Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.3815
chromium-browser security update
10 December 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: chromium-browser
Publisher: Debian
Operating System: Debian GNU/Linux 9
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2018-18359 CVE-2018-18358 CVE-2018-18357
CVE-2018-18356 CVE-2018-18355 CVE-2018-18354
CVE-2018-18353 CVE-2018-18352 CVE-2018-18351
CVE-2018-18350 CVE-2018-18349 CVE-2018-18348
CVE-2018-18347 CVE-2018-18346 CVE-2018-18345
CVE-2018-18344 CVE-2018-18343 CVE-2018-18342
CVE-2018-18341 CVE-2018-18340 CVE-2018-18339
CVE-2018-18338 CVE-2018-18337 CVE-2018-18336
CVE-2018-18335 CVE-2018-17481 CVE-2018-17480
Reference: ASB-2018.0296
Original Bulletin:
http://www.debian.org/security/2018/dsa-4352
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4352-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
December 07, 2018 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : chromium-browser
CVE ID : CVE-2018-17480 CVE-2018-17481 CVE-2018-18335 CVE-2018-18336
CVE-2018-18337 CVE-2018-18338 CVE-2018-18339 CVE-2018-18340
CVE-2018-18341 CVE-2018-18342 CVE-2018-18343 CVE-2018-18344
CVE-2018-18345 CVE-2018-18346 CVE-2018-18347 CVE-2018-18348
CVE-2018-18349 CVE-2018-18350 CVE-2018-18351 CVE-2018-18352
CVE-2018-18353 CVE-2018-18354 CVE-2018-18355 CVE-2018-18356
CVE-2018-18357 CVE-2018-18358 CVE-2018-18359
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2018-17480
Guang Gong discovered an out-of-bounds write issue in the v8 javascript
library.
CVE-2018-17481
Several use-after-free issues were discovered in the pdfium library.
CVE-2018-18335
A buffer overflow issue was discovered in the skia library.
CVE-2018-18336
Huyna discovered a use-after-free issue in the pdfium library.
CVE-2018-18337
cloudfuzzer discovered a use-after-free issue in blink/webkit.
CVE-2018-18338
Zhe Jin discovered a buffer overflow issue in the canvas renderer.
CVE-2018-18339
cloudfuzzer discovered a use-after-free issue in the WebAudio
implementation.
CVE-2018-18340
A use-after-free issue was discovered in the MediaRecorder implementation.
CVE-2018-18341
cloudfuzzer discovered a buffer overflow issue in blink/webkit.
CVE-2018-18342
Guang Gong discovered an out-of-bounds write issue in the v8 javascript
library.
CVE-2018-18343
Tran Tien Hung discovered a use-after-free issue in the skia library.
CVE-2018-18344
Jann Horn discovered an error in the Extensions implementation.
CVE-2018-18345
Masato Kinugawa and Jun Kokatsu discovered an error in the Site Isolation
feature.
CVE-2018-18346
Luan Herrera discovered an error in the user interface.
CVE-2018-18347
Luan Herrera discovered an error in the Navigation implementation.
CVE-2018-18348
Ahmed Elsobky discovered an error in the omnibox implementation.
CVE-2018-18349
David Erceg discovered a policy enforcement error.
CVE-2018-18350
Jun Kokatsu discovered a policy enforcement error.
CVE-2018-18351
Jun Kokatsu discovered a policy enforcement error.
CVE-2018-18352
Jun Kokatsu discovered an error in Media handling.
CVE-2018-18353
Wenxu Wu discovered an error in the network authentication implementation.
CVE-2018-18354
Wenxu Wu discovered an error related to integration with GNOME Shell.
CVE-2018-18355
evil1m0 discovered a policy enforcement error.
CVE-2018-18356
Tran Tien Hung discovered a use-after-free issue in the skia library.
CVE-2018-18357
evil1m0 discovered a policy enforcement error.
CVE-2018-18358
Jann Horn discovered a policy enforcement error.
CVE-2018-18359
cyrilliu discovered an out-of-bounds read issue in the v8 javascript
library.
Several additional security relevant issues are also fixed in this update
that have not yet received CVE identifiers.
For the stable distribution (stretch), these problems have been fixed in
version 71.0.3578.80-1~deb9u1.
We recommend that you upgrade your chromium-browser packages.
