[ASA-201911-7] electron: arbitrary code execution

2019-11-04T00:00:00
ID ASA-201911-7
Type archlinux
Reporter ArchLinux
Modified 2019-11-04T00:00:00

Description

Arch Linux Security Advisory ASA-201911-7

Severity: Critical
Date    : 2019-11-04
CVE-ID  : CVE-2019-13720
Package : electron
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1061

Summary

The package electron before version 7.0.1-1 is vulnerable to arbitrary code execution.

Resolution

Upgrade to 7.0.1-1.

pacman -Syu "electron>=7.0.1-1"

The problem has been fixed upstream in version 7.0.1.

Workaround

None.

Description

A use-after-free vulnerability has been found in the audio component of the Chromium browser before 78.0.3904.87. Google is aware of reports that an exploit for this vulnerability exists in the wild.

Impact

A remote attacker can execute arbitrary code on the affected host.

References

https://github.com/electron/electron/commit/25b3ee29cf9a8e3f59dcbabf7345b5b1360cd056
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
https://crbug.com/1019226
https://security.archlinux.org/CVE-2019-13720