Subject: [ASA-202103-8] opera: arbitrary code execution Arch Linux Security Advisory ASA-202103-8 ========================================= Severity: High Date : 2021-03-13 CVE-ID : CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 CVE-2021-21157 Package : opera Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1586 Summary ======= The package opera before version 74.0.3911.203-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 74.0.3911.203-1. # pacman -Syu "opera>=74.0.3911.203-1" The problems have been fixed upstream in version 74.0.3911.203. Workaround ========== None. Description =========== - CVE-2021-21149 (arbitrary code execution) A stack overflow security issue was found in the Data Transfer component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21150 (arbitrary code execution) A use after free security issue was found in the Downloads component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21151 (arbitrary code execution) A use after free security issue was found in the Payments component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21152 (arbitrary code execution) A heap buffer overflow security issue was found in the Media component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21153 (arbitrary code execution) A stack overflow security issue was found in the GPU Process component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21154 (arbitrary code execution) A heap buffer overflow security issue was found in the Tab Strip component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21155 (arbitrary code execution) A heap buffer overflow security issue was found in the Tab Strip component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21156 (arbitrary code execution) A heap buffer overflow security issue was found in the V8 component of the Chromium browser before version 88.0.4324.182. - CVE-2021-21157 (arbitrary code execution) A use after free security issue was found in the Web Sockets component of the Chromium browser before version 88.0.4324.182. Impact ====== A remote attacker might be able to execute arbitrary code on the affected host. References ========== https://blogs.opera.com/desktop/changelog-for-74/ https://blogs.opera.com/desktop/2021/03/opera-74-0-3911-203-stable-update/ https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html https://crbug.com/1138143 https://crbug.com/1172192 https://crbug.com/1165624 https://crbug.com/1166504 https://crbug.com/1155974 https://crbug.com/1173269 https://crbug.com/1177341 https://crbug.com/1170657 https://security.archlinux.org/CVE-2021-21149 https://security.archlinux.org/CVE-2021-21150 https://security.archlinux.org/CVE-2021-21151 https://security.archlinux.org/CVE-2021-21152 https://security.archlinux.org/CVE-2021-21153 https://security.archlinux.org/CVE-2021-21154 https://security.archlinux.org/CVE-2021-21155 https://security.archlinux.org/CVE-2021-21156 https://security.archlinux.org/CVE-2021-21157