Arch Linux Security Advisory ASA-201911-2
=========================================
Severity: Critical
Date : 2019-11-02
CVE-ID : CVE-2019-13720
Package : qt5-webengine
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1059
Summary
=======
The package qt5-webengine before version 5.13.2-2 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 5.13.2-2.
# pacman -Syu "qt5-webengine>=5.13.2-2"
The problem has been fixed upstream but no release is available yet.
Workaround
==========
None.
Description
===========
A use-after-free vulnerability has been found in the audio component of
the chromium browser before 78.0.3904.87. Google is aware of reports
that an exploit for this vulnerability exists in the wild.
Impact
======
A remote attacker can execute arbitrary code on the affected host.
References
==========
https://bugs.archlinux.org/task/64347
https://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=d6e5fc10e417efdf8665d9fba57c269f0534072f
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
https://crbug.com/1019226
https://security.archlinux.org/CVE-2019-13720
A qt5-webengine security update is available for Arch Linux