A qt5-webengine security update is available for Arch Linux

Arch Linux Security Advisory ASA-201911-2
=========================================


Severity: Critical
Date    : 2019-11-02
CVE-ID  : CVE-2019-13720
Package : qt5-webengine
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1059


Summary
=======

The package qt5-webengine before version 5.13.2-2 is vulnerable to
arbitrary code execution.


Resolution
==========

Upgrade to 5.13.2-2.

# pacman -Syu "qt5-webengine>=5.13.2-2"

The problem has been fixed upstream but no release is available yet.


Workaround
==========

None.


Description
===========

A use-after-free vulnerability has been found in the audio component of
the chromium browser before 78.0.3904.87. Google is aware of reports
that an exploit for this vulnerability exists in the wild.


Impact
======

A remote attacker can execute arbitrary code on the affected host.


References
==========

https://bugs.archlinux.org/task/64347
https://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=d6e5fc10e417efdf8665d9fba57c269f0534072f
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
https://crbug.com/1019226
https://security.archlinux.org/CVE-2019-13720