Debian DSA-4714-1 : chromium - security update

critical Nessus Plugin ID 138066

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2020-6423 A use-after-free issue was found in the audio implementation.

- CVE-2020-6430 Avihay Cohen discovered a type confusion issue in the v8 JavaScript library.

- CVE-2020-6431 Luan Herrera discovered a policy enforcement error.

- CVE-2020-6432 Luan Herrera discovered a policy enforcement error.

- CVE-2020-6433 Luan Herrera discovered a policy enforcement error in extensions.

- CVE-2020-6434 HyungSeok Han discovered a use-after-free issue in the developer tools.

- CVE-2020-6435 Sergei Glazunov discovered a policy enforcement error in extensions.

- CVE-2020-6436 Igor Bukanov discovered a use-after-free issue.

- CVE-2020-6437 Jann Horn discovered an implementation error in WebView.

- CVE-2020-6438 Ng Yik Phang discovered a policy enforcement error in extensions.

- CVE-2020-6439 remkoboonstra discovered a policy enforcement error.

- CVE-2020-6440 David Erceg discovered an implementation error in extensions.

- CVE-2020-6441 David Erceg discovered a policy enforcement error.

- CVE-2020-6442 B@rMey discovered an implementation error in the page cache.

- CVE-2020-6443 @lovasoa discovered an implementation error in the developer tools.

- CVE-2020-6444 mlfbrown discovered an uninitialized variable in the WebRTC implementation.

- CVE-2020-6445 Jun Kokatsu discovered a policy enforcement error.

- CVE-2020-6446 Jun Kokatsu discovered a policy enforcement error.

- CVE-2020-6447 David Erceg discovered an implementation error in the developer tools.

- CVE-2020-6448 Guang Gong discovered a use-after-free issue in the v8 JavaScript library.

- CVE-2020-6454 Leecraso and Guang Gong discovered a use-after-free issue in extensions.

- CVE-2020-6455 Nan Wang and Guang Gong discovered an out-of-bounds read issue in the WebSQL implementation.

- CVE-2020-6456 Michal Bentkowski discovered insufficient validation of untrusted input.

- CVE-2020-6457 Leecraso and Guang Gong discovered a use-after-free issue in the speech recognizer.

- CVE-2020-6458 Aleksandar Nikolic discoved an out-of-bounds read and write issue in the pdfium library.

- CVE-2020-6459 Zhe Jin discovered a use-after-free issue in the payments implementation.

- CVE-2020-6460 It was discovered that URL formatting was insufficiently validated.

- CVE-2020-6461 Zhe Jin discovered a use-after-free issue.

- CVE-2020-6462 Zhe Jin discovered a use-after-free issue in task scheduling.

- CVE-2020-6463 Pawel Wylecial discovered a use-after-free issue in the ANGLE library.

- CVE-2020-6464 Looben Yang discovered a type confusion issue in Blink/Webkit.

- CVE-2020-6465 Woojin Oh discovered a use-after-free issue.

- CVE-2020-6466 Zhe Jin discovered a use-after-free issue.

- CVE-2020-6467 ZhanJia Song discovered a use-after-free issue in the WebRTC implementation.

- CVE-2020-6468 Chris Salls and Jake Corina discovered a type confusion issue in the v8 JavaScript library.

- CVE-2020-6469 David Erceg discovered a policy enforcement error in the developer tools.

- CVE-2020-6470 Michal Bentkowski discovered insufficient validation of untrusted input.

- CVE-2020-6471 David Erceg discovered a policy enforcement error in the developer tools.

- CVE-2020-6472 David Erceg discovered a policy enforcement error in the developer tools.

- CVE-2020-6473 Soroush Karami and Panagiotis Ilia discovered a policy enforcement error in Blink/Webkit.

- CVE-2020-6474 Zhe Jin discovered a use-after-free issue in Blink/Webkit.

- CVE-2020-6475 Khalil Zhani discovered a user interface error.

- CVE-2020-6476 Alexandre Le Borgne discovered a policy enforcement error.

- CVE-2020-6478 Khalil Zhani discovered an implementation error in full screen mode.

- CVE-2020-6479 Zhong Zhaochen discovered an implementation error.

- CVE-2020-6480 Marvin Witt discovered a policy enforcement error.

