Debian 9858 Published by

There are currently critical security issues in the Debian packages of the Chromium web browser including a zero-day bug exploited in the wild. The Ubuntu packages in the universe repository are also affected by this issue. Update: An updated package has been released.



The zero-day flaw was found by two researchers from Kaspersky Labs. From their blog:

Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium

Kaspersky Exploit Prevention is a component part of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new unknown exploit for Google’s Chrome browser. We promptly reported this to the Google Chrome security team. After reviewing of the PoC we provided, Google confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux and we recommend all Chrome users to update to this latest version as soon as possible! You can read Google’s bulletin by clicking here.

Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium

Unfortunately, there is still no updated Chromium package for Debian GNU/Linux, so Debian users are vulnerable to this type of attack. There are already two bug reports #941060 and #943909 but no reply from the package maintainer so far.

The Debian package of Chromium for Buster, Bullseye, and Sid based still on version 76.0.3809.100 from August 2019:
Chromiumadeb

I would either upgrade to the regular Chrome, the Chromium based Vivaldi browser, or use an alternative browser such as Firefox ESR at least as a temporary solution. Better safe then sorry. Hopefully the Debian project will update their Chromium packages soon.