Ubuntu
chromium-browser package

9.0.597.107 -> 10.0.648.127

Bug #731520 reported by Fabien Tassin
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Fix Released
High
Fabien Tassin
Lucid
Fix Released
High
Micah Gersten
Maverick
Fix Released
High
Micah Gersten
Natty
Fix Released
High
Fabien Tassin

Bug Description

Binary package hint: chromium-browser

Upstream just released a new Major (stable) release also fixing a bunch of security issues.

It contains security fixes for webkit (16), chromium (4), v8 (2), ffmpeg (2) and libxslt (1)

Needed in natty, maverick and lucid.

See original description
Fabien Tassin (fta)
Changed in chromium-browser (Ubuntu Natty):
assignee: nobody → Fabien Tassin (fta)
importance: Undecided → High
status: New → In Progress
Changed in chromium-browser (Ubuntu Maverick):
importance: Undecided → High
status: New → In Progress
Changed in chromium-browser (Ubuntu Lucid):
importance: Undecided → High
status: New → In Progress
description: updated
visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.8 KiB)

This bug was fixed in the package chromium-browser - 10.0.648.127~r76697-0ubuntu1

---------------
chromium-browser (10.0.648.127~r76697-0ubuntu1) natty; urgency=high

  * New upstream major release from the Stable Channel (LP: #731520)
    It includes:
    - New version of V8 - Crankshaft - which greatly improves javascript
      performance
    - New settings pages that open in a tab, rather than a dialog box
    - Improved security with malware reporting and disabling outdated plugins
      by default
    - Password sync as part of Chrome Sync now enabled by default
    - GPU Accelerated Video
    - Background WebApps
    - webNavigation extension API
    This release also fixes the following security issues:
    + Webkit bugs:
      - [42574] [42765] Low, Possible to navigate or close the top location in
        a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
      - [69628] High, Memory corruption with counter nodes. Credit to Martin
        Barbella.
      - [70027] High, Stale node in box layout. Credit to Martin Barbella.
      - [70336] Medium, Cross-origin error message leak with workers. Credit to
        Daniel Divricean.
      - [70442] High, Use after free with DOM URL handling. Credit to Sergey
        Glazunov.
      - [70779] Medium, Out of bounds read handling unicode ranges. Credit to
        miaubiz.
      - [70885] [71167] Low, Pop-up blocker bypasses. Credit to Chamal de
        Silva.
      - [71763] High, Use-after-free in document script lifetime handling.
        Credit to miaubiz.
      - [72028] High, Stale pointer in table painting. Credit to Martin
        Barbella.
      - [73066] High, Crash with the DataView object. Credit to Sergey
        Glazunov.
      - [73134] High, Bad cast in text rendering. Credit to miaubiz.
      - [73196] High, Stale pointer in WebKit context code. Credit to Sergey
        Glazunov.
      - [73746] High, Stale pointer with SVG cursors. Credit to Sergey
        Glazunov.
      - [74030] High, DOM tree corruption with attribute handling. Credit to
        Sergey Glazunov.
    + Chromium bugs:
      - [49747] Low, Work around an X server bug and crash with long messages.
        Credit to Louis Lang.
      - [66962] Low, Possible browser crash with parallel print()s. Credit to
        Aki Helin of OUSPG.
      - [69187] Medium, Cross-origin error message leak. Credit to Daniel
        Divricean.
      - [70877] High, Same origin policy bypass in v8. Credit to Daniel
        Divricean.
    + v8:
      - [74662] High, Corruption via re-entrancy of RegExp code. Credit to
        Christian Holler.
      - [74675] High, Invalid memory access in v8. Credit to Christian Holler.
    + ffmpeg:
      - [71788] High, Out-of-bounds write in the OGG container. Credit to
        Google Chrome Security Team (SkyLined); plus subsequent independent
        discovery by David Weston of Microsoft and MSVR.
      - [73026] High, Use of corrupt out-of-bounds structure in video code.
        Credit to Tavis Ormandy of the Google Security Team.
    + libxslt:
      - [73716] Low, Leak of heap address in XSLT. Credit to Google Chrome
        Security Team (Chris Evans).
  Packaging chan...

Read more...

Changed in chromium-browser (Ubuntu Natty):
status: In Progress → Fix Released
Fabien Tassin (fta)
Changed in chromium-browser (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in chromium-browser (Ubuntu Maverick):
status: In Progress → Fix Committed
Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
status: Fix Committed → In Progress
Changed in chromium-browser (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
status: Fix Committed → In Progress
Revision history for this message
Micah Gersten (micahg) wrote :

Packages ACKd and uploaded to ubuntu-security-proposed PPA

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Copied lucid and maverick to -proposed for libvpx and chromium-browser. Tested with QRT (test-libvpx.py and test-browser.py) on amd64 and it passes all tests (minus a small regression in the ogg/audio player where it plays bug doesn't advance the display until mouseover. I'm told by fta and micahg that this is fixed upstream and not release critical).

Changed in chromium-browser (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in chromium-browser (Ubuntu Maverick):
status: In Progress → Fix Committed
Revision history for this message
Micah Gersten (micahg) wrote :

libvpx and chromium passed regression tests on i386 except for one small regression in the ogg/audio player which we'll pursue in Bug #732976.

