[ASA-202101-6] chromium: multiple issues

2021-01-08T00:00:00
ID ASA-202101-6
Type archlinux
Reporter ArchLinux
Modified 2021-01-08T00:00:00

Description

Arch Linux Security Advisory ASA-202101-6

Severity: High
Date    : 2021-01-08
CVE-ID  : CVE-2020-15995 CVE-2020-16043 CVE-2021-21106 CVE-2021-21107
          CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111
          CVE-2021-21112 CVE-2021-21113 CVE-2021-21114 CVE-2021-21115
          CVE-2021-21116
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1414

Summary

The package chromium before version 87.0.4280.141-1 is vulnerable to multiple issues including access restriction bypass, arbitrary code execution and insufficient validation.

Resolution

Upgrade to 87.0.4280.141-1.

pacman -Syu "chromium>=87.0.4280.141-1"

The problems have been fixed upstream in version 87.0.4280.141.
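To triage a host against this advisory, the following shell script is an added example and not part of the Arch advisory: it takes the output of pacman -Q chromium and reports whether the installed package is older than the first fixed version, 87.0.4280.141-1. It uses pacman's own vercmp when the script runs on Arch and falls back to GNU sort -V elsewhere; the function names, the sort -V fallback and the sample version strings in the calls at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example for ASA-202101-6, not part of the Arch advisory itself:
# decide from a `pacman -Q chromium` line whether the installed build
# predates 87.0.4280.141-1, the first fixed package version.
FIXED_VERSION="87.0.4280.141-1"

# version_lt A B: succeed if pacman version A is strictly older than B.
# On Arch this defers to vercmp(8), which implements pacman's full ordering
# (epochs, alphanumeric suffixes). Off Arch it falls back to GNU sort -V,
# which is only reliable for plain numeric pkgver-pkgrel strings like these.
version_lt() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
        return
    fi
    if [ "$1" = "$2" ]; then
        return 1
    fi
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# chromium_status "<output of pacman -Q chromium>": print one verdict line.
# Always returns 0 so it is safe under set -e; the text carries the result.
chromium_status() {
    pkgver=$(printf '%s\n' "$1" | awk '$1 == "chromium" { print $2 }')
    if [ -z "$pkgver" ]; then
        printf 'NOT_INSTALLED: chromium\n'
        return 0
    fi
    if version_lt "$pkgver" "$FIXED_VERSION"; then
        printf 'VULNERABLE: chromium %s < %s (ASA-202101-6)\n' "$pkgver" "$FIXED_VERSION"
    else
        printf 'OK: chromium %s >= %s\n' "$pkgver" "$FIXED_VERSION"
    fi
    return 0
}

# On a live Arch system:
#   chromium_status "$(pacman -Q chromium 2>/dev/null)"
# Constructed sample inputs so the script runs offline:
chromium_status "chromium 87.0.4280.88-1"     # constructed older version
chromium_status "chromium 87.0.4280.141-1"    # first fixed build
chromium_status ""                            # package absent
```

A package upgrade only replaces the files on disk: a Chromium instance that was already running keeps the old code mapped until it is restarted, and on Linux /proc/<pid>/exe for such a process points at a path marked "(deleted)". Check for that after the upgrade rather than trusting the package version alone.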

Workaround

None.

Description

  • CVE-2020-15995 (arbitrary code execution)

An out of bounds write security issue has been found in the V8 component of the Chromium browser before version 87.0.4280.141.

  • CVE-2020-16043 (insufficient validation)

An insufficient data validation security issue has been found in the networking component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21106 (arbitrary code execution)

A use after free security issue has been found in the autofill component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21107 (arbitrary code execution)

A use after free security issue has been found in the drag and drop component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21108 (arbitrary code execution)

A use after free security issue has been found in the media component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21109 (arbitrary code execution)

A use after free security issue has been found in the payments component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21110 (arbitrary code execution)

A use after free security issue has been found in the safe browsing component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21111 (access restriction bypass)

An insufficient policy enforcement security issue has been found in the WebUI component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21112 (arbitrary code execution)

A use after free security issue has been found in the Blink component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21113 (arbitrary code execution)

A heap buffer overflow security issue has been found in the Skia component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21114 (arbitrary code execution)

A use after free security issue has been found in the audio component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21115 (arbitrary code execution)

A use after free security issue has been found in the safe browsing component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21116 (arbitrary code execution)

A heap buffer overflow security issue has been found in the audio component of the Chromium browser before version 87.0.4280.141.

Impact

A remote attacker might be able to bypass security restrictions and execute arbitrary code.

References

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
https://crbug.com/1157790
https://crbug.com/1148309
https://crbug.com/1148749
https://crbug.com/1153595
https://crbug.com/1155426
https://crbug.com/1152334
https://crbug.com/1152451
https://crbug.com/1149125
https://crbug.com/1151298
https://crbug.com/1155178
https://crbug.com/1150065
https://crbug.com/1157814
https://crbug.com/1151069
https://security.archlinux.org/CVE-2020-15995
https://security.archlinux.org/CVE-2020-16043
https://security.archlinux.org/CVE-2021-21106
https://security.archlinux.org/CVE-2021-21107
https://security.archlinux.org/CVE-2021-21108
https://security.archlinux.org/CVE-2021-21109
https://security.archlinux.org/CVE-2021-21110
https://security.archlinux.org/CVE-2021-21111
https://security.archlinux.org/CVE-2021-21112
https://security.archlinux.org/CVE-2021-21113
https://security.archlinux.org/CVE-2021-21114
https://security.archlinux.org/CVE-2021-21115
https://security.archlinux.org/CVE-2021-21116