Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title chromium-browser security update
Informations
Name DSA-4182 First vendor Publication 2018-04-28
Vendor Debian Last vendor Modification 2018-04-28
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-6056

lokihardt discovered an error in the v8 javascript library.

CVE-2018-6057

Gal Beniamini discovered errors related to shared memory permissions.

CVE-2018-6060

Omair discovered a use-after-free issue in blink/webkit.

CVE-2018-6061

Guang Gong discovered a race condition in the v8 javascript library.

CVE-2018-6062

A heap overflow issue was discovered in the v8 javascript library.

CVE-2018-6063

Gal Beniamini discovered errors related to shared memory permissions.

CVE-2018-6064

lokihardt discovered a type confusion error in the v8 javascript library.

CVE-2018-6065

Mark Brand discovered an integer overflow issue in the v8 javascript library.

CVE-2018-6066

Masato Kinugawa discovered a way to bypass the Same Origin Policy.

CVE-2018-6067

Ned Williamson discovered a buffer overflow issue in the skia library.

CVE-2018-6068

Luan Herrera discovered object lifecycle issues.

CVE-2018-6069

Wanglu and Yangkang discovered a stack overflow issue in the skia library.

CVE-2018-6070

Rob Wu discovered a way to bypass the Content Security Policy.

CVE-2018-6071

A heap overflow issue was discovered in the skia library.

CVE-2018-6072

Atte Kettunen discovered an integer overflow issue in the pdfium library.

CVE-2018-6073

Omair discover a heap overflow issue in the WebGL implementation.

CVE-2018-6074

Abdulrahman Alqabandi discovered a way to cause a downloaded web page to not contain a Mark of the Web.

CVE-2018-6075

Inti De Ceukelaire discovered a way to bypass the Same Origin Policy.

CVE-2018-6076

Mateusz Krzeszowiec discovered that URL fragment identifiers could be handled incorrectly.

CVE-2018-6077

Khalil Zhani discovered a timing issue.

CVE-2018-6078

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6079

Ivars discovered an information disclosure issue.

CVE-2018-6080

Gal Beniamini discovered an information disclosure issue.

CVE-2018-6081

Rob Wu discovered a cross-site scripting issue.

CVE-2018-6082

WenXu Wu discovered a way to bypass blocked ports.

CVE-2018-6083

Jun Kokatsu discovered that AppManifests could be handled incorrectly.

CVE-2018-6085

Ned Williamson discovered a use-after-free issue.

CVE-2018-6086

Ned Williamson discovered a use-after-free issue.

CVE-2018-6087

A use-after-free issue was discovered in the WebAssembly implementation.

CVE-2018-6088

A use-after-free issue was discovered in the pdfium library.

CVE-2018-6089

Rob Wu discovered a way to bypass the Same Origin Policy.

CVE-2018-6090

ZhanJia Song discovered a heap overflow issue in the skia library.

CVE-2018-6091

Jun Kokatsu discovered that plugins could be handled incorrectly.

CVE-2018-6092

Natalie Silvanovich discovered an integer overflow issue in the WebAssembly implementation.

CVE-2018-6093

Jun Kokatsu discovered a way to bypass the Same Origin Policy.

CVE-2018-6094

Chris Rohlf discovered a regression in garbage collection hardening.

CVE-2018-6095

Abdulrahman Alqabandi discovered files could be uploaded without user interaction.

CVE-2018-6096

WenXu Wu discovered a user interface spoofing issue.

CVE-2018-6097

xisigr discovered a user interface spoofing issue.

CVE-2018-6098

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6099

Jun Kokatsu discovered a way to bypass the Cross Origin Resource Sharing mechanism.

CVE-2018-6100

Lnyas Zhang dsicovered a URL spoofing issue.

CVE-2018-6101

Rob Wu discovered an issue in the developer tools remote debugging protocol.

CVE-2018-6102

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6103

Khalil Zhani discovered a user interface spoofing issue.

CVE-2018-6104

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6105

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6106

lokihardt discovered that v8 promises could be handled incorrectly.

CVE-2018-6107

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6108

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6109

Dominik Weber discovered a way to misuse the FileAPI feature.

CVE-2018-6110

Wenxiang Qian discovered that local plain text files could be handled incorrectly.

