Arch Linux 802 Published by

Updated electron packages has been released for Arch Linux to address an arbitrary code execution




Arch Linux Security Advisory ASA-201911-7

=========================================


Severity: Critical

Date    : 2019-11-04

CVE-ID  : CVE-2019-13720

Package : electron

Type    : arbitrary code execution

Remote  : Yes

Link    : https://security.archlinux.org/AVG-1061


Summary

=======


The package electron before version 7.0.1-1 is vulnerable to arbitrary

code execution.


Resolution

==========


Upgrade to 7.0.1-1.


# pacman -Syu "electron>=7.0.1-1"


The problem has been fixed upstream in version 7.0.1.


Workaround

==========


None.


Description

===========


A use-after-free vulnerability has been found in the audio component of

the chromium browser before 78.0.3904.87. Google is aware of reports

that an exploit for this vulnerability exists in the wild.


Impact

======


A remote attacker can execute arbitrary code on the affected host.


References

==========


https://github.com/electron/electron/commit/25b3ee29cf9a8e3f59dcbabf7345b5b1360cd056

https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html

https://crbug.com/1019226

https://security.archlinux.org/CVE-2019-13720