Arch Linux 802 Published by

A critical qt5-webengine security update has been released for Arch Linux to fix an arbitrary code execution





Arch Linux Security Advisory ASA-201911-2
========================================

Severity: Critical
Date : 2019-11-02
CVE-ID : CVE-2019-13720
Package : qt5-webengine
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1059

Summary
======

The package qt5-webengine before version 5.13.2-2 is vulnerable to arbitrary code execution.

Resolution
=========

Upgrade to 5.13.2-2.

# pacman -Syu "qt5-webengine>=5.13.2-2"

The problem has been fixed upstream but no release is available yet.

Workaround
=========

None.

Description
==========

A use-after-free vulnerability has been found in the audio component of the chromium browser before 78.0.3904.87. Google is aware of reports that an exploit for this vulnerability exists in the wild.

Impact
=====
A remote attacker can execute arbitrary code on the affected host.

References
=========

https://bugs.archlinux.org/task/64347
https://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id?e5fc10e417efdf8665d9fba57c269f0534072f
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
https://crbug.com/1019226
https://security.archlinux.org/CVE-2019-13720