Arch Linux Security Advisory ASA-202110-7
========================================
Severity: High
Date    : 2021-10-29
CVE-ID  : CVE-2021-37997 CVE-2021-37998 CVE-2021-37999 CVE-2021-38000
          CVE-2021-38001 CVE-2021-38002 CVE-2021-38003
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2504

Summary
======
The package chromium before version 95.0.4638.69-1 is vulnerable to
multiple issues including arbitrary code execution and insufficient
validation.

Resolution
=========
Upgrade to 95.0.4638.69-1.

# pacman -Syu "chromium>=95.0.4638.69-1"

The problems have been fixed upstream in version 95.0.4638.69.

Workaround
=========
None.

Description
==========
- CVE-2021-37997 (arbitrary code execution)

A use after free security issue has been found in the Sign-In component
of the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-37998 (arbitrary code execution)

A use after free security issue has been found in the Garbage
Collection component of the Chromium browser engine before version
95.0.4638.69.

- CVE-2021-37999 (insufficient validation)

An insufficient data validation security issue has been found in the
New Tab Page component of the Chromium browser engine before version
95.0.4638.69.

- CVE-2021-38000 (insufficient validation)

An insufficient validation of untrusted input security issue has been
found in the Intents component of the Chromium browser engine before
version 95.0.4638.69. Google is aware that an exploit for
CVE-2021-38000 exists in the wild.

- CVE-2021-38001 (arbitrary code execution)

A type confusion security issue has been found in the V8 component of
the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-38002 (arbitrary code execution)

A use after free security issue has been found in the Web Transport
component of the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-38003 (arbitrary code execution)

An inappropriate implementation security issue has been found in the V8
component of the Chromium browser engine before version 95.0.4638.69.
Google is aware that an exploit for CVE-2021-38003 exists in the wild.

Impact
=====
A remote attacker could execute arbitrary code through crafted web
content. Google is aware that exploits for two of the security issues
exist in the wild.

References
=========
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
https://security.archlinux.org/CVE-2021-37997
https://security.archlinux.org/CVE-2021-37998
https://security.archlinux.org/CVE-2021-37999
https://security.archlinux.org/CVE-2021-38000
https://security.archlinux.org/CVE-2021-38001
https://security.archlinux.org/CVE-2021-38002
https://security.archlinux.org/CVE-2021-38003

ArchLinux: 202110-7: chromium: multiple issues

November 1, 2021

Summary

- CVE-2021-37997 (arbitrary code execution) A use after free security issue has been found in the Sign-In component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-37998 (arbitrary code execution)
A use after free security issue has been found in the Garbage Collection component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-37999 (insufficient validation)
An insufficient data validation security issue has been found in the New Tab Page component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-38000 (insufficient validation)
An insufficient validation of untrusted input security issue has been found in the Intents component of the Chromium browser engine before version 95.0.4638.69. Google is aware that an exploit for CVE-2021-38000 exists in the wild.
- CVE-2021-38001 (arbitrary code execution)
A type confusion security issue has been found in the V8 component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-38002 (arbitrary code execution)
A use after free security issue has been found in the Web Transport component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-38003 (arbitrary code execution)
An inappropriate implementation security issue has been found in the V8 component of the Chromium browser engine before version 95.0.4638.69. Google is aware that an exploit for CVE-2021-38003 exists in the wild.

Resolution

Upgrade to 95.0.4638.69-1. # pacman -Syu "chromium>=95.0.4638.69-1"
The problems have been fixed upstream in version 95.0.4638.69.

References

https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html https://security.archlinux.org/CVE-2021-37997 https://security.archlinux.org/CVE-2021-37998 https://security.archlinux.org/CVE-2021-37999 https://security.archlinux.org/CVE-2021-38000 https://security.archlinux.org/CVE-2021-38001 https://security.archlinux.org/CVE-2021-38002 https://security.archlinux.org/CVE-2021-38003

Severity
CVE-2021-38001 CVE-2021-38002 CVE-2021-38003
Package : chromium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2504

Workaround

None.

Related News

Parrot OS 6.3: Elevating Security with Enhanced Features & Tools
3 - 5 min read
Parrot OS 6.3 has just arrived , bringing crucial updates that security admins should note. This latest version of the popular secure Linux
Linux Kernel 6.14 Released: Top Security Features You Need to Know
3 - 6 min read
With the release of Linux kernel 6.14 , admins and Linux users have many new features and enhancements to look forward to - especially in the realm
Don
2 - 4 min read
Google recently issued a crucial Chrome update that those using a version of the browser prior to version 132.0.6834.110 should implement
Intel Brings Next-Level Security to Linux with Partner Security Engine
3 - 6 min read
Intel recently introduced a game-changer in hardware security with its new Partner Security Engine integrated into the Core Ultra Series 2. This
A Tiny Linux Kernel Tweak with Massive Implications for Datacenter Efficiency
3 - 6 min read
In a groundbreaking development, security researchers have introduced a small but mighty tweak to the Linux kernel that promises to cut data center
Best Practices for Securing Linux Systems Against Malicious Bots
3 - 6 min read
Linux systems have long been an indispensable asset to businesses and individuals alike. From running servers and cloud infrastructure to powering
Securing Open-Source Projects with Automated Testing on Linux
4 - 7 min read
Open-source project security testing focuses on many components, ensuring there are no safety vulnerabilities. These components include physical
KaOS Linux 2025.01: Merging Security with Practicality
3 - 6 min read
As the realm of Linux distribution expands, security admins find themselves faced with choosing a system that fits operational needs and upholds

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved