Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1214-1 Final 1 1 2020-08-15T12:18:31Z current 2020-08-15T12:18:31Z 2020-08-15T12:18:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: - Chromium updated to 84.0.4147.125 (boo#1175085) * CVE-2020-6542: Use after free in ANGLE * CVE-2020-6543: Use after free in task scheduling * CVE-2020-6544: Use after free in media * CVE-2020-6545: Use after free in audio * CVE-2020-6546: Inappropriate implementation in installer * CVE-2020-6547: Incorrect security UI in media * CVE-2020-6548: Heap buffer overflow in Skia * CVE-2020-6549: Use after free in media * CVE-2020-6550: Use after free in IndexedDB * CVE-2020-6551: Use after free in WebXR * CVE-2020-6552: Use after free in Blink * CVE-2020-6553: Use after free in offline mode * CVE-2020-6554: Use after free in extensions * CVE-2020-6555: Out of bounds read in WebGL * Various fixes from internal audits, fuzzing and other initiatives - Disable wayland everywhere as it breaks headless and middle mouse copy everywhere: boo#1174497 boo#1175044 This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1214 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ E-Mail link for openSUSE-SU-2020:1214-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1174497 SUSE Bug 1174497 https://bugzilla.suse.com/1175044 SUSE Bug 1175044 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 https://www.suse.com/security/cve/CVE-2020-6542/ SUSE CVE CVE-2020-6542 page https://www.suse.com/security/cve/CVE-2020-6543/ SUSE CVE CVE-2020-6543 page https://www.suse.com/security/cve/CVE-2020-6544/ SUSE CVE CVE-2020-6544 page https://www.suse.com/security/cve/CVE-2020-6545/ SUSE CVE CVE-2020-6545 page https://www.suse.com/security/cve/CVE-2020-6546/ SUSE CVE CVE-2020-6546 page https://www.suse.com/security/cve/CVE-2020-6547/ SUSE CVE CVE-2020-6547 page https://www.suse.com/security/cve/CVE-2020-6548/ SUSE CVE CVE-2020-6548 page https://www.suse.com/security/cve/CVE-2020-6549/ SUSE CVE CVE-2020-6549 page https://www.suse.com/security/cve/CVE-2020-6550/ SUSE CVE CVE-2020-6550 page https://www.suse.com/security/cve/CVE-2020-6551/ SUSE CVE CVE-2020-6551 page https://www.suse.com/security/cve/CVE-2020-6552/ SUSE CVE CVE-2020-6552 page https://www.suse.com/security/cve/CVE-2020-6553/ SUSE CVE CVE-2020-6553 page https://www.suse.com/security/cve/CVE-2020-6554/ SUSE CVE CVE-2020-6554 page https://www.suse.com/security/cve/CVE-2020-6555/ SUSE CVE CVE-2020-6555 page SUSE Package Hub 15 SP1 chromedriver-84.0.4147.125-bp151.3.100.1 chromium-84.0.4147.125-bp151.3.100.1 chromedriver-84.0.4147.125-bp151.3.100.1 as a component of SUSE Package Hub 15 SP1 chromium-84.0.4147.125-bp151.3.100.1 as a component of SUSE Package Hub 15 SP1 Use after free in ANGLE in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6542 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6542.html CVE-2020-6542 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in task scheduling in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6543 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6543.html CVE-2020-6543 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in media in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6544 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6544.html CVE-2020-6544 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in audio in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6545 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6545.html CVE-2020-6545 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Inappropriate implementation in installer in Google Chrome prior to 84.0.4147.125 allowed a local attacker to potentially elevate privilege via a crafted filesystem. CVE-2020-6546 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6546.html CVE-2020-6546 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Incorrect security UI in media in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially obtain sensitive information via a crafted HTML page. CVE-2020-6547 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6547.html CVE-2020-6547 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Heap buffer overflow in Skia in Google Chrome prior to 84.0.4147.125 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6548 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6548.html CVE-2020-6548 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in media in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6549 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6549.html CVE-2020-6549 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6550 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6550.html CVE-2020-6550 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in WebXR in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6551 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6551.html CVE-2020-6551 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in Blink in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6552 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6552.html CVE-2020-6552 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in offline mode in Google Chrome on iOS prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6553 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6553.html CVE-2020-6553 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Use after free in extensions in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted Chrome Extension. CVE-2020-6554 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6554.html CVE-2020-6554 https://bugzilla.suse.com/1175085 SUSE Bug 1175085 Out of bounds read in WebGL in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVE-2020-6555 SUSE Package Hub 15 SP1:chromedriver-84.0.4147.125-bp151.3.100.1 SUSE Package Hub 15 SP1:chromium-84.0.4147.125-bp151.3.100.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I7WN53GENVXTEQIEUETN4C42SMQHSFVS/ https://www.suse.com/security/cve/CVE-2020-6555.html CVE-2020-6555 https://bugzilla.suse.com/1175085 SUSE Bug 1175085