Alerts This Week
Warning Icon 1 631
Alerts This Week
Warning Icon 1 631

Gentoo: GLSA-202004-04 Normal: Qt WebEngine Arbitrary Code Execution

gentoo
Calendar Grey April 1, 2020
Dist Gentoo Esm H88
An out-of-bounds read vulnerability in Chromium could lead to unauthorized code execution, posing risks for individuals who fail to update their software.
A heap use-after-free flaw in Qt WebEngine at worst might allow an attacker to execute arbitrary code.

Summary

A use-after-free vulnerability has been found in the audio component of Qt WebEngine.

Topics%20covered

Topics Covered

security advisory Gentoo arbitrary code execution normal severity Qt WebEngine

Resolution

All Qt WebEngine users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.14.1"

References

[ 1 ] CVE-2019-13720 https://nvd.nist.gov/vuln/detail/CVE-2019-13720

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202004-04
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Qt WebEngine: Arbitrary code execution
Date: April 01, 2020
Bugs: #699328
ID: 202004-04

Topics%20covered

Topics Covered

security advisory Gentoo arbitrary code execution normal severity Qt WebEngine

Synopsis

A heap use-after-free flaw in Qt WebEngine at worst might allow an attacker to execute arbitrary code.

Background

Library for rendering dynamic web content in Qt5 C++ and QML applications.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-qt/qtwebengine < 5.14.1 >= 5.14.1

Impact

===== A remote attacker could entice a user to open a specially crafted media file in an application linked against Qt WebEngine, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Related News

Your message here