Ubuntu
chromium-browser package

13.0.782.215 -> 14.0.835.202

Bug #858744 reported by Dmitry Shachnev
266
This bug affects 3 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Fix Released
High
Micah Gersten
Ubuntu ubuntu-11.10
Lucid
Fix Released
High
Micah Gersten
Maverick
Fix Released
High
Micah Gersten
Natty
Fix Released
High
Micah Gersten
Oneiric
Fix Released
High
Micah Gersten
Ubuntu ubuntu-11.10

Bug Description

New major release, fixing many security issues.
http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html

Dmitry Shachnev (mitya57)
visibility: private → public
Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu):
milestone: none → ubuntu-11.10
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → High
status: New → Triaged
Changed in chromium-browser (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu Natty):
importance: Undecided → High
Changed in chromium-browser (Ubuntu Maverick):
importance: Undecided → High
Changed in chromium-browser (Ubuntu Lucid):
importance: Undecided → High
status: New → In Progress
Changed in chromium-browser (Ubuntu Maverick):
status: New → In Progress
Changed in chromium-browser (Ubuntu Natty):
status: New → In Progress
Changed in chromium-browser (Ubuntu Oneiric):
status: Triaged → In Progress
Kate Stewart (kate.stewart)
tags: added: rls-mgr-o-tracking
Revision history for this message
MarianoAbsatz (el-baby) wrote :

Not yet released and old already...
http://googlechromereleases.blogspot.com/2011/10/stable-channel-update.html

CVE-2011-2876: Use-after-free in text line box handling. Credit to miaubiz.
CVE-2011-2877: Stale font in SVG text handling. Credit to miaubiz.
CVE-2011-2878: Inappropriate cross-origin access to the window prototype. Credit to Sergey Glazunov.
CVE-2011-2879: Lifetime and threading issues in audio node handling. Credit to Google Chrome Security Team (Inferno).
CVE-2011-2880: Use-after-free in the v8 bindings. Credit to Sergey Glazunov.
CVE-2011-2881: Memory corruption with v8 hidden objects. Credit to Sergey Glazunov.
CVE-2011-3873: Memory corruption in shader translator. Credit to Zhenyao Mo of the Chromium development community.

Micah Gersten (micahg)
summary: - 13.0.782.215 -> 14.0.835.186
+ 13.0.782.215 -> 14.0.835.202
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (5.5 KiB)

This bug was fixed in the package chromium-browser - 14.0.835.202~r103287-0ubuntu1

---------------
chromium-browser (14.0.835.202~r103287-0ubuntu1) oneiric; urgency=low

  * New upstream release from the Stable Channel (LP: #858744)
    This release fixes the following security issues:
    + Chromium issues (13.0.782.220):
      - Trust in Diginotar Intermediate CAs revoked
    + Chromium issues (14.0.835.163):
      - [49377] High CVE-2011-2835: Race condition in the certificate cache.
        Credit to Ryan Sleevi.
      - [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
        wbrana.
      - [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
        loading plug-ins. Credit to Michal Zalewski.
      - [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
        Mario Gomes.
      - [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
        Credit to Kostya Serebryany.
      - [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
        to Mario Gomes.
      - [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
        to Jordi Chancel.
      - [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
        Credit to Arthur Gerkis.
      - [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
        Credit to miaubiz.
      - [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
        Credit to Google Chrome Security Team (Inferno).
      - [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
        to Google Chrome Security Team (SkyLined).
      - [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
        non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
      - [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
        Helin of OUSPG.
      - [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
        characters. Credit to Google Chrome Security Team (Inferno).
      - [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
        Credit to Google Chrome Security Team (Inferno).
      - [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
        session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
    + Chromium issues (14.0.835.202):
      - [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
        window prototype. Credit to Sergey Glazunov.
      - [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
        handling. Credit to Google Chrome Security Team (Inferno).
      - [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
        Credit to Zhenyao Mo.
    + Webkit issues (14.0.835.163):
      - [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
        user interaction. Credit to kuzzcc.
      - [89219] High CVE-2011-2846: Use-after-free in unload event handling.
        Credit to Arthur Gerkis.
      - [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
        miaubiz.
      - [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit
        to ...

