SB2019021921 - OpenSUSE Linux update for chromium
Published: February 19, 2019
Description
This security bulletin contains information about 30 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-5754)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to an inappropriate implementation in QUIC Networking. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Input validation error (CVE-ID: CVE-2019-5755)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to an inappropriate implementation in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Use-after-free (CVE-ID: CVE-2019-5756)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
4) Type confusion (CVE-ID: CVE-2019-5757)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to type confusion in SVG. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
5) Use-after-free (CVE-ID: CVE-2019-5758)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error in Blink. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
6) Use-after-free (CVE-ID: CVE-2019-5759)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error in HTML select elements. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
7) Use-after-free (CVE-ID: CVE-2019-5760)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error in WebRTC. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
8) Use-after-free (CVE-ID: CVE-2019-5761)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error in SwiftShader. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
9) Use-after-free (CVE-ID: CVE-2019-5762)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
10) Input validation error (CVE-ID: CVE-2019-5763)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to insufficient validation of untrusted input in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
11) Use-after-free (CVE-ID: CVE-2019-5764)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error in WebRTC. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
12) Input validation error (CVE-ID: CVE-2019-5765)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to insufficient policy enforcement in the browser. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
13) Input validation error (CVE-ID: CVE-2019-5766)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in Canvas. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
14) Input validation error (CVE-ID: CVE-2019-5767)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to incorrect security UI in WebAPKs. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
15) Input validation error (CVE-ID: CVE-2019-5768)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in DevTools. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
16) Input validation error (CVE-ID: CVE-2019-5769)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to insufficient validation of untrusted input in Blink. A remote attacker can trick the victim into visiting a specially crafted website and cause the browser to crash.
17) Heap-based buffer overflow (CVE-ID: CVE-2019-5770)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to a heap-based buffer overflow in WebGL. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the browser to crash.
18) Heap-based buffer overflow (CVE-ID: CVE-2019-5771)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to a heap-based buffer overflow in SwiftShader. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the browser to crash.
19) Use-after-free (CVE-ID: CVE-2019-5772)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to a use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the browser to crash.
20) Input validation error (CVE-ID: CVE-2019-5773)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to insufficient data validation in IndexedDB. A remote attacker can trick the victim into visiting a specially crafted website and cause the browser to crash.
21) Input validation error (CVE-ID: CVE-2019-5774)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to insufficient validation of untrusted input in SafeBrowsing. A remote attacker can trick the victim into visiting a specially crafted website and cause the browser to crash.
22) Input validation error (CVE-ID: CVE-2019-5775)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
23) Input validation error (CVE-ID: CVE-2019-5776)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
24) Input validation error (CVE-ID: CVE-2019-5777)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
25) Input validation error (CVE-ID: CVE-2019-5778)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in Extensions. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
26) Input validation error (CVE-ID: CVE-2019-5779)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in ServiceWorker. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
27) Input validation error (CVE-ID: CVE-2019-5780)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
28) Input validation error (CVE-ID: CVE-2019-5781)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
29) Input validation error (CVE-ID: CVE-2019-5782)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to an inappropriate implementation in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
30) Input validation error (CVE-ID: CVE-2019-5784)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to an inappropriate implementation in V8. A remote attacker can trick the victim into visiting a specially crafted website and cause the service to crash.
Remediation
Install the update from the vendor's website.