For the detailed security status of chromium-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium-browser
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQQzBAEBCgAdFiEEluhy7ASCBulP9FUWuNayzQLW9HMFAlwLIaoACgkQuNayzQLW
9HPFMCAAlLLx1FgfN9CHg5auKRnKdIbBDFPdUavLrfUabinBfve7yEcPIrWvdOIi
fD3x7kAdDb1KhbDcVLohjkXyKQo5Hjt8x1qeQhGGzu2W4Fnq8ltYwC1FTZTGWmIt
chpVd/UpuwM//zd0D8DRf1L7koW5IHtG2bOczKq4zn/1cgxTdhr0Wm329FSmJfG+
I6nQQBX5QlwTEquxKS16wYxk3bt+n1DzL5vUTzuizmbhRYxg2oCIZVhzRsCNjRR2
GzauW6utyo2u5VR2zp5alkWQedZNP8VNTbmExuDfB6vWIkpr44ilbRcK1jxulvfQ
MiwVe38uBT52Vapsl39o0O64lnq+01tMwA87fDZVyKRK0wzO422zlBE0M81YRiDd
PHwlEB20BbpYPfCWRWkcQq1ZHphWx6ZnP3zmNCn620lqbZCeyNQFKFcCBIC7TvmW
lohfcFhpTK86DurO3ZZ7dUjhfre/GCehTvgbpE3MeEUjsqjRAfeeE6mnm6ZIblDq
NjdLaj8zKi/xeTMpKjmkfl2OBUeGG0pM0zn3t0IHn2Z47lRQ3nwGzlnVy8woR36Z
YX2WUWTN02xLjL1T4lvE64yAeIj2LG2S2UtFsiZD0Z51A+kDUeYOvhP7QOa9ufBk
sxj7n6G5hfwAfQS4DsuE39LvSepoG+g2i+7rxNWrsFzIytLDYOIefNSs+5csjPkG
3BrCswQEwu+5pyS+RcANWN52Um28gmDkjR743Yqr1BtyD4nDearLHBdIxmHU7Ywo
RcZt1xPIDLgjpwciSCwl+SbStICIb1kZ0KCphJHuB08X+d0BDyOsZ/4iBO3kLvVx
6qpha8guWAd4ZIZLtfRTb6+yWNDn9Jm6OxT4jfvaTAKndgTZvFbYK4HALiouLrxh
iA6Pb6uvR06S6uBzwxXeEXDkCjDnQOS9dG0bEmjbbwVQE44S5vzYGPHae6Nz+KHp
/pZhAwC0lb5qQhZzDtNngR+DzjOvEpFnmycnVsEa8hrg3aRoOORnG9AnUTB3RWAf
N/8uiLUyZY6yOyEzH9cHT/zYV183hQd0LQYSmcNDxy9BML3SE389wOlv7jkDIXAl
MtfSdnzAbtaufTQEZypl8DY0wrPL0FjdpivUmR6/1WRTWIQVySBQ04v+Zqf4n6PU
J/mGWQk/vnkYaJBTbzwONUItPz4EZz04DAZgucIiMaPCQywDY49pwlVFat4UI9dK
nXgqlv+GTt00c0/T41lkWwDZw7DVjoR84Nq8KTpk3fUJZcYlMHwKJnG4mwayeVYh
tWOE2WGtzbRg4MF/MpQ3KAneC48VCBCqCtgd8TnKOtylGdVpZjLpi2kK8wZFNkX7
24nfvb+roYfjWjuwXDoPbINpGMOpxA==
=eQTQ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXA3AiWaOgq3Tt24GAQjzlxAAqrYVhdrwWGdEA9FQ76VaKWL345+iSnkx
Y1JBh5WrJCPHzo18Z/bD7c38wFcaOweBxiRQqFGcnj0M9+V5rAG4c0X4a9gwQwfJ
QyAoqB8Lij3tx42B80p3BDjyepsPzMBsuoEpImtS0G3fdc9/SVo2uy1xcdNpkPVh
dg0xVJ27fgLyGle+GPcQV9di7VEEI1RabXhukYyeb5cZdSncjQTliH3Bawge7P17
uG4ur4vq6mYbR6LiFTGubw0rKNw+0X1surtVWJqDwkX5xn9ndQk3qzLTn+R2rs/G
riqmXzlfsgYXP9Npm2f5hkLwyX5DYydtbtz/YAMSrhNj54Xd9YGayr/MOaIRWUZS
ZoYtcQsUfwy66JhqEUryH40nSHwKCAdZC2igybDA0txHXWMjHar9zAmSv9Bi3TZe
qcWfk6zurkz05Y7M8obj/EbDdQd8fDMRp4dCslKVKfouhk+l5HemZMYhjHIw5T5u
37109mLYxOZg33huWhR4n0U05MzxHwO9Y2DJ6ctZEU3oNxh2mGQJRiVHVTulsauA
KxOi77UVE6kBV6/SKtspAai9KeLx8M55s7RSBslFRycIsErcKGRBVdcFFK7ZX6lK
LcwlgzsYuiC6f6t7pe0loB3yXKl7Jc4B0L1rObk+zXQ9jCYfq88v7TV9rpTKf4+y
ZqOTaQR4I9Q=
=NR8B
-----END PGP SIGNATURE-----