Arch Linux Security Advisory ASA-202102-4
========================================
Severity: Critical
Date    : 2021-02-06
CVE-ID  : CVE-2020-16044 CVE-2021-21117 CVE-2021-21118 CVE-2021-21119
           CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123
           CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127
           CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131
           CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135
           CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
           CVE-2021-21140 CVE-2021-21141 CVE-2021-21142 CVE-2021-21143
           CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147
           CVE-2021-21148
Package : vivaldi
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1478

Summary
======
The package vivaldi before version 3.6.2165.36-1 is vulnerable to
multiple issues including arbitrary code execution, insufficient
validation, content spoofing and incorrect calculation.

Resolution
=========
Upgrade to 3.6.2165.36-1.

# pacman -Syu "vivaldi>=3.6.2165.36-1"

The problems have been fixed upstream in version 3.6.2165.36.

Workaround
=========
None.

Description
==========
- CVE-2020-16044 (arbitrary code execution)

A security issue was found in Firefox before 84.0.2, Thunderbird before
78.6.1 and Chromium before 88.0.4324.96. A malicious peer could have
modified a COOKIE-ECHO chunk in an SCTP packet in a way that
potentially resulted in a use-after-free. Mozilla presumes that with
enough effort it could have been exploited to run arbitrary code.

- CVE-2021-21117 (insufficient validation)

An insufficient policy enforcement security issue was found in the
Cryptohome component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21118 (insufficient validation)

An insufficient data validation security issue was found in the V8
component of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21119 (arbitrary code execution)

A use after free security issue was found in the Media component of the
Chromium browser before version 88.0.4324.96.

- CVE-2021-21120 (arbitrary code execution)

A use after free security issue was found in the WebSQL component of
the Chromium browser before version 88.0.4324.96.

- CVE-2021-21121 (arbitrary code execution)

A use after free security issue was found in the Omnibox component of
the Chromium browser before version 88.0.4324.96.

- CVE-2021-21122 (arbitrary code execution)

A use after free security issue was found in the Blink component of the
Chromium browser before version 88.0.4324.96.

- CVE-2021-21123 (insufficient validation)

An insufficient data validation security issue was found in the File
System component of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21124 (arbitrary code execution)

A potential use after free security issue was found in the Speech
Recognizer component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21125 (insufficient validation)

An insufficient policy enforcement security issue was found in the File
System API component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21126 (insufficient validation)

An insufficient policy enforcement security issue was found in the
extensions component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21127 (insufficient validation)

An insufficient policy enforcement security issue was found in the
extensions component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21128 (arbitrary code execution)

A heap buffer overflow security issue was found in the Blink component
of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21129 (insufficient validation)

An insufficient policy enforcement security issue was found in the File
System API component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21130 (insufficient validation)

An insufficient policy enforcement security issue was found in the File
System API component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21131 (insufficient validation)

An insufficient policy enforcement security issue was found in the File
System API component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21132 (incorrect calculation)

An inappropriate implementation security issue was found in the
DevTools component of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21133 (insufficient validation)

An insufficient policy enforcement security issue was found in the
Downloads component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21134 (content spoofing)

An incorrect security UI security issue was found in the Page Info
component of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21135 (incorrect calculation)

An inappropriate implementation security issue was found in the
Performance API component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21136 (insufficient validation)

An insufficient policy enforcement security issue was found in the
WebView component of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21137 (incorrect calculation)

An inappropriate implementation security issue was found in the
DevTools component of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21138 (arbitrary code execution)

A use after free security issue was found in the DevTools component of
the Chromium browser before version 88.0.4324.96.

- CVE-2021-21139 (incorrect calculation)

An inappropriate implementation security issue was found in the iframe
sandbox component of the Chromium browser before version 88.0.4324.96.

- CVE-2021-21140 (arbitrary code execution)

An uninitialized use security issue was found in the USB component of
the Chromium browser before version 88.0.4324.96.

- CVE-2021-21141 (insufficient validation)

An insufficient policy enforcement security issue was found in the File
System API component of the Chromium browser before version
88.0.4324.96.

- CVE-2021-21142 (arbitrary code execution)

A use after free security issue was found in the Payments component of
the Chromium browser before version 88.0.4324.146.

- CVE-2021-21143 (arbitrary code execution)

A heap buffer overflow security issue was found in the Extensions
component of the Chromium browser before version 88.0.4324.146.

- CVE-2021-21144 (arbitrary code execution)

A heap buffer overflow security issue was found in the Tab Groups
component of the Chromium browser before version 88.0.4324.146.

- CVE-2021-21145 (arbitrary code execution)

A use after free security issue was found in the Fonts component of the
Chromium browser before version 88.0.4324.146.

