svn commit: r463915 - head/security/vuxml

Thu Mar 8 19:28:07 UTC 2018

Author: riggs
Date: Thu Mar  8 19:28:06 2018
New Revision: 463915
URL: https://svnweb.freebsd.org/changeset/ports/463915

Log:
  Document vulnerabilities in www/chromium before 65.0.3325.146
  
  Submitted by:	Tommi Pernila <tommi.pernila at iki.fi> (via e-mail)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================

--- head/security/vuxml/vuln.xml	Thu Mar  8 19:10:29 2018	(r463914)
+++ head/security/vuxml/vuln.xml	Thu Mar  8 19:28:06 2018	(r463915)
@@ -58,6 +58,88 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="555af074-22b9-11e8-9799-54ee754af08e">
+<topic>chromium -- vulnerability</topic>
+ <affects>
+   <package>
+     <name>chromium</name>
+     <range><lt>65.0.3325.146</lt></range>
+   </package>
+ </affects>
+ <description>
+   <body xmlns="http://www.w3.org/1999/xhtml">
+     <p>Google Chrome Releases reports:</p>
+     <blockquote cite="https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html">
+       <p>45 security fixes in this release:</p>
+       <ul>
+	 <li>[758848] High CVE-2017-11215: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25</li>
+	 <li>[758863] High CVE-2017-11225: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25</li>
+	 <li>[780919] High CVE-2018-6060: Use after free in Blink. Reported by Omair on 2017-11-02</li>
+	 <li>[794091] High CVE-2018-6061: Race condition in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2017-12-12</li>
+	 <li>[780104] High CVE-2018-6062: Heap buffer overflow in Skia. Reported by Anonymous on 2017-10-31</li>
+	 <li>[789959] High CVE-2018-6057: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-11-30</li>
+	 <li>[792900] High CVE-2018-6063: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-12-07</li>
+	 <li>[798644] High CVE-2018-6064: Type confusion in V8. Reported by lokihardt of Google Project Zero on 2018-01-03</li>
+	 <li>[808192] High CVE-2018-6065: Integer overflow in V8. Reported by Mark Brand of Google Project Zero on 2018-02-01</li>
+	 <li>[799477] Medium CVE-2018-6066: Same Origin Bypass via canvas. Reported by Masato Kinugawa on 2018-01-05</li>
+	 <li>[779428] Medium CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson on 2017-10-30</li>
+	 <li>[779428] Medium CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson on 2017-10-30</li>
+	 <li>[799918] Medium CVE-2018-6069: Stack buffer overflow in Skia. Reported by Wanglu and Yangkang(@dnpushme) of Qihoo360 Qex Team on 2018-01-08</li>
+	 <li>[668645] Medium CVE-2018-6070: CSP bypass through extensions. Reported by Rob Wu on 2016-11-25</li>
+	 <li>[777318] Medium CVE-2018-6071: Heap bufffer overflow in Skia. Reported by Anonymous on 2017-10-23</li>
+	 <li>[791048] Medium CVE-2018-6072: Integer overflow in PDFium. Reported by Atte Kettunen of OUSPG on 2017-12-01</li>
+	 <li>[804118] Medium CVE-2018-6073: Heap bufffer overflow in WebGL. Reported by Omair on 2018-01-20</li>
+	 <li>[809759] Medium CVE-2018-6074: Mark-of-the-Web bypass. Reported by Abdulrahman Alqabandi (@qab) on 2018-02-06</li>
+	 <li>[608669] Medium CVE-2018-6075: Overly permissive cross origin downloads. Reported by Inti De Ceukelaire (intigriti.com) on 2016-05-03</li>
+	 <li>[758523] Medium CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink. Reported by Mateusz Krzeszowiec on 2017-08-24</li>
+	 <li>[778506] Medium CVE-2018-6077: Timing attack using SVG filters. Reported by Khalil Zhani on 2017-10-26</li>
+	 <li>[793628] Medium CVE-2018-6078: URL Spoof in OmniBox. Reported by Khalil Zhani on 2017-12-10</li>
+	 <li>[788448] Medium CVE-2018-6079: Information disclosure via texture data in WebGL. Reported by Ivars Atteka on 2017-11-24</li>
+	 <li>[792028] Medium CVE-2018-6080: Information disclosure in IPC call. Reported by Gal Beniamini of Google Project Zero on 2017-12-05</li>
+	 <li>[797525] Low CVE-2018-6081: XSS in interstitials. Reported by Rob Wu on 2017-12-24</li>
+	 <li>[767354] Low CVE-2018-6082: Circumvention of port blocking. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-09-21</li>
+	 <li>[771709] Low CVE-2018-6083: Incorrect processing of AppManifests. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04</li>
+       </ul>
+     </blockquote>
+   </body>
+ </description>
+ <references>
+   <cvename>CVE-2017-11215</cvename>
+   <cvename>CVE-2017-11225</cvename>
+   <cvename>CVE-2018-6060</cvename>
+   <cvename>CVE-2018-6061</cvename>
+   <cvename>CVE-2018-6060</cvename>
+   <cvename>CVE-2018-6061</cvename>
+   <cvename>CVE-2018-6062</cvename>
+   <cvename>CVE-2018-6057</cvename>
+   <cvename>CVE-2018-6063</cvename>
+   <cvename>CVE-2018-6064</cvename>
+   <cvename>CVE-2018-6065</cvename>
+   <cvename>CVE-2018-6066</cvename>
+   <cvename>CVE-2018-6067</cvename>
+   <cvename>CVE-2018-6069</cvename>
+   <cvename>CVE-2018-6070</cvename>
+   <cvename>CVE-2018-6071</cvename>
+   <cvename>CVE-2018-6072</cvename>
+   <cvename>CVE-2018-6073</cvename>
+   <cvename>CVE-2018-6074</cvename>
+   <cvename>CVE-2018-6075</cvename>
+   <cvename>CVE-2018-6076</cvename>
+   <cvename>CVE-2018-6077</cvename>
+   <cvename>CVE-2018-6078</cvename>
+   <cvename>CVE-2018-6079</cvename>
+   <cvename>CVE-2018-6080</cvename>
+   <cvename>CVE-2018-6081</cvename>
+   <cvename>CVE-2018-6082</cvename>
+   <cvename>CVE-2018-6083</cvename>
+   <url>https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+   <discovery>2016-05-03</discovery>
+   <entry>2018-03-08</entry>
+ </dates>
+</vuln>
+
   <vuln vid="c5ab620f-4576-4ad5-b51f-93e4fec9cd0e">
     <topic>wireshark -- multiple security issues</topic>
     <affects>