Read more...

Changed in chromium-browser (Ubuntu Oneiric):
status: In Progress → Fix Released
Revision history for this message
Anonymous (sjklfjalkfsakl) wrote :

Bug #837557 specifically deals with a security problem in Chromium which is solved by applying this update. I suppose that the other bug should be marked as solved as far as Chromium is concerned whenever this update has been made.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

14.0.835.202~r103287-0ubuntu0.10.10.1 copied to maverick-proposed.

Changed in chromium-browser (Ubuntu Maverick):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

14.0.835.202~r103287-0ubuntu0.10.04.2 copied to lucid-proposed.

Changed in chromium-browser (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

14.0.835.202~r103287-0ubuntu0.11.04.1 copied to natty-proposed.

Changed in chromium-browser (Ubuntu Natty):
status: In Progress → Fix Committed
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

This package failes to build on armel, which is a regression (build https://launchpad.net/ubuntu/+source/chromium-browser/13.0.782.215~r97094-0ubuntu2 was successful).

However, this doesn't affect versions prior to oneiric, because packages copied from a PPA don't have armel & powerpc builds at all.

tags: added: verification-needed
Revision history for this message
Micah Gersten (micahg) wrote :

@Dmitry Shachnev
Normally, our security PPA builds do have the other architectures (well, armel in the case of chromium as powerpc isn't supported). I have disabled them for the moment so that we can hopefully get these builds out quickly. I hope to reenable them on the next update.

tags: added: security-verification
Revision history for this message
Micah Gersten (micahg) wrote :

Tested lucid with QRT on amd64 and i386, no regressions over previous functionality. in fact, bug 795787 is now fixed with this update.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (10.7 KiB)

This bug was fixed in the package chromium-browser - 14.0.835.202~r103287-0ubuntu0.10.04.2

---------------
chromium-browser (14.0.835.202~r103287-0ubuntu0.10.04.2) lucid-security; urgency=low

  * New upstream release from the Stable Channel (LP: #858744)
    This release fixes the following security issues:
    + Chromium issues (13.0.782.220):
      - Trust in Diginotar Intermediate CAs revoked
    + Chromium issues (14.0.835.163):
      - [49377] High CVE-2011-2835: Race condition in the certificate cache.
        Credit to Ryan Sleevi.
      - [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
        wbrana.
      - [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
        loading plug-ins. Credit to Michal Zalewski.
      - [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
        Mario Gomes.
      - [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
        Credit to Kostya Serebryany.
      - [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
        to Mario Gomes.
      - [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
        to Jordi Chancel.
      - [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
        Credit to Arthur Gerkis.
      - [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
        Credit to miaubiz.
      - [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
        Credit to Google Chrome Security Team (Inferno).
      - [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
        to Google Chrome Security Team (SkyLined).
      - [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
        non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
      - [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
        Helin of OUSPG.
      - [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
        characters. Credit to Google Chrome Security Team (Inferno).
      - [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
        Credit to Google Chrome Security Team (Inferno).
      - [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
        session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
    + Chromium issues (14.0.835.202):
      - [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
        window prototype. Credit to Sergey Glazunov.
      - [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
        handling. Credit to Google Chrome Security Team (Inferno).
      - [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
        Credit to Zhenyao Mo.
    + Webkit issues (14.0.835.163):
      - [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
        user interaction. Credit to kuzzcc.
      - [89219] High CVE-2011-2846: Use-after-free in unload event handling.
        Credit to Arthur Gerkis.
      - [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
        miaubiz.
      - [89991] Medium CVE-2011-3234: Out-of-bounds read in box handl...

