SB2020092332 - OpenSUSE Linux update for chromium

Description

This security bulletin contains information about 19 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-15959)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in networking in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and compromise the affected system.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-6558)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in iOS in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and compromise the affected system.

3) Use-after-free (CVE-ID: CVE-2020-6559)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the presentation API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-6560)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in autofill in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

5) Improperly implemented security check for standard (CVE-ID: CVE-2020-6561)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Content Security Policy in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-6562)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Blink in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-6563)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in intent handling in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

8) Spoofing attack (CVE-ID: CVE-2020-6564)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in permissions in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

9) Spoofing attack (CVE-ID: CVE-2020-6565)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Omnibox in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-6566)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in media in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

11) Input validation error (CVE-ID: CVE-2020-6567)

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a improper input validation in command line handling in Google Chrome. A remote attacker can trick the victim to perform certain actions in browser and crash it.

12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-6568)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in intent handling in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

13) Integer overflow (CVE-ID: CVE-2020-6569)

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a integer overflow in WebUSB in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and crash the browser.

14) Cryptographic issues (CVE-ID: CVE-2020-6570)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to side-channel information leak in WebRTC. Chrome Low. A remote attacker can create a specially crafted web page, trick the victim into opening it and gain access to sensitive information.

15) Spoofing attack (CVE-ID: CVE-2020-6571)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Omnibox in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

16) Use-after-free (CVE-ID: CVE-2020-6573)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the video component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

17) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-6574)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in installer in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and compromise the affected system.

18) Race condition (CVE-ID: CVE-2020-6575)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition in Mojo in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the target system.

19) Use-after-free (CVE-ID: CVE-2020-6576)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the offscreen canvas component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Remediation

Install update from vendor's website.

References

• https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00078.html