SB2019021903 - OpenSUSE Linux update for chromium
Published: February 19, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 30 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-5754)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to inappropriate implementation in QUIC Networking. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Input validation error (CVE-ID: CVE-2019-5755)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to inappropriate implementation in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Use-after-free (CVE-ID: CVE-2019-5756)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
4) Type confusion (CVE-ID: CVE-2019-5757)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in SVG. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
5) Use-after-free (CVE-ID: CVE-2019-5758)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in Blink. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
6) Use-after-free (CVE-ID: CVE-2019-5759)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in HTML select elements. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
7) Use-after-free (CVE-ID: CVE-2019-5760)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in WebRTC. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
8) Use-after-free (CVE-ID: CVE-2019-5761)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in SwiftShader. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
9) Use-after-free (CVE-ID: CVE-2019-5762)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
10) Input validation error (CVE-ID: CVE-2019-5763)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to insufficient validation of untrusted input in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
11) Use-after-free (CVE-ID: CVE-2019-5764)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in WebRTC. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
12) Input validation error (CVE-ID: CVE-2019-5765)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to insufficient policy enforcement in the browser. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
13) Input validation error (CVE-ID: CVE-2019-5766)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in Canvas. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
14) Input validation error (CVE-ID: CVE-2019-5767)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to incorrect security UI in WebAPKs. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
15) Input validation error (CVE-ID: CVE-2019-5768)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in DevTools. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
16) Input validation error (CVE-ID: CVE-2019-5769)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to insufficient validation of untrusted input in Blink. A remote attacker can trick the victim into visiting a specially crafted website and cause the browser to crash.
17) Heap-based buffer overflow (CVE-ID: CVE-2019-5770)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer overflow in WebGL. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the browser to crash.
18) Heap-based buffer overflow (CVE-ID: CVE-2019-5771)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer overflow in SwiftShader. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the browser to crash.
19) Use-after-free (CVE-ID: CVE-2019-5772)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the browser to crash.
20) Input validation error (CVE-ID: CVE-2019-5773)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to insufficient data validation in IndexedDB. A remote attacker can trick the victim into visiting a specially crafted website and cause the browser to crash.
21) Input validation error (CVE-ID: CVE-2019-5774)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to insufficient validation of untrusted input in SafeBrowsing. A remote attacker can trick the victim into visiting a specially crafted website and cause the browser to crash.
22) Input validation error (CVE-ID: CVE-2019-5775)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
23) Input validation error (CVE-ID: CVE-2019-5776)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
24) Input validation error (CVE-ID: CVE-2019-5777)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
25) Input validation error (CVE-ID: CVE-2019-5778)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in Extensions. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
26) Input validation error (CVE-ID: CVE-2019-5779)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in ServiceWorker. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
27) Input validation error (CVE-ID: CVE-2019-5780)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
28) Input validation error (CVE-ID: CVE-2019-5781)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient policy enforcement in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
29) Input validation error (CVE-ID: CVE-2019-5782)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to inappropriate implementation in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
30) Input validation error (CVE-ID: CVE-2019-5784)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to inappropriate implementation in V8. A remote attacker can trick the victim into visiting a specially crafted website and cause the service to crash.
Remediation
Install update from vendor's website.