Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0762-1 Final 1 1 2021-05-22T05:03:53Z current 2021-05-22T05:03:53Z 2021-05-22T05:03:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: (This is a rerelease with aarch64 enabled.) Chromium 90.0.4430.212 (boo#1185908) * CVE-2021-30506: Incorrect security UI in Web App Installs * CVE-2021-30507: Inappropriate implementation in Offline * CVE-2021-30508: Heap buffer overflow in Media Feeds * CVE-2021-30509: Out of bounds write in Tab Strip * CVE-2021-30510: Race in Aura * CVE-2021-30511: Out of bounds read in Tab Group * CVE-2021-30512: Use after free in Notifications * CVE-2021-30513: Type Confusion in V8 * CVE-2021-30514: Use after free in Autofill * CVE-2021-30515: Use after free in File API * CVE-2021-30516: Heap buffer overflow in History * CVE-2021-30517: Type Confusion in V8 * CVE-2021-30518: Heap buffer overflow in Reader Mode * CVE-2021-30519: Use after free in Payments * CVE-2021-30520: Use after free in Tab Strip - FTP support disabled at runtime by default since release 88. Chromium 91 will remove support for ftp altogether (boo#1185496) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-762 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ E-Mail link for openSUSE-SU-2021:0762-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1185496 SUSE Bug 1185496 https://bugzilla.suse.com/1185716 SUSE Bug 1185716 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 https://www.suse.com/security/cve/CVE-2021-30506/ SUSE CVE CVE-2021-30506 page https://www.suse.com/security/cve/CVE-2021-30507/ SUSE CVE CVE-2021-30507 page https://www.suse.com/security/cve/CVE-2021-30508/ SUSE CVE CVE-2021-30508 page https://www.suse.com/security/cve/CVE-2021-30509/ SUSE CVE CVE-2021-30509 page https://www.suse.com/security/cve/CVE-2021-30510/ SUSE CVE CVE-2021-30510 page https://www.suse.com/security/cve/CVE-2021-30511/ SUSE CVE CVE-2021-30511 page https://www.suse.com/security/cve/CVE-2021-30512/ SUSE CVE CVE-2021-30512 page https://www.suse.com/security/cve/CVE-2021-30513/ SUSE CVE CVE-2021-30513 page https://www.suse.com/security/cve/CVE-2021-30514/ SUSE CVE CVE-2021-30514 page https://www.suse.com/security/cve/CVE-2021-30515/ SUSE CVE CVE-2021-30515 page https://www.suse.com/security/cve/CVE-2021-30516/ SUSE CVE CVE-2021-30516 page https://www.suse.com/security/cve/CVE-2021-30517/ SUSE CVE CVE-2021-30517 page https://www.suse.com/security/cve/CVE-2021-30518/ SUSE CVE CVE-2021-30518 page https://www.suse.com/security/cve/CVE-2021-30519/ SUSE CVE CVE-2021-30519 page https://www.suse.com/security/cve/CVE-2021-30520/ SUSE CVE CVE-2021-30520 page openSUSE Leap 15.2 chromedriver-90.0.4430.212-lp152.2.95.1 chromium-90.0.4430.212-lp152.2.95.1 chromedriver-90.0.4430.212-lp152.2.95.1 as a component of openSUSE Leap 15.2 chromium-90.0.4430.212-lp152.2.95.1 as a component of openSUSE Leap 15.2 Incorrect security UI in Web App Installs in Google Chrome on Android prior to 90.0.4430.212 allowed an attacker who convinced a user to install a web application to inject scripts or HTML into a privileged page via a crafted HTML page. CVE-2021-30506 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30506.html CVE-2021-30506 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Inappropriate implementation in Offline in Google Chrome on Android prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. CVE-2021-30507 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30507.html CVE-2021-30507 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Heap buffer overflow in Media Feeds in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to enable certain features in Chrome to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30508 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30508.html CVE-2021-30508 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Out of bounds write in Tab Strip in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory write via a crafted HTML page and a crafted Chrome extension. CVE-2021-30509 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30509.html CVE-2021-30509 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Use after free in Aura in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30510 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30510.html CVE-2021-30510 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Out of bounds read in Tab Groups in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted HTML page. CVE-2021-30511 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30511.html CVE-2021-30511 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Use after free in Notifications in Google Chrome prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30512 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30512.html CVE-2021-30512 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Type confusion in V8 in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30513 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30513.html CVE-2021-30513 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Use after free in Autofill in Google Chrome prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30514 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30514.html CVE-2021-30514 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Use after free in File API in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30515 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30515.html CVE-2021-30515 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Heap buffer overflow in History in Google Chrome prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30516 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30516.html CVE-2021-30516 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Type confusion in V8 in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30517 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30517.html CVE-2021-30517 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Heap buffer overflow in Reader Mode in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30518 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30518.html CVE-2021-30518 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Use after free in Payments in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious payments app to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30519 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30519.html CVE-2021-30519 https://bugzilla.suse.com/1185908 SUSE Bug 1185908 Use after free in Tab Strip in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30520 openSUSE Leap 15.2:chromedriver-90.0.4430.212-lp152.2.95.1 openSUSE Leap 15.2:chromium-90.0.4430.212-lp152.2.95.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXXTVK5FWZGMVLWH6O7ONOFANNOOJNWS/ https://www.suse.com/security/cve/CVE-2021-30520.html CVE-2021-30520 https://bugzilla.suse.com/1185908 SUSE Bug 1185908