Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Arch Linux 202111-8 High Severity: Opera Multiple Issues Threat

Archlinux Large Esm H446
The package opera before version 81.0.4196.54-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation and access restriction bypass.
Arch Linux Security Advisory ASA-202111-8
========================================
Severity: High
Date    : 2021-11-18
CVE-ID  : CVE-2021-37997 CVE-2021-37998 CVE-2021-37999 CVE-2021-38000
          CVE-2021-38001 CVE-2021-38002 CVE-2021-38003 CVE-2021-38004
Package : opera
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2525

Summary
======
The package opera before version 81.0.4196.54-1 is vulnerable to
multiple issues including arbitrary code execution, insufficient
validation and access restriction bypass.

Resolution
=========
Upgrade to 81.0.4196.54-1.

# pacman -Syu "opera>=81.0.4196.54-1"

The problems have been fixed upstream in version 81.0.4196.54.

Workaround
=========
None.

Description
==========
- CVE-2021-37997 (arbitrary code execution)

A use after free security issue has been found in the Sign-In component
of the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-37998 (arbitrary code execution)

A use after free security issue has been found in the Garbage
Collection component of the Chromium browser engine before version
95.0.4638.69.

- CVE-2021-37999 (insufficient validation)

An insufficient data validation security issue has been found in the
New Tab Page component of the Chromium browser engine before version
95.0.4638.69.

- CVE-2021-38000 (insufficient validation)

An insufficient validation of untrusted input security issue has been
found in the Intents component of the Chromium browser engine before
version 95.0.4638.69. Google is aware that an exploit for
CVE-2021-38000 exists in the wild.

- CVE-2021-38001 (arbitrary code execution)

A type confusion security issue has been found in the V8 component of
the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-38002 (arbitrary code execution)

A use after free security issue has been found in the Web Transport
component of the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-38003 (arbitrary code execution)

An inappropriate implementation security issue has been found in the V8
component of the Chromium browser engine before version 95.0.4638.69.
Google is aware that an exploit for CVE-2021-38003 exists in the wild.

- CVE-2021-38004 (access restriction bypass)

An insufficient policy enforcement security issue has been found in the
Autofill component of the Chromium browser engine before version
95.0.4638.69.

Impact
=====
A remote attacker could execute arbitrary code through crafted web
content. Google is aware that exploits for two of the security issues
exist in the wild.

References
=========
https://blogs.opera.com/desktop/changelog-for-81/
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
https://security.archlinux.org/CVE-2021-37997
https://security.archlinux.org/CVE-2021-37998
https://security.archlinux.org/CVE-2021-37999
https://security.archlinux.org/CVE-2021-38000
https://security.archlinux.org/CVE-2021-38001
https://security.archlinux.org/CVE-2021-38002
https://security.archlinux.org/CVE-2021-38003
https://security.archlinux.org/CVE-2021-38004
Your message here