Arch Linux 804 Published by

A vivaldi security update has been released for Arch Linux.



ASA-202112-7: vivaldi: multiple issues


Arch Linux Security Advisory ASA-202112-7
========================================
Severity: High
Date : 2021-12-11
CVE-ID : CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055
CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059
CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064
CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068
Package : vivaldi
Type : multiple issues
Remote : Yes
Link :   https://security.archlinux.org/AVG-2601

Summary
======
The package vivaldi before version 5.0.2497.28-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing
and insufficient validation.

Resolution
=========
Upgrade to 5.0.2497.28-1.

# pacman -Syu "vivaldi>=5.0.2497.28-1"

The problems have been fixed upstream in version 5.0.2497.28.

Workaround
=========
None.

Description
==========
- CVE-2021-4052 (arbitrary code execution)

A use after free security issue has been found in the web apps
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4053 (arbitrary code execution)

A use after free security issue has been found in the UI component of
the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4054 (content spoofing)

An incorrect security UI security issue has been found in the autofill
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4055 (arbitrary code execution)

A heap buffer overflow security issue has been found in the extensions
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4056 (arbitrary code execution)

A type confusion security issue has been found in the loader component
of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4057 (arbitrary code execution)

A use after free security issue has been found in the file API
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4058 (arbitrary code execution)

A heap buffer overflow security issue has been found in the ANGLE
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4059 (insufficient validation)

An insufficient data validation security issue has been found in the
loader component of the Chromium browser engine before version
96.0.4664.93.

- CVE-2021-4061 (arbitrary code execution)

A type confusion security issue has been found in the V8 component of
the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4062 (arbitrary code execution)

A heap buffer overflow security issue has been found in the BFCache
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4063 (arbitrary code execution)

A use after free security issue has been found in the developer tools
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4064 (arbitrary code execution)

A use after free security issue has been found in the screen capture
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4065 (arbitrary code execution)

A use after free security issue has been found in the autofill
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4066 (arbitrary code execution)

An integer underflow security issue has been found in the ANGLE
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4067 (arbitrary code execution)

A use after free security issue has been found in the window manager
component of the Chromium browser engine before version 96.0.4664.93.

- CVE-2021-4068 (insufficient validation)

An insufficient validation of untrusted input security issue has been
found in the new tab page component of the Chromium browser engine
before version 96.0.4664.93.

Impact
=====
A remote attacker could execute arbitrary code or spoof content through
crafted web content.

References
=========
  https://vivaldi.com/blog/desktop/further-updates-to-theme-sharing-vivaldi-browser-snapshot-2488-3/
  https://vivaldi.com/blog/desktop/minor-update-5-0/
  https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
  https://crbug.com/1267661
  https://crbug.com/1267791
  https://crbug.com/1239760
  https://crbug.com/1266510
  https://crbug.com/1260939
  https://crbug.com/1262183
  https://crbug.com/1267496
  https://crbug.com/1270990
  https://crbug.com/1271456
  https://crbug.com/1272403
  https://crbug.com/1273176
  https://crbug.com/1273197
  https://crbug.com/1273674
  https://crbug.com/1274499
  https://crbug.com/1274641
  https://crbug.com/1265197
  https://security.archlinux.org/CVE-2021-4052
  https://security.archlinux.org/CVE-2021-4053
  https://security.archlinux.org/CVE-2021-4054
  https://security.archlinux.org/CVE-2021-4055
  https://security.archlinux.org/CVE-2021-4056
  https://security.archlinux.org/CVE-2021-4057
  https://security.archlinux.org/CVE-2021-4058
  https://security.archlinux.org/CVE-2021-4059
  https://security.archlinux.org/CVE-2021-4061
  https://security.archlinux.org/CVE-2021-4062
  https://security.archlinux.org/CVE-2021-4063
  https://security.archlinux.org/CVE-2021-4064
  https://security.archlinux.org/CVE-2021-4065
  https://security.archlinux.org/CVE-2021-4066
  https://security.archlinux.org/CVE-2021-4067
  https://security.archlinux.org/CVE-2021-4068