Arch Linux Security Advisory ASA-202111-8
========================================
Severity: High
Date    : 2021-11-18
CVE-ID  : CVE-2021-37997 CVE-2021-37998 CVE-2021-37999 CVE-2021-38000
          CVE-2021-38001 CVE-2021-38002 CVE-2021-38003 CVE-2021-38004
Package : opera
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2525

Summary
======
The package opera before version 81.0.4196.54-1 is vulnerable to
multiple issues including arbitrary code execution, insufficient
validation and access restriction bypass.

Resolution
=========
Upgrade to 81.0.4196.54-1.

# pacman -Syu "opera>=81.0.4196.54-1"

The problems have been fixed upstream in version 81.0.4196.54.

Workaround
=========
None.

Description
==========
- CVE-2021-37997 (arbitrary code execution)

A use after free security issue has been found in the Sign-In component
of the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-37998 (arbitrary code execution)

A use after free security issue has been found in the Garbage
Collection component of the Chromium browser engine before version
95.0.4638.69.

- CVE-2021-37999 (insufficient validation)

An insufficient data validation security issue has been found in the
New Tab Page component of the Chromium browser engine before version
95.0.4638.69.

- CVE-2021-38000 (insufficient validation)

An insufficient validation of untrusted input security issue has been
found in the Intents component of the Chromium browser engine before
version 95.0.4638.69. Google is aware that an exploit for
CVE-2021-38000 exists in the wild.

- CVE-2021-38001 (arbitrary code execution)

A type confusion security issue has been found in the V8 component of
the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-38002 (arbitrary code execution)

A use after free security issue has been found in the Web Transport
component of the Chromium browser engine before version 95.0.4638.69.

- CVE-2021-38003 (arbitrary code execution)

An inappropriate implementation security issue has been found in the V8
component of the Chromium browser engine before version 95.0.4638.69.
Google is aware that an exploit for CVE-2021-38003 exists in the wild.

- CVE-2021-38004 (access restriction bypass)

An insufficient policy enforcement security issue has been found in the
Autofill component of the Chromium browser engine before version
95.0.4638.69.

Impact
=====
A remote attacker could execute arbitrary code through crafted web
content. Google is aware that exploits for two of the security issues
exist in the wild.

References
=========
https://blogs.opera.com/desktop/changelog-for-81/
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://security.archlinux.org/CVE-2021-37997
https://security.archlinux.org/CVE-2021-37998
https://security.archlinux.org/CVE-2021-37999
https://security.archlinux.org/CVE-2021-38000
https://security.archlinux.org/CVE-2021-38001
https://security.archlinux.org/CVE-2021-38002
https://security.archlinux.org/CVE-2021-38003
https://security.archlinux.org/CVE-2021-38004

ArchLinux: 202111-8: opera: multiple issues

November 19, 2021

Summary

- CVE-2021-37997 (arbitrary code execution) A use after free security issue has been found in the Sign-In component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-37998 (arbitrary code execution)
A use after free security issue has been found in the Garbage Collection component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-37999 (insufficient validation)
An insufficient data validation security issue has been found in the New Tab Page component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-38000 (insufficient validation)
An insufficient validation of untrusted input security issue has been found in the Intents component of the Chromium browser engine before version 95.0.4638.69. Google is aware that an exploit for CVE-2021-38000 exists in the wild.
- CVE-2021-38001 (arbitrary code execution)
A type confusion security issue has been found in the V8 component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-38002 (arbitrary code execution)
A use after free security issue has been found in the Web Transport component of the Chromium browser engine before version 95.0.4638.69.
- CVE-2021-38003 (arbitrary code execution)
An inappropriate implementation security issue has been found in the V8 component of the Chromium browser engine before version 95.0.4638.69. Google is aware that an exploit for CVE-2021-38003 exists in the wild.
- CVE-2021-38004 (access restriction bypass)
An insufficient policy enforcement security issue has been found in the Autofill component of the Chromium browser engine before version 95.0.4638.69.

Resolution

Upgrade to 81.0.4196.54-1. # pacman -Syu "opera>=81.0.4196.54-1"
The problems have been fixed upstream in version 81.0.4196.54.

References

https://blogs.opera.com/desktop/changelog-for-81/ https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://security.archlinux.org/CVE-2021-37997 https://security.archlinux.org/CVE-2021-37998 https://security.archlinux.org/CVE-2021-37999 https://security.archlinux.org/CVE-2021-38000 https://security.archlinux.org/CVE-2021-38001 https://security.archlinux.org/CVE-2021-38002 https://security.archlinux.org/CVE-2021-38003 https://security.archlinux.org/CVE-2021-38004

Severity
CVE-2021-38001 CVE-2021-38002 CVE-2021-38003 CVE-2021-38004
Package : opera
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2525

Workaround

None.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved