Bug 1154806 - VUL-0: chromium: multiple security issues fixed in 78.0.3904.70
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other Other
Importance: P3 - Medium : Major
Assigned To: Security Team bot
Reported: 2019-10-23 06:33 UTC by Andreas Stieger
Modified: 2020-01-15 15:50 UTC
Found By: Corporate Interoperability Test
Description Andreas Stieger 2019-10-23 06:33:06 UTC
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html

Fixed in 78.0.3904.70:

* CVE-2019-13699: Use-after-free in media
* CVE-2019-13700: Buffer overrun in Blink
* CVE-2019-13701: URL spoof in navigation
* CVE-2019-13702: Privilege elevation in Installer
* CVE-2019-13703: URL bar spoofing
* CVE-2019-13704: CSP bypass
* CVE-2019-13705: Extension permission bypass
* CVE-2019-13706: Out-of-bounds read in PDFium
* CVE-2019-13707: File storage disclosure
* CVE-2019-13708: HTTP authentication spoof
* CVE-2019-13709: File download protection bypass
* CVE-2019-13710: File download protection bypass
* CVE-2019-13711: Cross-context information leak
* CVE-2019-15903: Buffer overflow in expat
* CVE-2019-13713: Cross-origin data leak
* CVE-2019-13714: CSS injection
* CVE-2019-13715: Address bar spoofing
* CVE-2019-13716: Service worker state error
* CVE-2019-13717: Notification obscured
* CVE-2019-13718: IDN spoof
* CVE-2019-13719: Notification obscured
* Various fixes from internal audits, fuzzing and other initiatives
Comment 1 Tomáš Chvátal 2019-10-23 13:31:05 UTC
Submissions sent to TW/15.0 and 15.1 (SLE15 backports inherit from 15.0:Update).
Comment 2 Swamp Workflow Management 2019-10-23 14:10:10 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/742148 Factory / chromium
Comment 3 Swamp Workflow Management 2019-10-23 16:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/742206 15.0+15.1+Backports:SLE-15+Backports:SLE-15-SP1 / chromium+re2
Comment 4 Andreas Stieger 2019-10-23 18:14:29 UTC
(In reply to Tomáš Chvátal from comment #1)
> Submissions sent to TW/15.0 and 15.1

Did not go through - You could accept review on SR#742206 which also bumps re2.
Comment 5 Tomáš Chvátal 2019-10-24 03:53:42 UTC
(In reply to Andreas Stieger from comment #4)
> (In reply to Tomáš Chvátal from comment #1)
> > Submissions sent to TW/15.0 and 15.1
> 
> Did not go through - You could accept review on SR#742206 which also bumps
> re2.

Accepted. Interestingly it takes ages to do the 'osc sr' sending chromium somewhere and when I look on the terminal it just replied with timeout... :(
Comment 6 Swamp Workflow Management 2019-10-25 11:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/742853 Factory / chromium
Comment 7 Swamp Workflow Management 2019-10-25 13:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/742859 15.0+15.1+Backports:SLE-15+Backports:SLE-15-SP1 / chromium+re2
Comment 8 Swamp Workflow Management 2019-10-29 10:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/743804 15.0+15.1 / chromium+re2
Comment 9 Swamp Workflow Management 2019-10-29 12:20:09 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/743815 Factory / chromium
Comment 10 Swamp Workflow Management 2019-10-29 17:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/743876 15.0+15.1 / chromium+re2
Comment 11 Swamp Workflow Management 2019-11-01 12:30:08 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/744737 15.1 / chromium
https://build.opensuse.org/request/show/744738 15.0 / chromium
Comment 12 Swamp Workflow Management 2019-11-02 02:11:28 UTC
openSUSE-SU-2019:2420-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1154806
CVE References: CVE-2019-13699,CVE-2019-13700,CVE-2019-13701,CVE-2019-13702,CVE-2019-13703,CVE-2019-13704,CVE-2019-13705,CVE-2019-13706,CVE-2019-13707,CVE-2019-13708,CVE-2019-13709,CVE-2019-13710,CVE-2019-13711,CVE-2019-13713,CVE-2019-13714,CVE-2019-13715,CVE-2019-13716,CVE-2019-13717,CVE-2019-13718,CVE-2019-13719,CVE-2019-15903
Sources used:
openSUSE Leap 15.1 (src):    chromium-78.0.3904.70-lp151.2.39.1, re2-20190901-lp151.10.3.1
openSUSE Leap 15.0 (src):    chromium-78.0.3904.70-lp150.248.2, re2-20190901-lp150.25.1
Comment 13 Marcus Meissner 2019-11-02 19:00:34 UTC
released
Comment 14 Swamp Workflow Management 2019-11-03 02:11:14 UTC
openSUSE-SU-2019:2424-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1154806
CVE References: CVE-2019-13699,CVE-2019-13700,CVE-2019-13701,CVE-2019-13702,CVE-2019-13703,CVE-2019-13704,CVE-2019-13705,CVE-2019-13706,CVE-2019-13707,CVE-2019-13708,CVE-2019-13709,CVE-2019-13710,CVE-2019-13711,CVE-2019-13713,CVE-2019-13714,CVE-2019-13715,CVE-2019-13716,CVE-2019-13717,CVE-2019-13718,CVE-2019-13719,CVE-2019-15903
Sources used:
openSUSE Backports SLE-15 (src):    chromium-78.0.3904.70-bp150.240.1, re2-20190901-bp150.25.1
Comment 15 Swamp Workflow Management 2019-11-03 14:11:23 UTC
openSUSE-SU-2019:2425-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1154806
CVE References: CVE-2019-13699,CVE-2019-13700,CVE-2019-13701,CVE-2019-13702,CVE-2019-13703,CVE-2019-13704,CVE-2019-13705,CVE-2019-13706,CVE-2019-13707,CVE-2019-13708,CVE-2019-13709,CVE-2019-13710,CVE-2019-13711,CVE-2019-13713,CVE-2019-13714,CVE-2019-13715,CVE-2019-13716,CVE-2019-13717,CVE-2019-13718,CVE-2019-13719,CVE-2019-15903
Sources used:
openSUSE Backports SLE-15-SP1 (src):    chromium-78.0.3904.70-bp151.3.21.1, re2-20190901-bp151.6.3.1
Comment 16 Swamp Workflow Management 2019-11-04 12:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1154806) was mentioned in
https://build.opensuse.org/request/show/745163 Backports:SLE-12-SP3 / chromium
Comment 17 Swamp Workflow Management 2019-11-06 23:12:42 UTC
openSUSE-SU-2019:2447-1: An update that fixes 86 vulnerabilities is now available.

