Arch Linux Security Advisory ASA-202101-6 ========================================= Severity: High Date : 2021-01-08 CVE-ID : CVE-2020-15995 CVE-2020-16043 CVE-2021-21106 CVE-2021-21107 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111 CVE-2021-21112 CVE-2021-21113 CVE-2021-21114 CVE-2021-21115 CVE-2021-21116 Package : chromium Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1414 Summary ======= The package chromium before version 87.0.4280.141-1 is vulnerable to multiple issues including access restriction bypass, arbitrary code execution and insufficient validation. Resolution ========== Upgrade to 87.0.4280.141-1. # pacman -Syu "chromium>=87.0.4280.141-1" The problems have been fixed upstream in version 87.0.4280.141. Workaround ========== None. Description =========== - CVE-2020-15995 (arbitrary code execution) An out of bounds write security issue has been found in the V8 component of the Chromium browser before version 87.0.4280.141. - CVE-2020-16043 (insufficient validation) An insufficient data validation security issue has been found in the networking component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21106 (arbitrary code execution) A use after free security issue has been found in the autofill component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21107 (arbitrary code execution) A use after free security issue has been found in the drag and drop component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21108 (arbitrary code execution) A use after free security issue has been found in the media component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21109 (arbitrary code execution) A use after free security issue has been found in the payments component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21110 (arbitrary code execution) A use after free security issue has been found in the safe browsing component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21111 (access restriction bypass) An insufficient policy enforcement security issue has been found in the WebUI component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21112 (arbitrary code execution) A use after free security issue has been found in the Blink component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21113 (arbitrary code execution) A heap buffer overflow security issue has been found in the Skia component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21114 (arbitrary code execution) A use after free security issue has been found in the audio component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21115 (arbitrary code execution) A use after free security issue has been found in the safe browsing component of the Chromium browser before version 87.0.4280.141. - CVE-2021-21116 (arbitrary code execution) A heap buffer overflow security issue has been found in the audio component of the Chromium browser before version 87.0.4280.141. Impact ====== A remote attacker might be able to bypass security restrictions and execute arbitrary code. References ========== https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html https://crbug.com/1157790 https://crbug.com/1148309 https://crbug.com/1148749 https://crbug.com/1153595 https://crbug.com/1155426 https://crbug.com/1152334 https://crbug.com/1152451 https://crbug.com/1149125 https://crbug.com/1151298 https://crbug.com/1155178 https://crbug.com/1150065 https://crbug.com/1157814 https://crbug.com/1151069 https://security.archlinux.org/CVE-2020-15995 https://security.archlinux.org/CVE-2020-16043 https://security.archlinux.org/CVE-2021-21106 https://security.archlinux.org/CVE-2021-21107 https://security.archlinux.org/CVE-2021-21108 https://security.archlinux.org/CVE-2021-21109 https://security.archlinux.org/CVE-2021-21110 https://security.archlinux.org/CVE-2021-21111 https://security.archlinux.org/CVE-2021-21112 https://security.archlinux.org/CVE-2021-21113 https://security.archlinux.org/CVE-2021-21114 https://security.archlinux.org/CVE-2021-21115 https://security.archlinux.org/CVE-2021-21116