[manjaro-security] [ASA-201911-2] qt5-webengine: arbitrary code execution
Morten Linderud
foxboron at archlinux.org
Sat Nov 2 19:50:40 CET 2019
Arch Linux Security Advisory ASA-201911-2
=========================================
Severity: Critical
Date : 2019-11-02
CVE-ID : CVE-2019-13720
Package : qt5-webengine
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1059
Summary
=======
The package qt5-webengine before version 5.13.2-2 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 5.13.2-2.
# pacman -Syu "qt5-webengine>=5.13.2-2"
The problem has been fixed upstream but no release is available yet.
Workaround
==========
None.
Description
===========
A use-after-free vulnerability has been found in the audio component of
the chromium browser before 78.0.3904.87. Google is aware of reports
that an exploit for this vulnerability exists in the wild.
Impact
======
A remote attacker can execute arbitrary code on the affected host.
References
==========
https://bugs.archlinux.org/task/64347
https://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=d6e5fc10e417efdf8665d9fba57c269f0534072f
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
https://crbug.com/1019226
https://security.archlinux.org/CVE-2019-13720
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20191102/97057e4c/attachment.sig>
More information about the manjaro-security
mailing list