Arch Linux Security Advisory ASA-202103-19 ========================================== Severity: High Date : 2021-03-25 CVE-ID : CVE-2020-27844 CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162 CVE-2021-21163 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 CVE-2021-21179 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2021-21191 CVE-2021-21192 CVE-2021-21193 Package : vivaldi Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1633 Summary ======= The package vivaldi before version 3.7.2218.45-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, access restriction bypass, content spoofing, incorrect calculation and information disclosure. Resolution ========== Upgrade to 3.7.2218.45-1. # pacman -Syu "vivaldi>=3.7.2218.45-1" The problems have been fixed upstream in version 3.7.2218.45. Workaround ========== None. Description =========== - CVE-2020-27844 (arbitrary code execution) A heap-based buffer overflow was discovered in lib/openjp2/t2.c:973 in the current master (commit 18b1138fbe3bb0ae4aa2bf1369f9430a8ec6fa00) of OpenJPEG. - CVE-2021-21159 (arbitrary code execution) A heap buffer overflow security issue was found in the TabStrip component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21160 (arbitrary code execution) A heap buffer overflow security issue was found in the WebAudio component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21161 (arbitrary code execution) A heap buffer overflow security issue was found in the TabStrip component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21162 (arbitrary code execution) A use after free security issue was found in the WebRTC component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21163 (insufficient validation) An insufficient data validation security issue was found in the Reader Mode component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21165 (arbitrary code execution) An object lifecycle security issue was found in the audio component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21166 (arbitrary code execution) An object lifecycle security issue was found in the audio component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21167 (arbitrary code execution) A use after free security issue was found in the bookmarks component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21168 (access restriction bypass) An insufficient policy enforcement security issue was found in the appcache component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21169 (information disclosure) An out of bounds memory access security issue was found in the V8 component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21170 (content spoofing) An incorrect security UI security issue was found in the Loader component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21171 (content spoofing) An incorrect security UI security issue was found in the TabStrip and Navigation components of the Chromium browser before version 89.0.4389.72. - CVE-2021-21172 (access restriction bypass) An insufficient policy enforcement security issue was found in the File System API component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21173 (information disclosure) A side-channel information leakage security issue was found in the Network Internals component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21174 (incorrect calculation) An inappropriate implementation security issue was found in the Referrer component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21175 (incorrect calculation) An inappropriate implementation security issue was found in the Site isolation component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21176 (incorrect calculation) An inappropriate implementation security issue was found in the full screen mode component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21177 (access restriction bypass) An insufficient policy enforcement security issue was found in the Autofill component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21178 (incorrect calculation) An inappropriate implementation security issue was found in the Compositing component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21179 (arbitrary code execution) A use after free security issue was found in the Network Internals component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21180 (arbitrary code execution) A use after free security issue was found in the tab search component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21181 (information disclosure) A side-channel information leakage security issue was found in the autofill component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21182 (access restriction bypass) An insufficient policy enforcement security issue was found in the navigations component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21183 (incorrect calculation) An inappropriate implementation security issue was found in the performance APIs component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21184 (incorrect calculation) An inappropriate implementation security issue was found in the performance APIs component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21185 (access restriction bypass) An insufficient policy enforcement security issue was found in the extensions component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21186 (access restriction bypass) An insufficient policy enforcement security issue was found in the QR scanning component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21187 (insufficient validation) An insufficient data validation security issue was found in the URL formatting component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21188 (arbitrary code execution) A use after free security issue was found in the Blink component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21189 (access restriction bypass) An insufficient policy enforcement security issue was found in the payments component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21190 (arbitrary code execution) An uninitialized use security issue was found in the PDFium component of the Chromium browser before version 89.0.4389.72. - CVE-2021-21191 (arbitrary code execution) A use after free security issue was found in the WebRTC component of the Chromium browser before version 89.0.4389.90. - CVE-2021-21192 (arbitrary code execution) A heap buffer overflow security issue was found in the tab groups component of the Chromium browser before version 89.0.4389.90. - CVE-2021-21193 (arbitrary code execution) A use after free security issue was found in the Blink component of the Chromium browser before version 89.0.4389.90. Google is aware of reports that an exploit for this issue exists in the wild. Impact ====== A remote attacker might be able to bypass security measures, trick the user into performing unwanted actions or execute arbitrary code. References ========== https://vivaldi.com/blog/desktop/minor-update-2-for-vivaldi-desktop-3-6/ https://vivaldi.com/blog/vivaldi-fires-up-performance-2/ https://github.com/uclouvain/openjpeg/issues/1299 https://github.com/uclouvain/openjpeg/pull/1301 https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html https://crbug.com/1171049 https://crbug.com/1170531 https://crbug.com/1173702 https://crbug.com/1172054 https://crbug.com/1111239 https://crbug.com/1174582 https://crbug.com/1177465 https://crbug.com/1161144 https://crbug.com/1152226 https://crbug.com/1166138 https://crbug.com/1111646 https://crbug.com/1152894 https://crbug.com/1150810 https://crbug.com/1154250 https://crbug.com/1158010 https://crbug.com/1146651 https://crbug.com/1170584 https://crbug.com/1173879 https://crbug.com/1174186 https://crbug.com/1174943 https://crbug.com/1175507 https://crbug.com/1182767 https://crbug.com/1049265 https://crbug.com/1105875 https://crbug.com/1131929 https://crbug.com/1100748 https://crbug.com/1153445 https://crbug.com/1155516 https://crbug.com/1161739 https://crbug.com/1165392 https://crbug.com/1166091 https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html https://crbug.com/1167357 https://crbug.com/1181387 https://crbug.com/1186287 https://security.archlinux.org/CVE-2020-27844 https://security.archlinux.org/CVE-2021-21159 https://security.archlinux.org/CVE-2021-21160 https://security.archlinux.org/CVE-2021-21161 https://security.archlinux.org/CVE-2021-21162 https://security.archlinux.org/CVE-2021-21163 https://security.archlinux.org/CVE-2021-21165 https://security.archlinux.org/CVE-2021-21166 https://security.archlinux.org/CVE-2021-21167 https://security.archlinux.org/CVE-2021-21168 https://security.archlinux.org/CVE-2021-21169 https://security.archlinux.org/CVE-2021-21170 https://security.archlinux.org/CVE-2021-21171 https://security.archlinux.org/CVE-2021-21172 https://security.archlinux.org/CVE-2021-21173 https://security.archlinux.org/CVE-2021-21174 https://security.archlinux.org/CVE-2021-21175 https://security.archlinux.org/CVE-2021-21176 https://security.archlinux.org/CVE-2021-21177 https://security.archlinux.org/CVE-2021-21178 https://security.archlinux.org/CVE-2021-21179 https://security.archlinux.org/CVE-2021-21180 https://security.archlinux.org/CVE-2021-21181 https://security.archlinux.org/CVE-2021-21182 https://security.archlinux.org/CVE-2021-21183 https://security.archlinux.org/CVE-2021-21184 https://security.archlinux.org/CVE-2021-21185 https://security.archlinux.org/CVE-2021-21186 https://security.archlinux.org/CVE-2021-21187 https://security.archlinux.org/CVE-2021-21188 https://security.archlinux.org/CVE-2021-21189 https://security.archlinux.org/CVE-2021-21190 https://security.archlinux.org/CVE-2021-21191 https://security.archlinux.org/CVE-2021-21192 https://security.archlinux.org/CVE-2021-21193