Arch Linux 749 Published by

Updated Chromium packages has been released for Arch Linux



Arch Linux Security Advisory ASA-201903-8
=========================================

Severity: High
Date : 2019-03-13
CVE-ID : CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790
CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794
CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798
CVE-2019-5799 CVE-2019-5800 CVE-2019-5802 CVE-2019-5803
Package : chromium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-923

Summary
=======

The package chromium before version 73.0.3683.75-1 is vulnerable to
multiple issues including arbitrary code execution, access restriction
bypass, content spoofing and information disclosure.

Resolution
==========

Upgrade to 73.0.3683.75-1.

# pacman -Syu "chromium>=73.0.3683.75-1"

The problems have been fixed upstream in version 73.0.3683.75.

Workaround
==========

None.

Description
===========

- CVE-2019-5787 (arbitrary code execution)

A use-after-free issue has been found in the Canvas component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5788 (arbitrary code execution)

A use-after-free issue has been found in the FileAPI component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5789 (arbitrary code execution)

A use-after-free issue has been found in the WebMIDI component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5790 (arbitrary code execution)

A heap-based buffer overflow has been found in the V8 component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5791 (arbitrary code execution)

A type confusion issue has been found in the V8 component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5792 (arbitrary code execution)

An integer overflow issue has been found in the PDFium component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5793 (access restriction bypass)

An excessive permissions for private API issue has been found in the
Extensions component of the chromium browser before 73.0.3683.75.

- CVE-2019-5794 (content spoofing)

A UI spoofing issue has been found in the chromium browser before
73.0.3683.75.

- CVE-2019-5795 (arbitrary code execution)

An integer overflow issue has been found in the PDFium component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5796 (arbitrary code execution)

A race condition has been found in the Extensions component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5797 (arbitrary code execution)

A race condition has been found in the DOMStorage component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5798 (information disclosure)

An out-of-bounds read has been found in the Skia component of the
chromium browser before 73.0.3683.75.

- CVE-2019-5799 (access restriction bypass)

A CSP bypass issue with blob URLs has been found in the chromium
browser before 73.0.3683.75.

- CVE-2019-5800 (access restriction bypass)

A CSP bypass issue with blob URLs has been found in the chromium
browser before 73.0.3683.75.

- CVE-2019-5802 (content spoofing)

A UI spoofing issue has been found in the chromium browser before
73.0.3683.75.

- CVE-2019-5803 (access restriction bypass)

A CSP bypass issue with Javascript URLs has been found in the chromium
browser before 73.0.3683.75.

Impact
======

A remote attacker can access sensitive information, bypass security
restrictions and execute arbitrary code via crafted web content.

References
==========

https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html
https://bugs.chromium.org/p/chromium/issues/detail?id=913964
https://bugs.chromium.org/p/chromium/issues/detail?id=925864
https://bugs.chromium.org/p/chromium/issues/detail?id=921581
https://bugs.chromium.org/p/chromium/issues/detail?id=914736
https://bugs.chromium.org/p/chromium/issues/detail?id=926651
https://bugs.chromium.org/p/chromium/issues/detail?id=914983
https://bugs.chromium.org/p/chromium/issues/detail?id=937487
https://bugs.chromium.org/p/chromium/issues/detail?id=935175
https://bugs.chromium.org/p/chromium/issues/detail?id=919643
https://bugs.chromium.org/p/chromium/issues/detail?id=918861
https://bugs.chromium.org/p/chromium/issues/detail?id=916523
https://bugs.chromium.org/p/chromium/issues/detail?id=883596
https://bugs.chromium.org/p/chromium/issues/detail?id=905301
https://bugs.chromium.org/p/chromium/issues/detail?id=894228
https://bugs.chromium.org/p/chromium/issues/detail?id=632514
https://bugs.chromium.org/p/chromium/issues/detail?id=909865
https://security.archlinux.org/CVE-2019-5787
https://security.archlinux.org/CVE-2019-5788
https://security.archlinux.org/CVE-2019-5789
https://security.archlinux.org/CVE-2019-5790
https://security.archlinux.org/CVE-2019-5791
https://security.archlinux.org/CVE-2019-5792
https://security.archlinux.org/CVE-2019-5793
https://security.archlinux.org/CVE-2019-5794
https://security.archlinux.org/CVE-2019-5795
https://security.archlinux.org/CVE-2019-5796
https://security.archlinux.org/CVE-2019-5797
https://security.archlinux.org/CVE-2019-5798
https://security.archlinux.org/CVE-2019-5799
https://security.archlinux.org/CVE-2019-5800
https://security.archlinux.org/CVE-2019-5802
https://security.archlinux.org/CVE-2019-5803
  Chromium Security Update for Arch Linux