Debian Security Advisory

DSA-4256-1 chromium-browser -- security update

Date Reported:

26 Jul 2018

Affected Packages:

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-4117, CVE-2018-6044, CVE-2018-6150, CVE-2018-6151, CVE-2018-6152, CVE-2018-6153, CVE-2018-6154, CVE-2018-6155, CVE-2018-6156, CVE-2018-6157, CVE-2018-6158, CVE-2018-6159, CVE-2018-6161, CVE-2018-6162, CVE-2018-6163, CVE-2018-6164, CVE-2018-6165, CVE-2018-6166, CVE-2018-6167, CVE-2018-6168, CVE-2018-6169, CVE-2018-6170, CVE-2018-6171, CVE-2018-6172, CVE-2018-6173, CVE-2018-6174, CVE-2018-6175, CVE-2018-6176, CVE-2018-6177, CVE-2018-6178, CVE-2018-6179.

More information:

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-4117
AhsanEjaz discovered an information leak.
CVE-2018-6044
Rob Wu discovered a way to escalate privileges using extensions.
CVE-2018-6150
Rob Wu discovered an information disclosure issue (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).
CVE-2018-6151
Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).
CVE-2018-6152
Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).
CVE-2018-6153
Zhen Zhou discovered a buffer overflow issue in the skia library.
CVE-2018-6154
Omair discovered a buffer overflow issue in the WebGL implementation.
CVE-2018-6155
Natalie Silvanovich discovered a use-after-free issue in the WebRTC implementation.
CVE-2018-6156
Natalie Silvanovich discovered a buffer overflow issue in the WebRTC implementation.
CVE-2018-6157
Natalie Silvanovich discovered a type confusion issue in the WebRTC implementation.
CVE-2018-6158
Zhe Jin discovered a use-after-free issue.
CVE-2018-6159
Jun Kokatsu discovered a way to bypass the same origin policy.
CVE-2018-6161
Jun Kokatsu discovered a way to bypass the same origin policy.
CVE-2018-6162
Omair discovered a buffer overflow issue in the WebGL implementation.
CVE-2018-6163
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6164
Jun Kokatsu discovered a way to bypass the same origin policy.
CVE-2018-6165
evil1m0 discovered a URL spoofing issue.
CVE-2018-6166
Lynas Zhang discovered a URL spoofing issue.
CVE-2018-6167
Lynas Zhang discovered a URL spoofing issue.
CVE-2018-6168
Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross Origin Resource Sharing policy.
CVE-2018-6169
Sam P discovered a way to bypass permissions when installing extensions.
CVE-2018-6170
A type confusion issue was discovered in the pdfium library.
CVE-2018-6171
A use-after-free issue was discovered in the WebBluetooth implementation.
CVE-2018-6172
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6173
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6174
Mark Brand discovered an integer overflow issue in the swiftshader library.
CVE-2018-6175
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6176
Jann Horn discovered a way to escalate privileges using extensions.
CVE-2018-6177
Ron Masas discovered an information leak.
CVE-2018-6178
Khalil Zhani discovered a user interface spoofing issue.
CVE-2018-6179
It was discovered that information about files local to the system could be leaked to extensions.

This version also fixes a regression introduced in the previous security update that could prevent decoding of particular audio/video codecs.

For the stable distribution (stretch), these problems have been fixed in version 68.0.3440.75-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium-browser