- CVE-2021-21146 (arbitrary code execution)

A use after free security issue was found in the Navigation component
of the Chromium browser before version 88.0.4324.146.

- CVE-2021-21147 (incorrect calculation)

An inappropriate implementation security issue was found in the Skia
component of the Chromium browser before version 88.0.4324.146.

- CVE-2021-21148 (arbitrary code execution)

A heap buffer overflow security issue was found in the V8 component of
the Chromium browser before version 88.0.4324.150.

Impact
=====
A remote attacker might be able to bypass security measures, trick the
user into performing unwanted actions or execute arbitrary code.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044
https://bugzilla.mozilla.org/show_bug.cgi?id=1683964
https://hg.mozilla.org/mozilla-central/rev/08ba03dc8d4420e04e7c77fee3013e68180e6ead
https://hg.mozilla.org/mozilla-central/rev/8c09f4813fc7e8f44605b6092262199bff15cdd7
https://hg.mozilla.org/mozilla-central/rev/5991645a87d2abf289686d09d943229c9e3e54b5
https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html
https://bugs.chromium.org/p/chromium/issues/detail
https://security.archlinux.org/CVE-2020-16044
https://security.archlinux.org/CVE-2021-21117
https://security.archlinux.org/CVE-2021-21118
https://security.archlinux.org/CVE-2021-21119
https://security.archlinux.org/CVE-2021-21120
https://security.archlinux.org/CVE-2021-21121
https://security.archlinux.org/CVE-2021-21122
https://security.archlinux.org/CVE-2021-21123
https://security.archlinux.org/CVE-2021-21124
https://security.archlinux.org/CVE-2021-21125
https://security.archlinux.org/CVE-2021-21126
https://security.archlinux.org/CVE-2021-21127
https://security.archlinux.org/CVE-2021-21128
https://security.archlinux.org/CVE-2021-21129
https://security.archlinux.org/CVE-2021-21130
https://security.archlinux.org/CVE-2021-21131
https://security.archlinux.org/CVE-2021-21132
https://security.archlinux.org/CVE-2021-21133
https://security.archlinux.org/CVE-2021-21134
https://security.archlinux.org/CVE-2021-21135
https://security.archlinux.org/CVE-2021-21136
https://security.archlinux.org/CVE-2021-21137
https://security.archlinux.org/CVE-2021-21138
https://security.archlinux.org/CVE-2021-21139
https://security.archlinux.org/CVE-2021-21140
https://security.archlinux.org/CVE-2021-21141
https://security.archlinux.org/CVE-2021-21142
https://security.archlinux.org/CVE-2021-21143
https://security.archlinux.org/CVE-2021-21144
https://security.archlinux.org/CVE-2021-21145
https://security.archlinux.org/CVE-2021-21146
https://security.archlinux.org/CVE-2021-21147
https://security.archlinux.org/CVE-2021-21148

