Debian Bug report logs - #985142
chromium: CVE-2021-21193 (RCE) in Blink
Reported by: Antonio Russo <aerusso@aerusso.net>
Date: Sat, 13 Mar 2021 15:42:01 UTC
Severity: grave
Tags: security, upstream
Found in versions chromium/89.0.4389.82-1, chromium/87.0.4280.141-0.1
Report forwarded to debian-bugs-dist@lists.debian.org, aerusso@aerusso.net, team@security.debian.org, Debian Chromium Team <chromium@packages.debian.org>: Bug#985142; Package chromium. (Sat, 13 Mar 2021 15:42:04 GMT)
Acknowledgement sent to Antonio Russo <aerusso@aerusso.net>: New Bug report received and forwarded. Copy sent to aerusso@aerusso.net, team@security.debian.org, Debian Chromium Team <chromium@packages.debian.org>. (Sat, 13 Mar 2021 15:42:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: chromium
Version: 89.0.4389.82-1
Severity: grave
Tags: upstream security
Justification: user security hole
X-Debbugs-Cc: aerusso@aerusso.net, Debian Security Team <team@security.debian.org>

Per [1] (or [2], and allegedly [3] which I cannot access):

> A use after free security issue was found in the Blink component of the
> Chromium browser before version 89.0.4389.90. Google is aware of reports
> that an exploit for this issue exists in the wild.

Does this also affect libqt5webengine5? I know that its upstream derives
in part from the Chromium source tree.

Antonio

[1] https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html
[2] https://security.archlinux.org/CVE-2021-21193
[3] https://crbug.com/1186287
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Team <chromium@packages.debian.org>: Bug#985142; Package chromium. (Sat, 13 Mar 2021 17:09:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Chromium Team <chromium@packages.debian.org>. (Sat, 13 Mar 2021 17:09:03 GMT)
Message #10 received at submit@bugs.debian.org:
On Sat, Mar 13, 2021 at 08:38:31AM -0700, Antonio Russo wrote:
> Package: chromium
> Version: 89.0.4389.82-1
> Severity: grave
> Tags: upstream security
> Justification: user security hole
> X-Debbugs-Cc: aerusso@aerusso.net, Debian Security Team <team@security.debian.org>
>
> Per [1] (or [2], and allegedly [3] which I cannot access):
>
> > A use after free security issue was found in the Blink component of the
> > Chromium browser before version 89.0.4389.90. Google is aware of reports
> > that an exploit for this issue exists in the wild.
>
> Does this also affect libqt5webengine5? I know that its upstream derives
> in part from the Chromium source tree.

qtwebengine is not covered by security support, see https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#browser-security

Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Team <chromium@packages.debian.org>: Bug#985142; Package chromium. (Sat, 13 Mar 2021 17:09:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Chromium Team <chromium@packages.debian.org>. (Sat, 13 Mar 2021 17:09:04 GMT)
Marked as found in versions chromium/87.0.4280.141-0.1. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 14 Mar 2021 17:30:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Mar 14 23:15:09 2021; Machine Name: buxtehude