This bug was fixed in the package chromium-browser -
14.0.835.202~r103287-0ubuntu0.10.10.1
---------------
chromium-browser (14.0.835.202~r103287-0ubuntu0.10.10.1) maverick-security;
urgency=low
* New upstream release from the Stable Channel (LP: #858744)
This release fixes the following security issues:
+ Chromium issues (13.0.782.220):
- Trust in Diginotar Intermediate CAs revoked
+ Chromium issues (14.0.835.163):
- [49377] High CVE-2011-2835: Race condition in the certificate cache.
Credit to Ryan Sleevi.
- [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
wbrana.
- [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
loading plug-ins. Credit to Michal Zalewski.
- [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
Mario Gomes.
- [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
Credit to Kostya Serebryany.
- [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
to Mario Gomes.
- [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
to Jordi Chancel.
- [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
Credit to Arthur Gerkis.
- [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
Credit to miaubiz.
- [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
Credit to Google Chrome Security Team (Inferno).
- [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
to Google Chrome Security Team (SkyLined).
- [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
- [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
Helin of OUSPG.
- [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
characters. Credit to Google Chrome Security Team (Inferno).
- [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
Credit to Google Chrome Security Team (Inferno).
- [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
+ Chromium issues (14.0.835.202):
- [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
window prototype. Credit to Sergey Glazunov.
- [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
handling. Credit to Google Chrome Security Team (Inferno).
- [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
Credit to Zhenyao Mo.
+ Webkit issues (14.0.835.163):
- [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
user interaction. Credit to kuzzcc.
- [89219] High CVE-2011-2846: Use-after-free in unload event handling.
Credit to Arthur Gerkis.
- [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
miaubiz.
- [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit
to miaubiz.
- [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style
handling. Credit to Sławomir Błażek, and independent later discoveries by
miaubiz and Google Chrome Security Team (Inferno).
- [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to
Arthur Gerkis.
- [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit
to miaubiz.
- [93587] High CVE-2011-2860: Use-after-free in table style handling.
Credit to miaubiz.
+ Webkit issues (14.0.835.202):
- [93788] High CVE-2011-2876: Use-after-free in text line box handling.
Credit to miaubiz.
- [95072] High CVE-2011-2877: Stale font in SVG text handling. Credit to
miaubiz.
+ LibXML issue (14.0.835.163):
- [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit
to Yang Dingning
+ V8 issues (14.0.835.163):
- [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit
to Kostya Serebryany
- [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler
- [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel
Divricean.
- [93906] High CVE-2011-2862: Unintended access to v8 built-in objects.
Credit to Sergey Glazunov.
- [95920] High CVE-2011-2875: Type confusion in v8 object sealing. Credit
to Christian Holler.
+ V8 issues (14.0.835.202):
- [97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8
bindings. Credit to Sergey Glazunov.
- [97784] High CVE-2011-2881: Memory corruption with v8 hidden objects.
Credit to Sergey Glazunov.
[ Fabien Tassin ]
* Add libpulse-dev to Build-Depends, needed for WebRTC
- update debian/control
* Rename ui/base/strings/app_strings.grd to ui_strings.grd following
the upstream rename, and add a mapping flag to the grit converter
- update debian/rules
* Refresh Patches
[ Micah Gersten ]
* Switch to internal libvpx (Fixes FTBFS since we now need at least 0.9.6)
- update debian/rules
* Drop build dependency on libvpx due to the switch to internal libvpx
- update debian/control
chromium-browser (13.0.782.215~r97094-0ubuntu0.10.10.1) maverick-security;
urgency=low
[ Fabien Tassin <[email protected]> ]
* New upstream release from the Stable Channel (LP: #834922)
This release fixes the following security issues:
+ Chromium issues:
- [91517] High, CVE-2011-2828: Out-of-bounds write in v8. Credit to Google
Chrome Security Team (SkyLined).
+ Webkit issues:
- [82552] High, CVE-2011-2823: Use-after-free in line box handling. Credit
to Google Chrome Security Team (SkyLined) and independent later
discovery by miaubiz.
- [88216] High, CVE-2011-2824: Use-after-free with counter nodes. Credit
to miaubiz.
- [88670] High, CVE-2011-2825: Use-after-free with custom fonts. Credit to
wushi of team509 reported through ZDI (ZDI-CAN-1283), plus independent
later discovery by miaubiz.
- [87453] High, CVE-2011-2826: Cross-origin violation with empty origins.
Credit to Sergey Glazunov.
- [90668] High, CVE-2011-2827: Use-after-free in text searching. Credit to
miaubiz.
- [32-bit only] [91598] High, CVE-2011-2829: Integer overflow in uniform
arrays. Credit to Sergey Glazunov.
+ libxml2 issue:
- [89402] High, CVE-2011-2821: Double free in libxml XPath handling.
Credit to Yang Dingning from NCNIPC, Graduate University of Chinese
Academy of Sciences.
chromium-browser (13.0.782.107~r94237-0ubuntu0.10.10.1) maverick-security;
urgency=low
[ Fabien Tassin <[email protected]> ]
* New Major upstream release from the Stable Channel (LP: #819991)
This release fixes the following security issues:
+ Chromium issues:
- [75821] Medium, CVE-2011-2358: Always confirm an extension install via a
browser dialog. Credit to Sergey Glazunov.
- [79266] Low, CVE-2011-2360: Potential bypass of dangerous file prompt.
Credit to kuzzcc.
- [79426] Low, CVE-2011-2361: Improve designation of strings in the basic
auth dialog. Credit to kuzzcc.
- [81307] Medium, CVE-2011-2782: File permissions error with drag and
drop. Credit to Evan Martin of the Chromium development community.
- [83273] Medium, CVE-2011-2783: Always confirm a developer mode NPAPI
extension install via a browser dialog. Credit to Sergey Glazunov.
- [84402] Low, CVE-2011-2785: Sanitize the homepage URL in extensions.
Credit to kuzzcc.
- [84805] Medium, CVE-2011-2787: Browser crash due to GPU lock re-entrancy
issue. Credit to kuzzcc.
- [85808] Medium, CVE-2011-2789: Use after free in Pepper plug-in
instantiation. Credit to Mario Gomes and kuzzcc.
- [87815] Low, CVE-2011-2798: Prevent a couple of internal schemes from
being web accessible. Credit to sirdarckcat of the Google Security Team.
- [88827] Medium, CVE-2011-2803: Out-of-bounds read in Skia paths. Credit
to Google Chrome Security Team (Inferno).
+ Webkit issues:
- [78841] High, CVE-2011-2359: Stale pointer due to bad line box tracking
in rendering. Credit to miaubiz and Martin Barbella.
- [83841] Low, CVE-2011-2784: Local file path disclosure via GL program
log. Credit to kuzzcc.
- [84600] Low, CVE-2011-2786: Make sure the speech input bubble is always
on-screen. Credit to Olli Pettay of Mozilla.
- [85559] Low, CVE-2011-2788: Buffer overflow in inspector serialization.
Credit to Mikołaj Małecki.
- [86502] High, CVE-2011-2790: Use-after-free with floating styles. Credit
to miaubiz.
- [87148] High, CVE-2011-2792: Use-after-free with float removal. Credit
to miaubiz.
- [87227] High, CVE-2011-2793: Use-after-free in media selectors. Credit
to miaubiz.
- [87298] Medium, CVE-2011-2794: Out-of-bounds read in text iteration.
Credit to miaubiz.
- [87339] Medium, CVE-2011-2795: Cross-frame function leak. Credit to Shih
Wei-Long.
- [87548] High, CVE-2011-2796: Use-after-free in Skia. Credit to Google
Chrome Security Team (Inferno) and Kostya Serebryany of the Chromium
development community.
- [87729] High, CVE-2011-2797: Use-after-free in resource caching. Credit
to miaubiz.
- [87925] High, CVE-2011-2799: Use-after-free in HTML range handling.
Credit to miaubiz.
- [88337] Medium, CVE-2011-2800: Leak of client-side redirect target.
Credit to Juho Nurminen.
- [88591] High, CVE-2011-2802: v8 crash with const lookups. Credit to
Christian Holler.
- [88846] High, CVE-2011-2801: Use-after-free in frame loader. Credit to
miaubiz.
- [88889] High, CVE-2011-2818: Use-after-free in display box rendering.
Credit to Martin Barbella.
- [89520] High, CVE-2011-2805: Cross-origin script injection. Credit to
Sergey Glazunov.
- [90222] High, CVE-2011-2819: Cross-origin violation in base URI
handling. Credit to Sergey Glazunov.
+ ICU 4.6 issue:
- [86900] High, CVE-2011-2791: Out-of-bounds write in ICU. Credit to Yang
Dingning from NCNIPC, Graduate University of Chinese Academy of
Sciences.
Packaging changes:
* Run the gclient hooks when creating the source tarball, as we need files
from the Native Client's integrated runtime (IRT) library.
Install the NaCL IRT files in the main deb
- update debian/rules
- update debian/chromium-browser.install
-- Micah Gersten <[email protected]> Wed, 12 Oct 2011 03:01:05 -0500
** Changed in: chromium-browser (Ubuntu Maverick)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/858744
Title:
13.0.782.215 -> 14.0.835.202