[ASA-202103-8] opera: arbitrary code execution

Morten Linderud foxboron at archlinux.org
Sat Mar 20 12:14:57 UTC 2021


Arch Linux Security Advisory ASA-202103-8
=========================================

Severity: High
Date    : 2021-03-13
CVE-ID  : CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 CVE-2021-21152
          CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156
          CVE-2021-21157
Package : opera
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1586

Summary
=======

The package opera before version 74.0.3911.203-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 74.0.3911.203-1.

# pacman -Syu "opera>=74.0.3911.203-1"

The problems have been fixed upstream in version 74.0.3911.203.

Workaround
==========

None.

Description
===========

- CVE-2021-21149 (arbitrary code execution)

A stack overflow security issue was found in the Data Transfer
component of the Chromium browser before version 88.0.4324.182.

- CVE-2021-21150 (arbitrary code execution)

A use after free security issue was found in the Downloads component of
the Chromium browser before version 88.0.4324.182.

- CVE-2021-21151 (arbitrary code execution)

A use after free security issue was found in the Payments component of
the Chromium browser before version 88.0.4324.182.

- CVE-2021-21152 (arbitrary code execution)

A heap buffer overflow security issue was found in the Media component
of the Chromium browser before version 88.0.4324.182.

- CVE-2021-21153 (arbitrary code execution)

A stack overflow security issue was found in the GPU Process component
of the Chromium browser before version 88.0.4324.182.

- CVE-2021-21154 (arbitrary code execution)

A heap buffer overflow security issue was found in the Tab Strip
component of the Chromium browser before version 88.0.4324.182.

- CVE-2021-21155 (arbitrary code execution)

A heap buffer overflow security issue was found in the Tab Strip
component of the Chromium browser before version 88.0.4324.182.

- CVE-2021-21156 (arbitrary code execution)

A heap buffer overflow security issue was found in the V8 component of
the Chromium browser before version 88.0.4324.182.

- CVE-2021-21157 (arbitrary code execution)

A use after free security issue was found in the Web Sockets component
of the Chromium browser before version 88.0.4324.182.

Impact
======

A remote attacker might be able to execute arbitrary code on the
affected host.

References
==========

https://blogs.opera.com/desktop/changelog-for-74/
https://blogs.opera.com/desktop/2021/03/opera-74-0-3911-203-stable-update/
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html
https://crbug.com/1138143
https://crbug.com/1172192
https://crbug.com/1165624
https://crbug.com/1166504
https://crbug.com/1155974
https://crbug.com/1173269
https://crbug.com/1177341
https://crbug.com/1170657
https://security.archlinux.org/CVE-2021-21149
https://security.archlinux.org/CVE-2021-21150
https://security.archlinux.org/CVE-2021-21151
https://security.archlinux.org/CVE-2021-21152
https://security.archlinux.org/CVE-2021-21153
https://security.archlinux.org/CVE-2021-21154
https://security.archlinux.org/CVE-2021-21155
https://security.archlinux.org/CVE-2021-21156
https://security.archlinux.org/CVE-2021-21157
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210320/8bf6254c/attachment-0001.sig>


More information about the arch-security mailing list