Debian DSA-4906-1 : chromium - security update

critical Nessus Plugin ID 149082

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2021-21201 Gengming Liu and Jianyu Chen discovered a use-after-free issue.

- CVE-2021-21202 David Erceg discovered a use-after-free issue in extensions.

- CVE-2021-21203 asnine discovered a use-after-free issue in Blink/Webkit.

- CVE-2021-21204 Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander discovered a use-after-free issue in Blink/Webkit.

- CVE-2021-21205 Alison Huffman discovered a policy enforcement error.

- CVE-2021-21207 koocola and Nan Wang discovered a use-after-free in the indexed database.

- CVE-2021-21208 Ahmed Elsobky discovered a data validation error in the QR code scanner.

- CVE-2021-21209 Tom Van Goethem discovered an implementation error in the Storage API.

- CVE-2021-21210 @bananabr discovered an error in the networking implementation.

- CVE-2021-21211 Akash Labade discovered an error in the navigation implementation.

- CVE-2021-21212 Hugo Hue and Sze Yui Chau discovered an error in the network configuration user interface.

- CVE-2021-21213 raven discovered a use-after-free issue in the WebMIDI implementation.

- CVE-2021-21214 A use-after-free issue was discovered in the networking implementation.

- CVE-2021-21215 Abdulrahman Alqabandi discovered an error in the Autofill feature.

- CVE-2021-21216 Abdulrahman Alqabandi discovered an error in the Autofill feature.

- CVE-2021-21217 Zhou Aiting discovered use of uninitialized memory in the pdfium library.

- CVE-2021-21218 Zhou Aiting discovered use of uninitialized memory in the pdfium library.

- CVE-2021-21219 Zhou Aiting discovered use of uninitialized memory in the pdfium library.

- CVE-2021-21221 Guang Gong discovered insufficient validation of untrusted input.

- CVE-2021-21222 Guang Gong discovered a buffer overflow issue in the v8 JavaScript library.

- CVE-2021-21223 Guang Gong discovered an integer overflow issue.

- CVE-2021-21224 Jose Martinez discovered a type error in the v8 JavaScript library.

- CVE-2021-21225 Brendon Tiszka discovered an out-of-bounds memory access issue in the v8 JavaScript library.

- CVE-2021-21226 Brendon Tiszka discovered a use-after-free issue in the networking implementation.

Solution

Upgrade the chromium packages.

For the stable distribution (buster), these problems have been fixed in version 90.0.4430.85-1~deb10u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2021-21201

https://security-tracker.debian.org/tracker/CVE-2021-21202

https://security-tracker.debian.org/tracker/CVE-2021-21203

https://security-tracker.debian.org/tracker/CVE-2021-21204

https://security-tracker.debian.org/tracker/CVE-2021-21205

https://security-tracker.debian.org/tracker/CVE-2021-21207

https://security-tracker.debian.org/tracker/CVE-2021-21208

https://security-tracker.debian.org/tracker/CVE-2021-21209

https://security-tracker.debian.org/tracker/CVE-2021-21210

https://security-tracker.debian.org/tracker/CVE-2021-21211

https://security-tracker.debian.org/tracker/CVE-2021-21212

https://security-tracker.debian.org/tracker/CVE-2021-21213

https://security-tracker.debian.org/tracker/CVE-2021-21214

https://security-tracker.debian.org/tracker/CVE-2021-21215

https://security-tracker.debian.org/tracker/CVE-2021-21216

https://security-tracker.debian.org/tracker/CVE-2021-21217

https://security-tracker.debian.org/tracker/CVE-2021-21218

https://security-tracker.debian.org/tracker/CVE-2021-21219

https://security-tracker.debian.org/tracker/CVE-2021-21221

https://security-tracker.debian.org/tracker/CVE-2021-21222

https://security-tracker.debian.org/tracker/CVE-2021-21223

https://security-tracker.debian.org/tracker/CVE-2021-21224

https://security-tracker.debian.org/tracker/CVE-2021-21225

https://security-tracker.debian.org/tracker/CVE-2021-21226

https://security-tracker.debian.org/tracker/source-package/chromium

https://packages.debian.org/source/buster/chromium

https://www.debian.org/security/2021/dsa-4906

Plugin Details

Severity: Critical

ID: 149082

File Name: debian_DSA-4906.nasl

Version: 1.6

Type: local

Agent: unix

Published: 4/29/2021

Updated: 11/30/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: Critical

Score: 9.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 9.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium, cpe:/o:debian:debian_linux:10.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/27/2021

Vulnerability Publication Date: 4/26/2021

CISA Known Exploited Dates: 11/17/2021

Reference Information

CVE: CVE-2021-21201, CVE-2021-21202, CVE-2021-21203, CVE-2021-21204, CVE-2021-21205, CVE-2021-21207, CVE-2021-21208, CVE-2021-21209, CVE-2021-21210, CVE-2021-21211, CVE-2021-21212, CVE-2021-21213, CVE-2021-21214, CVE-2021-21215, CVE-2021-21216, CVE-2021-21217, CVE-2021-21218, CVE-2021-21219, CVE-2021-21221, CVE-2021-21222, CVE-2021-21223, CVE-2021-21224, CVE-2021-21225, CVE-2021-21226

DSA: 4906