CVE-2018-6111

Khalil Zhani discovered a use-after-free issue in the developer tools.

CVE-2018-6112

Khalil Zhani discovered incorrect handling of URLs in the developer tools.

CVE-2018-6113

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6114

Lnyas Zhang discovered a way to bypass the Content Security Policy.

CVE-2018-6116

Chengdu Security Response Center discovered an error when memory is low.

CVE-2018-6117

Spencer Dailey discovered an error in form autofill settings.

For the oldstable distribution (jessie), security support for chromium has been discontinued.

For the stable distribution (stretch), these problems have been fixed in version 66.0.3359.117-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium-browser

Original Source

Url : http://www.debian.org/security/2018/dsa-4182

CWE : Common Weakness Enumeration

% Id Name
21 % CWE-20 Improper Input Validation
18 % CWE-200 Information Exposure
12 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
9 % CWE-416 Use After Free
9 % CWE-190 Integer Overflow or Wraparound (CWE/SANS Top 25)
7 % CWE-19 Data Handling
5 % CWE-125 Out-of-bounds Read
5 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
4 % CWE-704 Incorrect Type Conversion or Cast
2 % CWE-732 Incorrect Permission Assignment for Critical Resource (CWE/SANS Top 25)
2 % CWE-706 Use of Incorrectly-Resolved Name or Reference
2 % CWE-476 NULL Pointer Dereference
2 % CWE-362 Race Condition
2 % CWE-269 Improper Privilege Management

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 4052
Application 1
Os 2
Os 4
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1

SnortĀ® IPS/IDS

Date Description
2020-02-13 Google V8 engine type confusion attempt
RuleID : 52602 - Revision : 1 - Type : BROWSER-CHROME
2020-02-13 Google V8 engine type confusion attempt
RuleID : 52601 - Revision : 1 - Type : BROWSER-CHROME
2020-01-23 Google Chrome V8 AwaitedPromise memory corruption attempt
RuleID : 52504 - Revision : 1 - Type : BROWSER-CHROME
2020-01-23 Google Chrome V8 AwaitedPromise memory corruption attempt
RuleID : 52503 - Revision : 1 - Type : BROWSER-CHROME
2019-10-08 Google Chrome V8 engine object instantiation heap corruption attempt
RuleID : 51428 - Revision : 2 - Type : BROWSER-CHROME
2019-10-08 Google Chrome V8 engine object instantiation heap corruption attempt
RuleID : 51427 - Revision : 2 - Type : BROWSER-CHROME

NessusĀ® Vulnerability Scanner

Date Description
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-b844991a97.nasl - Type : ACT_GATHER_INFO
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-aafdbb5554.nasl - Type : ACT_GATHER_INFO
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-94e1bc8c23.nasl - Type : ACT_GATHER_INFO
2018-06-06 Name : The remote Fedora host is missing a security update.
File : fedora_2018-812b5d5a71.nasl - Type : ACT_GATHER_INFO
2018-04-30 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4182.nasl - Type : ACT_GATHER_INFO
2018-04-27 Name : A web browser installed on the remote host is affected by multiple vulnerabil...
File : macosx_google_chrome_66_0_3359_117.nasl - Type : ACT_GATHER_INFO
2018-04-27 Name : A web browser installed on the remote Windows host is affected by multiple vu...
File : google_chrome_66_0_3359_117.nasl - Type : ACT_GATHER_INFO
2018-04-25 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_36ff7a7447b111e8a7d654e1ad544088.nasl - Type : ACT_GATHER_INFO
2018-04-24 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201804-22.nasl - Type : ACT_GATHER_INFO
2018-03-28 Name : The remote Fedora host is missing a security update.
File : fedora_2018-faff5f661e.nasl - Type : ACT_GATHER_INFO
2018-03-27 Name : The remote Fedora host is missing a security update.
File : fedora_2018-44e1c23700.nasl - Type : ACT_GATHER_INFO
2018-03-27 Name : The remote Fedora host is missing a security update.
File : fedora_2018-024afa2d48.nasl - Type : ACT_GATHER_INFO
2018-03-14 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201803-05.nasl - Type : ACT_GATHER_INFO