This issue was addressed by disabling the rendering feature of HTML in the web view. For more information, see this Chromium issue. Lacros prior to 105.0.5195.52 allowed a remote attacker to cause a denial of service (Lacos OOM condition) via a crafted HTML page. This issue was addressed by limiting the amount of IO that can be generated when a page is loaded. For example, this can be mitigated by limiting the number of images that can be requested. The amount of IO that can be generated is controlled by setting a limit in the web view configuration. For example, setting a limit of 1 MB can mitigate this issue.
CVE-2019-0387
This issue was addressed by removing the rendering feature of HTML in the web view, which prevents a remote attacker from causing issues.
Summary of the Issue
A remote attacker can cause a denial of service (Lacos OOM condition) via a crafted HTML page.
Networking vulnerabilities
The following vulnerabilities were addressed by updating the networking libraries to use the current recommended practices for SSL/TLS: CVE-2012-6548, CVE-2013-6456, CVE-2014-1685.
CVE-2023-3050
This issue was addressed by not allowing the user to select any text on a PDF file that has been opened in a text editor. For example, this can be mitigated by disabling selected text selection when opening documents in the web view.
How do I know if my web browser is vulnerable?
The following web browsers are affected by this issue:
- Microsoft Edge
- Firefox ESR
- Google Chrome
Timeline
Published on: 09/26/2022 16:15:00 UTC
Last modified on: 10/03/2022 02:15:00 UTC
References
- https://crbug.com/1316892
- https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html
- https://security.gentoo.org/glsa/202209-23
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3049