Security Information / 2020 / Security Information -- DSA-4714-1 chromium

Debian Security Advisory

DSA-4714-1 chromium -- security update

Date Reported:

01 Jul 2020

Affected Packages:

chromium

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2020-6423, CVE-2020-6430, CVE-2020-6431, CVE-2020-6432, CVE-2020-6433, CVE-2020-6434, CVE-2020-6435, CVE-2020-6436, CVE-2020-6437, CVE-2020-6438, CVE-2020-6439, CVE-2020-6440, CVE-2020-6441, CVE-2020-6442, CVE-2020-6443, CVE-2020-6444, CVE-2020-6445, CVE-2020-6446, CVE-2020-6447, CVE-2020-6448, CVE-2020-6454, CVE-2020-6455, CVE-2020-6456, CVE-2020-6457, CVE-2020-6458, CVE-2020-6459, CVE-2020-6460, CVE-2020-6461, CVE-2020-6462, CVE-2020-6463, CVE-2020-6464, CVE-2020-6465, CVE-2020-6466, CVE-2020-6467, CVE-2020-6468, CVE-2020-6469, CVE-2020-6470, CVE-2020-6471, CVE-2020-6472, CVE-2020-6473, CVE-2020-6474, CVE-2020-6475, CVE-2020-6476, CVE-2020-6478, CVE-2020-6479, CVE-2020-6480, CVE-2020-6481, CVE-2020-6482, CVE-2020-6483, CVE-2020-6484, CVE-2020-6485, CVE-2020-6486, CVE-2020-6487, CVE-2020-6488, CVE-2020-6489, CVE-2020-6490, CVE-2020-6491, CVE-2020-6493, CVE-2020-6494, CVE-2020-6495, CVE-2020-6496, CVE-2020-6497, CVE-2020-6498, CVE-2020-6505, CVE-2020-6506, CVE-2020-6507, CVE-2020-6509, CVE-2020-6831.

More information:

Several vulnerabilities have been discovered in the chromium web browser.

• CVE-2020-6423

  A use-after-free issue was found in the audio implementation.

• CVE-2020-6430

  Avihay Cohen discovered a type confusion issue in the v8 javascript library.

• CVE-2020-6431

  Luan Herrera discovered a policy enforcement error.

• CVE-2020-6432

  Luan Herrera discovered a policy enforcement error.

• CVE-2020-6433

  Luan Herrera discovered a policy enforcement error in extensions.

• CVE-2020-6434

  HyungSeok Han discovered a use-after-free issue in the developer tools.

• CVE-2020-6435

  Sergei Glazunov discovered a policy enforcement error in extensions.

• CVE-2020-6436

  Igor Bukanov discovered a use-after-free issue.

• CVE-2020-6437

  Jann Horn discovered an implementation error in WebView.

• CVE-2020-6438

  Ng Yik Phang discovered a policy enforcement error in extensions.

• CVE-2020-6439

  remkoboonstra discovered a policy enforcement error.

• CVE-2020-6440

  David Erceg discovered an implementation error in extensions.

• CVE-2020-6441

  David Erceg discovered a policy enforcement error.

• CVE-2020-6442

  B@rMey discovered an implementation error in the page cache.

• CVE-2020-6443

  @lovasoa discovered an implementation error in the developer tools.

• CVE-2020-6444

  mlfbrown discovered an uninitialized variable in the WebRTC implementation.

• CVE-2020-6445

  Jun Kokatsu discovered a policy enforcement error.

• CVE-2020-6446

  Jun Kokatsu discovered a policy enforcement error.

• CVE-2020-6447

  David Erceg discovered an implementation error in the developer tools.

• CVE-2020-6448

  Guang Gong discovered a use-after-free issue in the v8 javascript library.

• CVE-2020-6454

  Leecraso and Guang Gong discovered a use-after-free issue in extensions.

• CVE-2020-6455

  Nan Wang and Guang Gong discovered an out-of-bounds read issue in the WebSQL implementation.

• CVE-2020-6456

  Michał Bentkowski discovered insufficient validation of untrusted input.

• CVE-2020-6457

  Leecraso and Guang Gong discovered a use-after-free issue in the speech recognizer.

