Arch Linux Security Advisory ASA-202001-5
=========================================

Severity: Critical
Date    : 2020-01-17
CVE-ID  : CVE-2020-6378 CVE-2020-6379 CVE-2020-6380
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1088

Summary
=======

The package chromium before version 79.0.3945.130-1 is vulnerable to multiple issues including arbitrary code execution and insufficient validation.

Resolution
==========

Upgrade to 79.0.3945.130-1.

# pacman -Syu "chromium>=79.0.3945.130-1"

The problems have been fixed upstream in version 79.0.3945.130.

Workaround
==========

None.

Description
===========

- CVE-2020-6378 (arbitrary code execution)

A use-after-free vulnerability has been found in the speech recognizer component of the chromium browser before 79.0.3945.130.

- CVE-2020-6379 (arbitrary code execution)

A use-after-free vulnerability has been found in the speech recognizer component of the chromium browser before 79.0.3945.130.

- CVE-2020-6380 (insufficient validation)

An extension message verification error has been found in the chromium browser before 79.0.3945.130.

Impact
======

A remote attacker can bypass security measures or execute arbitrary code on the affected host.

References
==========

https://chromereleases.googleblog.com/2020/01/stable-channel-update-for-desk...
https://crbug.com/1018677
https://crbug.com/1033407
https://crbug.com/1032170
https://security.archlinux.org/CVE-2020-6378
https://security.archlinux.org/CVE-2020-6379
https://security.archlinux.org/CVE-2020-6380