Changed in chromium-browser (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Micah Gersten (micahg) wrote :

Tested maverick with QRT on amd64 and i386, no regressions over previous functionality. in fact, bug 795787 and bug 837825 are now fixed with this update.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (10.7 KiB)

This bug was fixed in the package chromium-browser - 14.0.835.202~r103287-0ubuntu0.10.10.1

---------------
chromium-browser (14.0.835.202~r103287-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #858744)
    This release fixes the following security issues:
    + Chromium issues (13.0.782.220):
      - Trust in Diginotar Intermediate CAs revoked
    + Chromium issues (14.0.835.163):
      - [49377] High CVE-2011-2835: Race condition in the certificate cache.
        Credit to Ryan Sleevi.
      - [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
        wbrana.
      - [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
        loading plug-ins. Credit to Michal Zalewski.
      - [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
        Mario Gomes.
      - [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
        Credit to Kostya Serebryany.
      - [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
        to Mario Gomes.
      - [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
        to Jordi Chancel.
      - [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
        Credit to Arthur Gerkis.
      - [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
        Credit to miaubiz.
      - [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
        Credit to Google Chrome Security Team (Inferno).
      - [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
        to Google Chrome Security Team (SkyLined).
      - [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
        non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
      - [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
        Helin of OUSPG.
      - [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
        characters. Credit to Google Chrome Security Team (Inferno).
      - [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
        Credit to Google Chrome Security Team (Inferno).
      - [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
        session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
    + Chromium issues (14.0.835.202):
      - [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
        window prototype. Credit to Sergey Glazunov.
      - [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
        handling. Credit to Google Chrome Security Team (Inferno).
      - [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
        Credit to Zhenyao Mo.
    + Webkit issues (14.0.835.163):
      - [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
        user interaction. Credit to kuzzcc.
      - [89219] High CVE-2011-2846: Use-after-free in unload event handling.
        Credit to Arthur Gerkis.
      - [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
        miaubiz.
      - [89991] Medium CVE-2011-3234: Out-of-bounds read in box ha...

Changed in chromium-browser (Ubuntu Maverick):
status: Fix Committed → Fix Released
Revision history for this message
Micah Gersten (micahg) wrote :

Tested natty with QRT on amd64 and i386, no regressions over previous functionality. in fact, bug 795787 and bug 837825 are now fixed with this update.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (10.7 KiB)

This bug was fixed in the package chromium-browser - 14.0.835.202~r103287-0ubuntu0.11.04.1

---------------
chromium-browser (14.0.835.202~r103287-0ubuntu0.11.04.1) natty-security; urgency=low

  * New upstream release from the Stable Channel (LP: #858744)
    This release fixes the following security issues:
    + Chromium issues (13.0.782.220):
      - Trust in Diginotar Intermediate CAs revoked
    + Chromium issues (14.0.835.163):
      - [49377] High CVE-2011-2835: Race condition in the certificate cache.
        Credit to Ryan Sleevi.
      - [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
        wbrana.
      - [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
        loading plug-ins. Credit to Michal Zalewski.
      - [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
        Mario Gomes.
      - [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
        Credit to Kostya Serebryany.
      - [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
        to Mario Gomes.
      - [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
        to Jordi Chancel.
      - [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
        Credit to Arthur Gerkis.
      - [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
        Credit to miaubiz.
      - [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
        Credit to Google Chrome Security Team (Inferno).
      - [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
        to Google Chrome Security Team (SkyLined).
      - [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
        non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
      - [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
        Helin of OUSPG.
      - [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
        characters. Credit to Google Chrome Security Team (Inferno).
      - [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
        Credit to Google Chrome Security Team (Inferno).
      - [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
        session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
    + Chromium issues (14.0.835.202):
      - [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
        window prototype. Credit to Sergey Glazunov.
      - [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
        handling. Credit to Google Chrome Security Team (Inferno).
      - [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
        Credit to Zhenyao Mo.
    + Webkit issues (14.0.835.163):
      - [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
        user interaction. Credit to kuzzcc.
      - [89219] High CVE-2011-2846: Use-after-free in unload event handling.
        Credit to Arthur Gerkis.
      - [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
        miaubiz.
      - [89991] Medium CVE-2011-3234: Out-of-bounds read in box handl...

Changed in chromium-browser (Ubuntu Natty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.