Category: security (important)
Bug References: 1143492,1144625,1145242,1146219,1149143,1150425,1151229,1153660,1154806,1155643
CVE References: CVE-2019-13659,CVE-2019-13660,CVE-2019-13661,CVE-2019-13662,CVE-2019-13663,CVE-2019-13664,CVE-2019-13665,CVE-2019-13666,CVE-2019-13667,CVE-2019-13668,CVE-2019-13669,CVE-2019-13670,CVE-2019-13671,CVE-2019-13673,CVE-2019-13674,CVE-2019-13675,CVE-2019-13676,CVE-2019-13677,CVE-2019-13678,CVE-2019-13679,CVE-2019-13680,CVE-2019-13681,CVE-2019-13682,CVE-2019-13683,CVE-2019-13685,CVE-2019-13686,CVE-2019-13687,CVE-2019-13688,CVE-2019-13693,CVE-2019-13694,CVE-2019-13695,CVE-2019-13696,CVE-2019-13697,CVE-2019-13699,CVE-2019-13700,CVE-2019-13701,CVE-2019-13702,CVE-2019-13703,CVE-2019-13704,CVE-2019-13705,CVE-2019-13706,CVE-2019-13707,CVE-2019-13708,CVE-2019-13709,CVE-2019-13710,CVE-2019-13711,CVE-2019-13713,CVE-2019-13714,CVE-2019-13715,CVE-2019-13716,CVE-2019-13717,CVE-2019-13718,CVE-2019-13719,CVE-2019-13720,CVE-2019-13721,CVE-2019-15903,CVE-2019-5850,CVE-2019-5851,CVE-2019-5852,CVE-2019-5853,CVE-2019-5854,CVE-2019-5855,CVE-2019-5856,CVE-2019-5857,CVE-2019-5858,CVE-2019-5859,CVE-2019-5860,CVE-2019-5861,CVE-2019-5862,CVE-2019-5863,CVE-2019-5864,CVE-2019-5865,CVE-2019-5867,CVE-2019-5868,CVE-2019-5869,CVE-2019-5870,CVE-2019-5871,CVE-2019-5872,CVE-2019-5874,CVE-2019-5875,CVE-2019-5876,CVE-2019-5877,CVE-2019-5878,CVE-2019-5879,CVE-2019-5880,CVE-2019-5881
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    chromium-78.0.3904.87-10.1
Comment 18 Alexander Bergmann 2020-01-07 07:27:21 UTC
The following CVE has also been fixed by chromium 77.0.3865.75:

CVE-2019-13765


References:
https://nvd.nist.gov/vuln/detail/CVE-2019-13765
Comment 19 Swamp Workflow Management 2020-01-13 11:11:04 UTC
openSUSE-SU-2020:0010-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1154806
CVE References: CVE-2019-13699,CVE-2019-13700,CVE-2019-13701,CVE-2019-13702,CVE-2019-13703,CVE-2019-13704,CVE-2019-13705,CVE-2019-13706,CVE-2019-13707,CVE-2019-13708,CVE-2019-13709,CVE-2019-13710,CVE-2019-13711,CVE-2019-13713,CVE-2019-13714,CVE-2019-13715,CVE-2019-13716,CVE-2019-13717,CVE-2019-13718,CVE-2019-13719,CVE-2019-15903
Sources used:
openSUSE Backports SLE-15-SP1 (src):    chromium-78.0.3904.70-bp151.3.50.1, re2-20190901-bp151.6.9.1