Arch Linux Security Advisory ASA-202112-6
=========================================

Severity: High
Date    : 2021-12-11
CVE-ID  : CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055
          CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059
          CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064
          CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2600

Summary
=======

The package chromium before version 96.0.4664.93-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing and
insufficient validation.

Resolution
==========

Upgrade to 96.0.4664.93-1.

# pacman -Syu "chromium>=96.0.4664.93-1"

The problems have been fixed upstream in version 96.0.4664.93.

Workaround
==========

None.

Description
===========

- CVE-2021-4052 (arbitrary code execution)

A use after free security issue has been found in the web apps component
of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4053 (arbitrary code execution)

A use after free security issue has been found in the UI component of the
Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4054 (content spoofing)

An incorrect security UI security issue has been found in the autofill
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4055 (arbitrary code execution)

A heap buffer overflow security issue has been found in the extensions
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4056 (arbitrary code execution)

A type confusion security issue has been found in the loader component of
the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4057 (arbitrary code execution)

A use after free security issue has been found in the file API component
of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4058 (arbitrary code execution)

A heap buffer overflow security issue has been found in the ANGLE component
of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4059 (insufficient validation)

An insufficient data validation security issue has been found in the loader
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4061 (arbitrary code execution)

A type confusion security issue has been found in the V8 component of the
Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4062 (arbitrary code execution)

A heap buffer overflow security issue has been found in the BFCache
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4063 (arbitrary code execution)

A use after free security issue has been found in the developer tools
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4064 (arbitrary code execution)

A use after free security issue has been found in the screen capture
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4065 (arbitrary code execution)

A use after free security issue has been found in the autofill component
of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4066 (arbitrary code execution)

An integer underflow security issue has been found in the ANGLE component
of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4067 (arbitrary code execution)

A use after free security issue has been found in the window manager
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4068 (insufficient validation)

An insufficient validation of untrusted input security issue has been found
in the new tab page component of the Chromium browser engine before version
96.0.4664.93.

Impact
======

A remote attacker could execute arbitrary code or spoof content through
crafted web content.
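The following is an added example, not part of the Arch advisory: a POSIX sh check that decides whether an installed chromium package is still below the fixed version named in the Resolution (96.0.4664.93-1), so the upgrade step can be verified across hosts. It assumes numeric-only version components (true for chromium; epochs and alpha tags are not handled) and uses a constructed sample version when `pacman` is not available.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed chromium still
# affected by ASA-202112-6, i.e. older than 96.0.4664.93-1? Pure POSIX sh so
# it also runs off an Arch box; on Arch, `vercmp` and `pacman -Q` are authoritative.

FIXED_VERSION="96.0.4664.93-1"

# Compare two Arch-style "pkgver-pkgrel" strings whose components are all
# numeric (epochs and alpha tags are not handled). Prints -1, 0 or 1 like vercmp(8).
vercmp_numeric() {
    case $1 in *-*) a_ver=${1%-*}; a_rel=${1##*-} ;; *) a_ver=$1; a_rel=0 ;; esac
    case $2 in *-*) b_ver=${2%-*}; b_rel=${2##*-} ;; *) b_ver=$2; b_rel=0 ;; esac
    a_rest="$a_ver." b_rest="$b_ver."
    # Walk the dotted pkgver component by component; a missing component counts as 0.
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_c=${a_rest%%.*}; a_rest=${a_rest#"$a_c"}; a_rest=${a_rest#.}
        b_c=${b_rest%%.*}; b_rest=${b_rest#"$b_c"}; b_rest=${b_rest#.}
        [ "${a_c:-0}" -lt "${b_c:-0}" ] && { echo -1; return 0; }
        [ "${a_c:-0}" -gt "${b_c:-0}" ] && { echo 1; return 0; }
    done
    # pkgver equal: the packaging revision (pkgrel) decides.
    [ "$a_rel" -lt "$b_rel" ] && { echo -1; return 0; }
    [ "$a_rel" -gt "$b_rel" ] && { echo 1; return 0; }
    echo 0
}

# True (exit 0) when the given installed version is below FIXED_VERSION.
is_affected() {
    [ "$(vercmp_numeric "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Query the live system when pacman exists; otherwise fall back to a
# constructed sample version so the script stays runnable anywhere.
if command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q chromium 2>/dev/null | awk '{print $2}')
else
    installed="96.0.4664.45-1"   # constructed sample, not a real host's value
fi
if [ -n "$installed" ]; then
    if is_affected "$installed"; then
        echo "chromium $installed is affected by ASA-202112-6; upgrade to $FIXED_VERSION"
    else
        echo "chromium $installed is not affected by ASA-202112-6"
    fi
fi
```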
References
==========

https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
https://crbug.com/1267661
https://crbug.com/1267791
https://crbug.com/1239760
https://crbug.com/1266510
https://crbug.com/1260939
https://crbug.com/1262183
https://crbug.com/1267496
https://crbug.com/1270990
https://crbug.com/1271456
https://crbug.com/1272403
https://crbug.com/1273176
https://crbug.com/1273197
https://crbug.com/1273674
https://crbug.com/1274499
https://crbug.com/1274641
https://crbug.com/1265197
https://security.archlinux.org/CVE-2021-4052
https://security.archlinux.org/CVE-2021-4053
https://security.archlinux.org/CVE-2021-4054
https://security.archlinux.org/CVE-2021-4055
https://security.archlinux.org/CVE-2021-4056
https://security.archlinux.org/CVE-2021-4057
https://security.archlinux.org/CVE-2021-4058
https://security.archlinux.org/CVE-2021-4059
https://security.archlinux.org/CVE-2021-4061
https://security.archlinux.org/CVE-2021-4062
https://security.archlinux.org/CVE-2021-4063
https://security.archlinux.org/CVE-2021-4064
https://security.archlinux.org/CVE-2021-4065
https://security.archlinux.org/CVE-2021-4066
https://security.archlinux.org/CVE-2021-4067
https://security.archlinux.org/CVE-2021-4068