribution (stretch), these problems have been fixed in version 73.0.3683.75-1~deb9u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2019-5787

https://security-tracker.debian.org/tracker/CVE-2019-5788

https://security-tracker.debian.org/tracker/CVE-2019-5789

https://security-tracker.debian.org/tracker/CVE-2019-5790

https://security-tracker.debian.org/tracker/CVE-2019-5791

https://security-tracker.debian.org/tracker/CVE-2019-5792

https://security-tracker.debian.org/tracker/CVE-2019-5793

https://security-tracker.debian.org/tracker/CVE-2019-5794

https://security-tracker.debian.org/tracker/CVE-2019-5795

https://security-tracker.debian.org/tracker/CVE-2019-5796

https://security-tracker.debian.org/tracker/CVE-2019-5797

https://security-tracker.debian.org/tracker/CVE-2019-5798

https://security-tracker.debian.org/tracker/CVE-2019-5799

https://security-tracker.debian.org/tracker/CVE-2019-5800

https://security-tracker.debian.org/tracker/CVE-2019-5802

https://security-tracker.debian.org/tracker/CVE-2019-5803

https://security-tracker.debian.org/tracker/source-package/chromium

https://packages.debian.org/source/stretch/chromium

https://www.debian.org/security/2019/dsa-4421

Plugin Details

Severity: High

ID: 123533

File Name: debian_DSA-4421.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2019/04/01

Updated: 2019/05/29

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2019/03/31

Vulnerability Publication Date: 2019/05/23

Reference Information

CVE: CVE-2019-5787, CVE-2019-5788, CVE-2019-5789, CVE-2019-5790, CVE-2019-5791, CVE-2019-5792, CVE-2019-5793, CVE-2019-5794, CVE-2019-5795, CVE-2019-5796, CVE-2019-5797, CVE-2019-5798, CVE-2019-5799, CVE-2019-5800, CVE-2019-5802, CVE-2019-5803

DSA: 4421