• CVE-2020-6458

  Aleksandar Nikolic discoved an out-of-bounds read and write issue in the pdfium library.

• CVE-2020-6459

  Zhe Jin discovered a use-after-free issue in the payments implementation.

• CVE-2020-6460

  It was discovered that URL formatting was insufficiently validated.

• CVE-2020-6461

  Zhe Jin discovered a use-after-free issue.

• CVE-2020-6462

  Zhe Jin discovered a use-after-free issue in task scheduling.

• CVE-2020-6463

  Pawel Wylecial discovered a use-after-free issue in the ANGLE library.

• CVE-2020-6464

  Looben Yang discovered a type confusion issue in Blink/Webkit.

• CVE-2020-6465

  Woojin Oh discovered a use-after-free issue.

• CVE-2020-6466

  Zhe Jin discovered a use-after-free issue.

• CVE-2020-6467

  ZhanJia Song discovered a use-after-free issue in the WebRTC implementation.

• CVE-2020-6468

  Chris Salls and Jake Corina discovered a type confusion issue in the v8 javascript library.

• CVE-2020-6469

  David Erceg discovered a policy enforcement error in the developer tools.

• CVE-2020-6470

  Michał Bentkowski discovered insufficient validation of untrusted input.

• CVE-2020-6471

  David Erceg discovered a policy enforcement error in the developer tools.

• CVE-2020-6472

  David Erceg discovered a policy enforcement error in the developer tools.

• CVE-2020-6473

  Soroush Karami and Panagiotis Ilia discovered a policy enforcement error in Blink/Webkit.

• CVE-2020-6474

  Zhe Jin discovered a use-after-free issue in Blink/Webkit.

• CVE-2020-6475

  Khalil Zhani discovered a user interface error.

• CVE-2020-6476

  Alexandre Le Borgne discovered a policy enforcement error.

• CVE-2020-6478

  Khalil Zhani discovered an implementation error in full screen mode.

• CVE-2020-6479

  Zhong Zhaochen discovered an implementation error.

• CVE-2020-6480

  Marvin Witt discovered a policy enforcement error.

• CVE-2020-6481

  Rayyan Bijoora discovered a policy enforcement error.

• CVE-2020-6482

  Abdulrahman Alqabandi discovered a policy enforcement error in the developer tools.

• CVE-2020-6483

  Jun Kokatsu discovered a policy enforcement error in payments.

• CVE-2020-6484

  Artem Zinenko discovered insufficient validation of user data in the ChromeDriver implementation.

• CVE-2020-6485

  Sergei Glazunov discovered a policy enforcement error.

• CVE-2020-6486

  David Erceg discovered a policy enforcement error.

• CVE-2020-6487

  Jun Kokatsu discovered a policy enforcement error.

• CVE-2020-6488

  David Erceg discovered a policy enforcement error.

• CVE-2020-6489

  @lovasoa discovered an implementation error in the developer tools.

• CVE-2020-6490

  Insufficient validation of untrusted data was discovered.

• CVE-2020-6491

  Sultan Haikal discovered a user interface error.

• CVE-2020-6493

  A use-after-free issue was discovered in the WebAuthentication implementation.

• CVE-2020-6494

  Juho Nurimen discovered a user interface error.

• CVE-2020-6495

  David Erceg discovered a policy enforcement error in the developer tools.

• CVE-2020-6496

  Khalil Zhani discovered a use-after-free issue in payments.

• CVE-2020-6497

  Rayyan Bijoora discovered a policy enforcement issue.

• CVE-2020-6498

  Rayyan Bijoora discovered a user interface error.

• CVE-2020-6505

  Khalil Zhani discovered a use-after-free issue.

• CVE-2020-6506

  Alesandro Ortiz discovered a policy enforcement error.

• CVE-2020-6507

  Sergei Glazunov discovered an out-of-bounds write issue in the v8 javascript library.

• CVE-2020-6509

  A use-after-free issue was discovered in extensions.

• CVE-2020-6831

  Natalie Silvanovich discovered a buffer overflow issue in the SCTP library.

For the oldstable distribution (stretch), security support for chromium has been discontinued.

For the stable distribution (buster), these problems have been fixed in version 83.0.4103.116-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium