* New upstream release from the Stable Channel (LP: #858744)
This release fixes the following security issues:
+ Chromium issues (13.0.782.220):
- Trust in Diginotar Intermediate CAs revoked
+ Chromium issues (14.0.835.163):
- [49377] High CVE-2011-2835: Race condition in the certificate cache.
Credit to Ryan Sleevi.
- [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
wbrana.
- [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
loading plug-ins. Credit to Michal Zalewski.
- [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
Mario Gomes.
- [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
Credit to Kostya Serebryany.
- [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
to Mario Gomes.
- [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
to Jordi Chancel.
- [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
Credit to Arthur Gerkis.
- [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
Credit to miaubiz.
- [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
Credit to Google Chrome Security Team (Inferno).
- [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
to Google Chrome Security Team (SkyLined).
- [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
- [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
Helin of OUSPG.
- [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
characters. Credit to Google Chrome Security Team (Inferno).
- [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
Credit to Google Chrome Security Team (Inferno).
- [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
+ Chromium issues (14.0.835.202):
- [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
window prototype. Credit to Sergey Glazunov.
- [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
handling. Credit to Google Chrome Security Team (Inferno).
- [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
Credit to Zhenyao Mo.
+ Webkit issues (14.0.835.163):
- [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
user interaction. Credit to kuzzcc.
- [89219] High CVE-2011-2846: Use-after-free in unload event handling.
Credit to Arthur Gerkis.
- [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
miaubiz.
- [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit
to miaubiz.
- [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style
handing. Credit to Sławomir Błażek, and independent later discoveries by
miaubiz and Google Chrome Security Team (Inferno).
- [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to
Arthur Gerkis.
- [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit
to miaubiz.
- [93587] High CVE-2011-2860: Use-after-free in table style handling.
Credit to miaubiz.
+ Webkit issues (14.0.835.202):
- [93788] High CVE-2011-2876: Use-after-free in text line box handling.
Credit to miaubiz.
- [95072] High CVE-2011-2877: Stale font in SVG text handling. Credit to
miaubiz.
+ LibXML issue (14.0.835.163):
- [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit
to Yang Dingning
+ V8 issues (14.0.835.163):
- [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit
to Kostya Serebryany
- [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler
- [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel
Divricean.
- [93906] High CVE-2011-2862: Unintended access to v8 built-in objects.
Credit to Sergey Glazunov.
- [95920] High CVE-2011-2875: Type confusion in v8 object sealing. Credit
to Christian Holler.
+ V8 issues (14.0.835.202):
- [97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8
bindings. Credit to Sergey Glazunov.
- [97784] High CVE-2011-2881: Memory corruption with v8 hidden objects.
Credit to Sergey Glazunov.
[ Fabien Tassin ]
* Add libpulse-dev to Build-Depends, needed for WebRTC
- update debian/control
* Drop the HTML5 video patch, now committed upstream
- remove debian/patches/html5-codecs-fix.patch
- update debian/patches/series
* Rename ui/base/strings/app_strings.grd to ui_strings.grd following
the upstream rename, and add a mapping flag to the grit converter
- update debian/rules
* Add a "Conflicts" with -inspector so that it gets removed
- update debian/control
* Build with the default gcc-4.6 on Oneiric
- update debian/control
- update debian/rules
* Refresh Patches
-- Micah Gersten <email address hidden> Wed, 05 Oct 2011 04:06:44 -0500
This bug was fixed in the package chromium-browser - 14.0.835. 202~r103287- 0ubuntu1
--------------- 202~r103287- 0ubuntu1) oneiric; urgency=low
chromium-browser (14.0.835.
* New upstream release from the Stable Channel (LP: #858744)
This release fixes the following security issues:
+ Chromium issues (13.0.782.220):
- Trust in Diginotar Intermediate CAs revoked
+ Chromium issues (14.0.835.163):
- [49377] High CVE-2011-2835: Race condition in the certificate cache.
Credit to Ryan Sleevi.
- [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
wbrana.
- [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
loading plug-ins. Credit to Michal Zalewski.
- [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
Mario Gomes.
- [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
Credit to Kostya Serebryany.
- [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
to Mario Gomes.
- [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
to Jordi Chancel.
- [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
Credit to Arthur Gerkis.
- [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
Credit to miaubiz.
- [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
Credit to Google Chrome Security Team (Inferno).
- [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
to Google Chrome Security Team (SkyLined).
- [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
- [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
Helin of OUSPG.
- [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
characters. Credit to Google Chrome Security Team (Inferno).
- [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
Credit to Google Chrome Security Team (Inferno).
- [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
+ Chromium issues (14.0.835.202):
- [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
window prototype. Credit to Sergey Glazunov.
- [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
handling. Credit to Google Chrome Security Team (Inferno).
- [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
Credit to Zhenyao Mo.
+ Webkit issues (14.0.835.163):
- [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
user interaction. Credit to kuzzcc.
- [89219] High CVE-2011-2846: Use-after-free in unload event handling.
Credit to Arthur Gerkis.
- [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
miaubiz.
- [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit
to miaubiz.
- [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style
handing. Credit to Sławomir Błażek, and independent later discoveries by
miaubiz and Google Chrome Security Team (Inferno).
- [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to
Arthur Gerkis.
- [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit
to miaubiz.
- [93587] High CVE-2011-2860: Use-after-free in table style handling.
Credit to miaubiz.
+ Webkit issues (14.0.835.202):
- [93788] High CVE-2011-2876: Use-after-free in text line box handling.
Credit to miaubiz.
- [95072] High CVE-2011-2877: Stale font in SVG text handling. Credit to
miaubiz.
+ LibXML issue (14.0.835.163):
- [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit
to Yang Dingning
+ V8 issues (14.0.835.163):
- [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit
to Kostya Serebryany
- [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler
- [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel
Divricean.
- [93906] High CVE-2011-2862: Unintended access to v8 built-in objects.
Credit to Sergey Glazunov.
- [95920] High CVE-2011-2875: Type confusion in v8 object sealing. Credit
to Christian Holler.
+ V8 issues (14.0.835.202):
- [97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8
bindings. Credit to Sergey Glazunov.
- [97784] High CVE-2011-2881: Memory corruption with v8 hidden objects.
Credit to Sergey Glazunov.
[ Fabien Tassin ] patches/ html5-codecs- fix.patch patches/ series strings/ app_strings. grd to ui_strings.grd following
* Add libpulse-dev to Build-Depends, needed for WebRTC
- update debian/control
* Drop the HTML5 video patch, now committed upstream
- remove debian/
- update debian/
* Rename ui/base/
the upstream rename, and add a mapping flag to the grit converter
- update debian/rules
* Add a "Conflicts" with -inspector so that it gets removed
- update debian/control
* Build with the default gcc-4.6 on Oneiric
- update debian/control
- update debian/rules
* Refresh Patches
-- Micah Gersten <email address hidden> Wed, 05 Oct 2011 04:06:44 -0500