ArchLinux: 202103-20: dotnet-runtime: arbitrary code execution
Summary
A remote code execution vulnerability exists in .NET 5.0 before Runtime 5.0.4 and SDK 5.0.104, and in .NET Core 3.1 before Runtime 3.1.13 and SDK 3.1.113. It is caused by a buffer overrun in how the System.Text.Encodings.Web package performs text encoding.
Resolution
Upgrade to 5.0.4.sdk104-1.
# pacman -Syu "dotnet-runtime>=5.0.4.sdk104-1"
The problem has been fixed upstream in version 5.0.4.sdk104.
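To confirm after upgrading that no affected runtime remains installed, the following added example (not part of the original advisory) parses the output of `dotnet --list-runtimes` and reports runtimes older than the fixed versions named in the summary. The function name and the sample listing are constructed for illustration.

```python
import re

# Fixed runtime version per affected release line, from the advisory summary.
FIXED = {(5, 0): (5, 0, 4), (3, 1): (3, 1, 13)}

# `dotnet --list-runtimes` prints one "<framework> <version> [<path>]" per line.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[.*\]$")

# Shared framework that makes up the .NET runtime itself.
RUNTIME_FRAMEWORK = "Microsoft.NETCore.App"


def affected_runtimes(listing):
    """Return version strings of installed runtimes older than the fixed release."""
    hits = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != RUNTIME_FRAMEWORK:
            continue
        ver = tuple(int(m.group(i)) for i in (2, 3, 4))
        pre = m.group(5) or ""
        fixed = FIXED.get(ver[:2])
        if fixed is None:
            continue  # release line not named in the advisory
        # A pre-release of the fixed version sorts before the fixed release.
        if ver < fixed or (ver == fixed and pre):
            hits.append(".".join(map(str, ver)) + pre)
    return hits


# Constructed sample output (paths and versions are illustrative).
SAMPLE = """\
Microsoft.AspNetCore.App 5.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for version in affected_runtimes(SAMPLE):
        print("affected runtime:", version)
```

On a real host, pass the captured output of `dotnet --list-runtimes` to `affected_runtimes` instead of the sample; an empty result means no runtime in the affected ranges is installed.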
References
https://bugs.archlinux.org/task/69317
https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701
https://github.com/dotnet/announcements/issues/178
https://security.archlinux.org/CVE-2021-26701
Workaround
None.