[ASA-201911-7] electron: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Mon Nov 4 19:36:06 UTC 2019


Arch Linux Security Advisory ASA-201911-7
=========================================

Severity: Critical
Date    : 2019-11-04
CVE-ID  : CVE-2019-13720
Package : electron
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1061

Summary
=======

The package electron before version 7.0.1-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 7.0.1-1.

# pacman -Syu "electron>=7.0.1-1"

The problem has been fixed upstream in version 7.0.1.

Workaround
==========

None.

Description
===========

A use-after-free vulnerability has been found in the audio component of
the Chromium browser before 78.0.3904.87. Google is aware of reports
that an exploit for this vulnerability exists in the wild.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://github.com/electron/electron/commit/25b3ee29cf9a8e3f59dcbabf7345b5b1360cd056
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
https://crbug.com/1019226
https://security.archlinux.org/CVE-2019-13720
