Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1062-1 Final 1 1 2019-03-28T05:34:45Z current 2019-03-28T05:34:45Z 2019-03-28T05:34:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium to version 73.0.3683.75 fixes the following issues: Security issues fixed (bsc#1129059): - CVE-2019-5787: Fixed a use after free in Canvas. - CVE-2019-5788: Fixed a use after free in FileAPI. - CVE-2019-5789: Fixed a use after free in WebMIDI. - CVE-2019-5790: Fixed a heap buffer overflow in V8. - CVE-2019-5791: Fixed a type confusion in V8. - CVE-2019-5792: Fixed an integer overflow in PDFium. - CVE-2019-5793: Fixed excessive permissions for private API in Extensions. - CVE-2019-5794: Fixed security UI spoofing. - CVE-2019-5795: Fixed an integer overflow in PDFium. - CVE-2019-5796: Fixed a race condition in Extensions. - CVE-2019-5797: Fixed a race condition in DOMStorage. - CVE-2019-5798: Fixed an out of bounds read in Skia. - CVE-2019-5799: Fixed a CSP bypass with blob URL. - CVE-2019-5800: Fixed a CSP bypass with blob URL. - CVE-2019-5801: Fixed an incorrect Omnibox display on iOS. - CVE-2019-5802: Fixed security UI spoofing. - CVE-2019-5803: Fixed a CSP bypass with Javascript URLs'. - CVE-2019-5804: Fixed a command line injection on Windows. Release notes: https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1062 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK E-Mail link for openSUSE-SU-2019:1062-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129059 SUSE Bug 1129059 https://www.suse.com/security/cve/CVE-2019-5787/ SUSE CVE CVE-2019-5787 page https://www.suse.com/security/cve/CVE-2019-5788/ SUSE CVE CVE-2019-5788 page https://www.suse.com/security/cve/CVE-2019-5789/ SUSE CVE CVE-2019-5789 page https://www.suse.com/security/cve/CVE-2019-5790/ SUSE CVE CVE-2019-5790 page https://www.suse.com/security/cve/CVE-2019-5791/ SUSE CVE CVE-2019-5791 page https://www.suse.com/security/cve/CVE-2019-5792/ SUSE CVE CVE-2019-5792 page https://www.suse.com/security/cve/CVE-2019-5793/ SUSE CVE CVE-2019-5793 page https://www.suse.com/security/cve/CVE-2019-5794/ SUSE CVE CVE-2019-5794 page https://www.suse.com/security/cve/CVE-2019-5795/ SUSE CVE CVE-2019-5795 page https://www.suse.com/security/cve/CVE-2019-5796/ SUSE CVE CVE-2019-5796 page https://www.suse.com/security/cve/CVE-2019-5797/ SUSE CVE CVE-2019-5797 page https://www.suse.com/security/cve/CVE-2019-5798/ SUSE CVE CVE-2019-5798 page https://www.suse.com/security/cve/CVE-2019-5799/ SUSE CVE CVE-2019-5799 page https://www.suse.com/security/cve/CVE-2019-5800/ SUSE CVE CVE-2019-5800 page https://www.suse.com/security/cve/CVE-2019-5801/ SUSE CVE CVE-2019-5801 page https://www.suse.com/security/cve/CVE-2019-5802/ SUSE CVE CVE-2019-5802 page https://www.suse.com/security/cve/CVE-2019-5803/ SUSE CVE CVE-2019-5803 page https://www.suse.com/security/cve/CVE-2019-5804/ SUSE CVE CVE-2019-5804 page openSUSE Leap 15.0 chromedriver-73.0.3683.75-lp150.206.1 chromium-73.0.3683.75-lp150.206.1 chromedriver-73.0.3683.75-lp150.206.1 as a component of openSUSE Leap 15.0 chromium-73.0.3683.75-lp150.206.1 as a component of openSUSE Leap 15.0 Use-after-garbage-collection in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5787 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5787.html CVE-2019-5787 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 An integer overflow that leads to a use-after-free in Blink Storage in Google Chrome on Linux prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. CVE-2019-5788 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5788.html CVE-2019-5788 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 An integer overflow that leads to a use-after-free in WebMIDI in Google Chrome on Windows prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. CVE-2019-5789 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5789.html CVE-2019-5789 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 An integer overflow leading to an incorrect capacity of a buffer in JavaScript in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. CVE-2019-5790 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5790.html CVE-2019-5790 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Inappropriate optimization in V8 in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2019-5791 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5791.html CVE-2019-5791 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. CVE-2019-5792 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5792.html CVE-2019-5792 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Insufficient policy enforcement in extensions in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to initiate the extensions installation user interface via a crafted HTML page. CVE-2019-5793 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5793.html CVE-2019-5793 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Incorrect handling of cancelled requests in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. CVE-2019-5794 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5794.html CVE-2019-5794 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. CVE-2019-5795 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5795.html CVE-2019-5795 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Data race in extensions guest view in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5796 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5796.html CVE-2019-5796 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Double free in DOMStorage in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5797 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5797.html CVE-2019-5797 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2019-5798 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5798.html CVE-2019-5798 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. CVE-2019-5799 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5799.html CVE-2019-5799 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. CVE-2019-5800 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5800.html CVE-2019-5800 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. CVE-2019-5801 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5801.html CVE-2019-5801 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. CVE-2019-5802 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5802.html CVE-2019-5802 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. CVE-2019-5803 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5803.html CVE-2019-5803 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name. CVE-2019-5804 openSUSE Leap 15.0:chromedriver-73.0.3683.75-lp150.206.1 openSUSE Leap 15.0:chromium-73.0.3683.75-lp150.206.1 important 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK/#UEJ3CRVCTM23JSBBSLBH5OMPDHJF2SQK https://www.suse.com/security/cve/CVE-2019-5804.html CVE-2019-5804 https://bugzilla.suse.com/1129059 SUSE Bug 1129059