Subject: [ASA-202106-2] chromium: multiple issues Arch Linux Security Advisory ASA-202106-2 ========================================= Severity: High Date : 2021-06-01 CVE-ID : CVE-2021-30522 CVE-2021-30523 CVE-2021-30524 CVE-2021-30525 CVE-2021-30526 CVE-2021-30527 CVE-2021-30529 CVE-2021-30530 CVE-2021-30531 CVE-2021-30532 CVE-2021-30533 CVE-2021-30534 CVE-2021-30535 CVE-2021-30536 CVE-2021-30537 CVE-2021-30538 CVE-2021-30539 CVE-2021-30542 CVE-2021-30543 Package : chromium Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1990 Summary ======= The package chromium before version 91.0.4472.77-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and insufficient validation. Resolution ========== Upgrade to 91.0.4472.77-1. # pacman -Syu "chromium>=91.0.4472.77-1" The problems have been fixed upstream in version 91.0.4472.77. Workaround ========== None. Description =========== - CVE-2021-30522 (arbitrary code execution) A use after free security issue has been found in the WebAudio component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30523 (arbitrary code execution) A use after free security issue has been found in the WebRTC component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30524 (arbitrary code execution) A use after free security issue has been found in the TabStrip component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30525 (arbitrary code execution) A use after free security issue has been found in the TabGroups component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30526 (arbitrary code execution) An out of bounds write security issue has been found in the TabStrip component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30527 (arbitrary code execution) A use after free security issue has been found in the WebUI component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30529 (arbitrary code execution) A use after free security issue has been found in the Bookmarks component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30530 (information disclosure) An out of bounds memory access security issue has been found in the WebAudio component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30531 (insufficient validation) An insufficient policy enforcement security issue has been found in the Content Security Policy component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30532 (insufficient validation) An insufficient policy enforcement security issue has been found in the Content Security Policy component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30533 (insufficient validation) An insufficient policy enforcement security issue has been found in the PopupBlocker component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30534 (insufficient validation) An insufficient policy enforcement security issue has been found in the iFrameSandbox component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30535 (arbitrary code execution) A double free security issue has been found in the ICU component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30536 (information disclosure) An out of bounds read security issue has been found in the V8 component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30537 (insufficient validation) An insufficient policy enforcement security issue has been found in the cookies component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30538 (insufficient validation) An insufficient policy enforcement security issue has been found in the content security policy component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30539 (insufficient validation) An insufficient policy enforcement security issue has been found in the content security policy component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30542 (arbitrary code execution) A use after free security issue has been found in the Tab Strip component of the Chromium browser before version 91.0.4472.77. - CVE-2021-30543 (arbitrary code execution) A use after free security issue has been found in the Tab Strip component of the Chromium browser before version 91.0.4472.77. Impact ====== A remote attacker could spoof content, disclose sensitive information, or execute arbitrary code through crafted web pages. References ========== https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html https://crbug.com/1176218 https://crbug.com/1187797 https://crbug.com/1197146 https://crbug.com/1197888 https://crbug.com/1198717 https://crbug.com/1199198 https://crbug.com/1195278 https://crbug.com/1201033 https://crbug.com/1115628 https://crbug.com/1117687 https://crbug.com/1145553 https://crbug.com/1151507 https://crbug.com/1194899 https://crbug.com/1194358 https://crbug.com/830101 https://crbug.com/1115045 https://crbug.com/971231 https://crbug.com/1184954 https://crbug.com/1203607 https://security.archlinux.org/CVE-2021-30522 https://security.archlinux.org/CVE-2021-30523 https://security.archlinux.org/CVE-2021-30524 https://security.archlinux.org/CVE-2021-30525 https://security.archlinux.org/CVE-2021-30526 https://security.archlinux.org/CVE-2021-30527 https://security.archlinux.org/CVE-2021-30529 https://security.archlinux.org/CVE-2021-30530 https://security.archlinux.org/CVE-2021-30531 https://security.archlinux.org/CVE-2021-30532 https://security.archlinux.org/CVE-2021-30533 https://security.archlinux.org/CVE-2021-30534 https://security.archlinux.org/CVE-2021-30535 https://security.archlinux.org/CVE-2021-30536 https://security.archlinux.org/CVE-2021-30537 https://security.archlinux.org/CVE-2021-30538 https://security.archlinux.org/CVE-2021-30539 https://security.archlinux.org/CVE-2021-30542 https://security.archlinux.org/CVE-2021-30543