Subject: [ASA-201911-2] qt5-webengine: arbitrary code execution Arch Linux Security Advisory ASA-201911-2 ========================================= Severity: Critical Date : 2019-11-02 CVE-ID : CVE-2019-13720 Package : qt5-webengine Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1059 Summary ======= The package qt5-webengine before version 5.13.2-2 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 5.13.2-2. # pacman -Syu "qt5-webengine>=5.13.2-2" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== A use-after-free vulnerability has been found in the audio component of the chromium browser before 78.0.3904.87. Google is aware of reports that an exploit for this vulnerability exists in the wild. Impact ====== A remote attacker can execute arbitrary code on the affected host. References ========== https://bugs.archlinux.org/task/64347 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=d6e5fc10e417efdf8665d9fba57c269f0534072f https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html https://crbug.com/1019226 https://security.archlinux.org/CVE-2019-13720