Qt WebEngine: Arbitrary code execution — GLSA 202004-04

A heap use-after-free flaw in Qt WebEngine might, at worst, allow an attacker to execute arbitrary code.

Affected packages

Package: dev-qt/qtwebengine (all architectures)
Affected versions: < 5.14.1
Unaffected versions: >= 5.14.1

Background

Library for rendering dynamic web content in Qt5 C++ and QML applications.

Description

A use-after-free vulnerability has been found in the audio component of Qt WebEngine.

Impact

A remote attacker could entice a user to open a specially crafted media file in an application linked against Qt WebEngine, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Qt WebEngine users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.14.1"
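
A check an administrator might run before and after the upgrade, as an added example that is not part of the advisory: it classifies an installed dev-qt/qtwebengine atom (the form printed by `qlist -Iv`) against the advisory's fixed version 5.14.1. The function names are invented for this illustration, the sample atoms are constructed, and the version comparison is a simplified form of Portage ordering (-rN and _rc/_p suffixes are dropped), which is sufficient for this range check but not a general replacement for `glsa-check`.

```shell
# Added example, not part of GLSA 202004-04. Decides whether an installed
# dev-qt/qtwebengine atom falls in the affected range (< 5.14.1).
# Simplification: -rN, _rcN and similar suffixes are ignored; this is not
# the full Portage version ordering, only enough for this range check.

GLSA_FIXED_VERSION="5.14.1"   # from the advisory: unaffected >= 5.14.1

# atom_version ATOM: strip "category/pkgname-" and keep the version part.
# The greedy match stops at the last "-" that is followed by a digit, so
# "dev-qt/qtwebengine-5.14.1-r1" yields "5.14.1-r1".
atom_version() {
    printf '%s\n' "$1" | sed 's/^.*-\([0-9]\)/\1/'
}

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-_].*$/, "", a); sub(/[-_].*$/, "", b)   # drop -rN, _rcN
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing component counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# glsa_202004_04_status ATOM: prints "affected" or "unaffected".
# (Function name invented for this example.)
glsa_202004_04_status() {
    v=$(atom_version "$1")
    if [ "$(vercmp "$v" "$GLSA_FIXED_VERSION")" -lt 0 ]; then
        echo affected
    else
        echo unaffected
    fi
}

# Constructed sample atoms standing in for `qlist -Iv dev-qt/qtwebengine`.
for atom in dev-qt/qtwebengine-5.12.3 dev-qt/qtwebengine-5.14.1-r1 \
            dev-qt/qtwebengine-5.14.0_rc1 dev-qt/qtwebengine-5.15.0; do
    printf '%-35s %s\n' "$atom" "$(glsa_202004_04_status "$atom")"
done
```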

References

Release date
April 01, 2020

Latest revision
April 01, 2020 (revision 1)

Severity
normal

Exploitable
local, remote

Bugzilla entries