ArchLinux: 202102-4: vivaldi: multiple issues

February 12, 2021

Summary

- CVE-2020-16044 (arbitrary code execution) A security issue was found in Firefox before 84.0.2, Thunderbird before 78.6.1 and Chromium before 88.0.4324.96. A malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. Mozilla presumes that with enough effort it could have been exploited to run arbitrary code.
- CVE-2021-21117 (insufficient validation)
An insufficient policy enforcement security issue was found in the Cryptohome component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21118 (insufficient validation)
An insufficient data validation security issue was found in the V8 component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21119 (arbitrary code execution)
A use after free security issue was found in the Media component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21120 (arbitrary code execution)
A use after free security issue was found in the WebSQL component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21121 (arbitrary code execution)
A use after free security issue was found in the Omnibox component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21122 (arbitrary code execution)
A use after free security issue was found in the Blink component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21123 (insufficient validation)
An insufficient data validation security issue was found in the File System component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21124 (arbitrary code execution)
A potential use after free security issue was found in the Speech Recognizer component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21125 (insufficient validation)
An insufficient policy enforcement security issue was found in the File System API component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21126 (insufficient validation)
An insufficient policy enforcement security issue was found in the extensions component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21127 (insufficient validation)
An insufficient policy enforcement security issue was found in the extensions component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21128 (arbitrary code execution)
A heap buffer overflow security issue was found in the Blink component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21129 (insufficient validation)
An insufficient policy enforcement security issue was found in the File System API component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21130 (insufficient validation)
An insufficient policy enforcement security issue was found in the File System API component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21131 (insufficient validation)
An insufficient policy enforcement security issue was found in the File System API component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21132 (incorrect calculation)
An inappropriate implementation security issue was found in the DevTools component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21133 (insufficient validation)
An insufficient policy enforcement security issue was found in the Downloads component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21134 (content spoofing)
An incorrect security UI security issue was found in the Page Info component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21135 (incorrect calculation)
An inappropriate implementation security issue was found in the Performance API component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21136 (insufficient validation)
An insufficient policy enforcement security issue was found in the WebView component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21137 (incorrect calculation)
An inappropriate implementation security issue was found in the DevTools component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21138 (arbitrary code execution)
A use after free security issue was found in the DevTools component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21139 (incorrect calculation)
An inappropriate implementation security issue was found in the iframe sandbox component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21140 (arbitrary code execution)
An uninitialized use security issue was found in the USB component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21141 (insufficient validation)
An insufficient policy enforcement security issue was found in the File System API component of the Chromium browser before version 88.0.4324.96.
- CVE-2021-21142 (arbitrary code execution)
A use after free security issue was found in the Payments component of the Chromium browser before version 88.0.4324.146.
- CVE-2021-21143 (arbitrary code execution)
A heap buffer overflow security issue was found in the Extensions component of the Chromium browser before version 88.0.4324.146.
- CVE-2021-21144 (arbitrary code execution)
A heap buffer overflow security issue was found in the Tab Groups component of the Chromium browser before version 88.0.4324.146.
- CVE-2021-21145 (arbitrary code execution)
A use after free security issue was found in the Fonts component of the Chromium browser before version 88.0.4324.146.
- CVE-2021-21146 (arbitrary code execution)
A use after free security issue was found in the Navigation component of the Chromium browser before version 88.0.4324.146.
- CVE-2021-21147 (incorrect calculation)
An inappropriate implementation security issue was found in the Skia component of the Chromium browser before version 88.0.4324.146.
- CVE-2021-21148 (arbitrary code execution)
A heap buffer overflow security issue was found in the V8 component of the Chromium browser before version 88.0.4324.150.

Resolution

Upgrade to 3.6.2165.36-1. # pacman -Syu "vivaldi>=3.6.2165.36-1"
The problems have been fixed upstream in version 3.6.2165.36.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044 https://bugzilla.mozilla.org/show_bug.cgi?id=1683964 https://hg.mozilla.org/mozilla-central/rev/08ba03dc8d4420e04e7c77fee3013e68180e6ead https://hg.mozilla.org/mozilla-central/rev/8c09f4813fc7e8f44605b6092262199bff15cdd7 https://hg.mozilla.org/mozilla-central/rev/5991645a87d2abf289686d09d943229c9e3e54b5 https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html https://bugs.chromium.org/p/chromium/issues/detail https://security.archlinux.org/CVE-2020-16044 https://security.archlinux.org/CVE-2021-21117 https://security.archlinux.org/CVE-2021-21118 https://security.archlinux.org/CVE-2021-21119 https://security.archlinux.org/CVE-2021-21120 https://security.archlinux.org/CVE-2021-21121 https://security.archlinux.org/CVE-2021-21122 https://security.archlinux.org/CVE-2021-21123 https://security.archlinux.org/CVE-2021-21124 https://security.archlinux.org/CVE-2021-21125 https://security.archlinux.org/CVE-2021-21126 https://security.archlinux.org/CVE-2021-21127 https://security.archlinux.org/CVE-2021-21128 https://security.archlinux.org/CVE-2021-21129 https://security.archlinux.org/CVE-2021-21130 https://security.archlinux.org/CVE-2021-21131 https://security.archlinux.org/CVE-2021-21132 https://security.archlinux.org/CVE-2021-21133 https://security.archlinux.org/CVE-2021-21134 https://security.archlinux.org/CVE-2021-21135 https://security.archlinux.org/CVE-2021-21136 https://security.archlinux.org/CVE-2021-21137 https://security.archlinux.org/CVE-2021-21138 https://security.archlinux.org/CVE-2021-21139 https://security.archlinux.org/CVE-2021-21140 https://security.archlinux.org/CVE-2021-21141 https://security.archlinux.org/CVE-2021-21142 https://security.archlinux.org/CVE-2021-21143 https://security.archlinux.org/CVE-2021-21144 https://security.archlinux.org/CVE-2021-21145 https://security.archlinux.org/CVE-2021-21146 https://security.archlinux.org/CVE-2021-21147 https://security.archlinux.org/CVE-2021-21148

Severity
CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123
CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127
CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131
CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135
CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
CVE-2021-21140 CVE-2021-21141 CVE-2021-21142 CVE-2021-21143
CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147
CVE-2021-21148
Package : vivaldi
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1478

Workaround

None.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved