ArchLinux: 202107-1: electron12: arbitrary code execution

Arch Linux Security Advisory ASA-202107-1
=========================================

Severity: High
Date    : 2021-07-01
CVE-ID  : CVE-2021-30547 CVE-2021-30553 CVE-2021-30554
Package : electron12
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2112

Summary
=======

The package electron12 before version 12.0.13-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 12.0.13-1.

# pacman -Syu "electron12>=12.0.13-1"

The problems have been fixed upstream in version 12.0.13.

Workaround
==========

None.

Description
===========

- CVE-2021-30547 (arbitrary code execution)

An out of bounds write security issue has been found in the ANGLE
component of the Chromium browser before version 91.0.4472.101.

- CVE-2021-30553 (arbitrary code execution)

A use after free security issue has been found in the Network service
component of the Chromium browser before version 91.0.4472.101.

- CVE-2021-30554 (arbitrary code execution)

A use after free security issue has been found in the WebGL component
of the Chromium browser engine before version 91.0.4472.114. Google is
aware that an exploit for CVE-2021-30554 exists in the wild.

Impact
======

A remote attacker could execute arbitrary code through a crafted web
page. Google is aware that an exploit for one of the security issues
exists in the wild.

References
==========

https://github.com/electron/electron/releases/tag/v12.0.13
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html
https://crbug.com/1210414
https://crbug.com/1209769
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html
https://crbug.com/1219857
https://security.archlinux.org/CVE-2021-30547
https://security.archlinux.org/CVE-2021-30553
https://security.archlinux.org/CVE-2021-30554

July 3, 2021