- CVE-2020-6481 Rayyan Bijoora discovered a policy enforcement error.

- CVE-2020-6482 Abdulrahman Alqabandi discovered a policy enforcement error in the developer tools.

- CVE-2020-6483 Jun Kokatsu discovered a policy enforcement error in payments.

- CVE-2020-6484 Artem Zinenko discovered insufficient validation of user data in the ChromeDriver implementation.

- CVE-2020-6485 Sergei Glazunov discovered a policy enforcement error.

- CVE-2020-6486 David Erceg discovered a policy enforcement error.

- CVE-2020-6487 Jun Kokatsu discovered a policy enforcement error.

- CVE-2020-6488 David Erceg discovered a policy enforcement error.

- CVE-2020-6489 @lovasoa discovered an implementation error in the developer tools.

- CVE-2020-6490 Insufficient validation of untrusted data was discovered.

- CVE-2020-6491 Sultan Haikal discovered a user interface error.

- CVE-2020-6493 A use-after-free issue was discovered in the WebAuthentication implementation.

- CVE-2020-6494 Juho Nurimen discovered a user interface error.

- CVE-2020-6495 David Erceg discovered a policy enforcement error in the developer tools.

- CVE-2020-6496 Khalil Zhani discovered a use-after-free issue in payments.

- CVE-2020-6497 Rayyan Bijoora discovered a policy enforcement issue.

- CVE-2020-6498 Rayyan Bijoora discovered a user interface error.

- CVE-2020-6505 Khalil Zhani discovered a use-after-free issue.

- CVE-2020-6506 Alesandro Ortiz discovered a policy enforcement error.

- CVE-2020-6507 Sergei Glazunov discovered an out-of-bounds write issue in the v8 JavaScript library.

- CVE-2020-6509 A use-after-free issue was discovered in extensions.

- CVE-2020-6831 Natalie Silvanovich discovered a buffer overflow issue in the SCTP library.

Solution

Upgrade the chromium packages.

For the oldstable distribution (stretch), security support for chromium has been discontinued.

For the stable distribution (buster), these problems have been fixed in version 83.0.4103.116-1~deb10u1.

Plugin Details

Severity: Critical

ID: 138066

File Name: debian_DSA-4714.nasl

Version: 1.6

Type: local

Agent: unix

Family: Debian Local Security Checks

Published: 7/2/2020

Updated: 3/4/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-6831

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium, cpe:/o:debian:debian_linux:10.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/1/2020

Vulnerability Publication Date: 4/13/2020

Reference Information

CVE: CVE-2020-6423, CVE-2020-6430, CVE-2020-6431, CVE-2020-6432, CVE-2020-6433, CVE-2020-6434, CVE-2020-6435, CVE-2020-6436, CVE-2020-6437, CVE-2020-6438, CVE-2020-6439, CVE-2020-6440, CVE-2020-6441, CVE-2020-6442, CVE-2020-6443, CVE-2020-6444, CVE-2020-6445, CVE-2020-6446, CVE-2020-6447, CVE-2020-6448, CVE-2020-6454, CVE-2020-6455, CVE-2020-6456, CVE-2020-6457, CVE-2020-6458, CVE-2020-6459, CVE-2020-6460, CVE-2020-6461, CVE-2020-6462, CVE-2020-6463, CVE-2020-6464, CVE-2020-6465, CVE-2020-6466, CVE-2020-6467, CVE-2020-6468, CVE-2020-6469, CVE-2020-6470, CVE-2020-6471, CVE-2020-6472, CVE-2020-6473, CVE-2020-6474, CVE-2020-6475, CVE-2020-6476, CVE-2020-6478, CVE-2020-6479, CVE-2020-6480, CVE-2020-6481, CVE-2020-6482, CVE-2020-6483, CVE-2020-6484, CVE-2020-6485, CVE-2020-6486, CVE-2020-6487, CVE-2020-6488, CVE-2020-6489, CVE-2020-6490, CVE-2020-6491, CVE-2020-6493, CVE-2020-6494, CVE-2020-6495, CVE-2020-6496, CVE-2020-6497, CVE-2020-6498, CVE-2020-6505, CVE-2020-6506, CVE-2020-6507, CVE-2020-6509, CVE-2020-6831

DSA: 4714

Detections

Analytics