Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1325-1 Final 1 1 2019-05-04T08:20:05Z current 2019-05-04T08:20:05Z 2019-05-04T08:20:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: Chromium was updated to 74.0.3729.108 boo#1133313: * CVE-2019-5805: Use after free in PDFium * CVE-2019-5806: Integer overflow in Angle * CVE-2019-5807: Memory corruption in V8 * CVE-2019-5808: Use after free in Blink * CVE-2019-5809: Use after free in Blink * CVE-2019-5810: User information disclosure in Autofill * CVE-2019-5811: CORS bypass in Blink * CVE-2019-5813: Out of bounds read in V8 * CVE-2019-5814: CORS bypass in Blink * CVE-2019-5815: Heap buffer overflow in Blink * CVE-2019-5818: Uninitialized value in media reader * CVE-2019-5819: Incorrect escaping in developer tools * CVE-2019-5820: Integer overflow in PDFium * CVE-2019-5821: Integer overflow in PDFium * CVE-2019-5822: CORS bypass in download manager * CVE-2019-5823: Forced navigation from service worker * CVE-2019-5812: URL spoof in Omnibox on iOS * CVE-2019-5816: Exploit persistence extension on Android * CVE-2019-5817: Heap buffer overflow in Angle on Windows - Update conditions to use system harfbuzz on TW+ - Require java during build - Enable using pipewire when available The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1325 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html E-Mail link for openSUSE-SU-2019:1325-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1133313 SUSE Bug 1133313 https://www.suse.com/security/cve/CVE-2019-5805/ SUSE CVE CVE-2019-5805 page https://www.suse.com/security/cve/CVE-2019-5806/ SUSE CVE CVE-2019-5806 page https://www.suse.com/security/cve/CVE-2019-5807/ SUSE CVE CVE-2019-5807 page https://www.suse.com/security/cve/CVE-2019-5808/ SUSE CVE CVE-2019-5808 page https://www.suse.com/security/cve/CVE-2019-5809/ SUSE CVE CVE-2019-5809 page https://www.suse.com/security/cve/CVE-2019-5810/ SUSE CVE CVE-2019-5810 page https://www.suse.com/security/cve/CVE-2019-5811/ SUSE CVE CVE-2019-5811 page https://www.suse.com/security/cve/CVE-2019-5812/ SUSE CVE CVE-2019-5812 page https://www.suse.com/security/cve/CVE-2019-5813/ SUSE CVE CVE-2019-5813 page https://www.suse.com/security/cve/CVE-2019-5814/ SUSE CVE CVE-2019-5814 page https://www.suse.com/security/cve/CVE-2019-5815/ SUSE CVE CVE-2019-5815 page https://www.suse.com/security/cve/CVE-2019-5816/ SUSE CVE CVE-2019-5816 page https://www.suse.com/security/cve/CVE-2019-5817/ SUSE CVE CVE-2019-5817 page https://www.suse.com/security/cve/CVE-2019-5818/ SUSE CVE CVE-2019-5818 page https://www.suse.com/security/cve/CVE-2019-5819/ SUSE CVE CVE-2019-5819 page https://www.suse.com/security/cve/CVE-2019-5820/ SUSE CVE CVE-2019-5820 page https://www.suse.com/security/cve/CVE-2019-5821/ SUSE CVE CVE-2019-5821 page https://www.suse.com/security/cve/CVE-2019-5822/ SUSE CVE CVE-2019-5822 page https://www.suse.com/security/cve/CVE-2019-5823/ SUSE CVE CVE-2019-5823 page openSUSE Leap 15.0 chromedriver-74.0.3729.108-lp150.209.2 chromium-74.0.3729.108-lp150.209.2 chromedriver-74.0.3729.108-lp150.209.2 as a component of openSUSE Leap 15.0 chromium-74.0.3729.108-lp150.209.2 as a component of openSUSE Leap 15.0 Use-after-free in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2019-5805 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5805.html CVE-2019-5805 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Integer overflow in ANGLE in Google Chrome on Windows prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5806 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5806.html CVE-2019-5806 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Object lifetime issue in V8 in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5807 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5807.html CVE-2019-5807 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Use after free in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5808 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5808.html CVE-2019-5808 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Use after free in file chooser in Google Chrome prior to 74.0.3729.108 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. CVE-2019-5809 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5809.html CVE-2019-5809 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Information leak in autofill in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVE-2019-5810 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5810.html CVE-2019-5810 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Incorrect handling of CORS in ServiceWorker in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page. CVE-2019-5811 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5811.html CVE-2019-5811 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Inadequate security UI in iOS UI in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to perform domain spoofing via a crafted HTML page. CVE-2019-5812 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5812.html CVE-2019-5812 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Use after free in V8 in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5813 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5813.html CVE-2019-5813 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Insufficient policy enforcement in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2019-5814 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5814.html CVE-2019-5814 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data. CVE-2019-5815 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5815.html CVE-2019-5815 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Process lifetime issue in Chrome in Google Chrome on Android prior to 74.0.3729.108 allowed a remote attacker to potentially persist an exploited process via a crafted HTML page. CVE-2019-5816 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5816.html CVE-2019-5816 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-5817 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5817.html CVE-2019-5817 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Uninitialized data in media in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted video file. CVE-2019-5818 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5818.html CVE-2019-5818 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Insufficient data validation in developer tools in Google Chrome on OS X prior to 74.0.3729.108 allowed a local attacker to execute arbitrary code via a crafted string copied to clipboard. CVE-2019-5819 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5819.html CVE-2019-5819 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2019-5820 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5820.html CVE-2019-5820 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2019-5821 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5821.html CVE-2019-5821 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Inappropriate implementation in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page. CVE-2019-5822 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5822.html CVE-2019-5822 https://bugzilla.suse.com/1133313 SUSE Bug 1133313 Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. CVE-2019-5823 openSUSE Leap 15.0:chromedriver-74.0.3729.108-lp150.209.2 openSUSE Leap 15.0:chromium-74.0.3729.108-lp150.209.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00009.html https://www.suse.com/security/cve/CVE-2019-5823.html CVE-2019-5823 https://bugzilla.suse.com/1133313 SUSE Bug 1133313