Jamie Strandboge (jdstrand)
tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.9 KiB)

This bug was fixed in the package chromium-browser - 10.0.648.127~r76697-0ubuntu0.10.10.1

---------------
chromium-browser (10.0.648.127~r76697-0ubuntu0.10.10.1) maverick-security; urgency=high

  * New upstream major release from the Stable Channel (LP: #731520)
    It includes:
    - New version of V8 - Crankshaft - which greatly improves javascript
      performance
    - New settings pages that open in a tab, rather than a dialog box
    - Improved security with malware reporting and disabling outdated plugins
      by default
    - Password sync as part of Chrome Sync now enabled by default
    - GPU Accelerated Video
    - Background WebApps
    - webNavigation extension API
    This release also fixes the following security issues:
    + Webkit bugs:
      - [42574] [42765] Low, Possible to navigate or close the top location in
        a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
      - [69628] High, Memory corruption with counter nodes. Credit to Martin
        Barbella.
      - [70027] High, Stale node in box layout. Credit to Martin Barbella.
      - [70336] Medium, Cross-origin error message leak with workers. Credit to
        Daniel Divricean.
      - [70442] High, Use after free with DOM URL handling. Credit to Sergey
        Glazunov.
      - [70779] Medium, Out of bounds read handling unicode ranges. Credit to
        miaubiz.
      - [70885] [71167] Low, Pop-up blocker bypasses. Credit to Chamal de
        Silva.
      - [71763] High, Use-after-free in document script lifetime handling.
        Credit to miaubiz.
      - [72028] High, Stale pointer in table painting. Credit to Martin
        Barbella.
      - [73066] High, Crash with the DataView object. Credit to Sergey
        Glazunov.
      - [73134] High, Bad cast in text rendering. Credit to miaubiz.
      - [73196] High, Stale pointer in WebKit context code. Credit to Sergey
        Glazunov.
      - [73746] High, Stale pointer with SVG cursors. Credit to Sergey
        Glazunov.
      - [74030] High, DOM tree corruption with attribute handling. Credit to
        Sergey Glazunov.
    + Chromium bugs:
      - [49747] Low, Work around an X server bug and crash with long messages.
        Credit to Louis Lang.
      - [66962] Low, Possible browser crash with parallel print()s. Credit to
        Aki Helin of OUSPG.
      - [69187] Medium, Cross-origin error message leak. Credit to Daniel
        Divricean.
      - [70877] High, Same origin policy bypass in v8. Credit to Daniel
        Divricean.
    + v8:
      - [74662] High, Corruption via re-entrancy of RegExp code. Credit to
        Christian Holler.
      - [74675] High, Invalid memory access in v8. Credit to Christian Holler.
    + ffmpeg:
      - [71788] High, Out-of-bounds write in the OGG container. Credit to
        Google Chrome Security Team (SkyLined); plus subsequent independent
        discovery by David Weston of Microsoft and MSVR.
      - [73026] High, Use of corrupt out-of-bounds structure in video code.
        Credit to Tavis Ormandy of the Google Security Team.
    + libxslt:
      - [73716] Low, Leak of heap address in XSLT. Credit to Google Chrome
        Security Team (Ch...

Read more...

Changed in chromium-browser (Ubuntu Maverick):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.9 KiB)

This bug was fixed in the package chromium-browser - 10.0.648.127~r76697-0ubuntu0.10.04.1

---------------
chromium-browser (10.0.648.127~r76697-0ubuntu0.10.04.1) lucid-security; urgency=high

  * New upstream major release from the Stable Channel (LP: #731520)
    It includes:
    - New version of V8 - Crankshaft - which greatly improves javascript
      performance
    - New settings pages that open in a tab, rather than a dialog box
    - Improved security with malware reporting and disabling outdated plugins
      by default
    - Password sync as part of Chrome Sync now enabled by default
    - GPU Accelerated Video
    - Background WebApps
    - webNavigation extension API
    This release also fixes the following security issues:
    + Webkit bugs:
      - [42574] [42765] Low, Possible to navigate or close the top location in
        a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
      - [69628] High, Memory corruption with counter nodes. Credit to Martin
        Barbella.
      - [70027] High, Stale node in box layout. Credit to Martin Barbella.
      - [70336] Medium, Cross-origin error message leak with workers. Credit to
        Daniel Divricean.
      - [70442] High, Use after free with DOM URL handling. Credit to Sergey
        Glazunov.
      - [70779] Medium, Out of bounds read handling unicode ranges. Credit to
        miaubiz.
      - [70885] [71167] Low, Pop-up blocker bypasses. Credit to Chamal de
        Silva.
      - [71763] High, Use-after-free in document script lifetime handling.
        Credit to miaubiz.
      - [72028] High, Stale pointer in table painting. Credit to Martin
        Barbella.
      - [73066] High, Crash with the DataView object. Credit to Sergey
        Glazunov.
      - [73134] High, Bad cast in text rendering. Credit to miaubiz.
      - [73196] High, Stale pointer in WebKit context code. Credit to Sergey
        Glazunov.
      - [73746] High, Stale pointer with SVG cursors. Credit to Sergey
        Glazunov.
      - [74030] High, DOM tree corruption with attribute handling. Credit to
        Sergey Glazunov.
    + Chromium bugs:
      - [49747] Low, Work around an X server bug and crash with long messages.
        Credit to Louis Lang.
      - [66962] Low, Possible browser crash with parallel print()s. Credit to
        Aki Helin of OUSPG.
      - [69187] Medium, Cross-origin error message leak. Credit to Daniel
        Divricean.
      - [70877] High, Same origin policy bypass in v8. Credit to Daniel
        Divricean.
    + v8:
      - [74662] High, Corruption via re-entrancy of RegExp code. Credit to
        Christian Holler.
      - [74675] High, Invalid memory access in v8. Credit to Christian Holler.
    + ffmpeg:
      - [71788] High, Out-of-bounds write in the OGG container. Credit to
        Google Chrome Security Team (SkyLined); plus subsequent independent
        discovery by David Weston of Microsoft and MSVR.
      - [73026] High, Use of corrupt out-of-bounds structure in video code.
        Credit to Tavis Ormandy of the Google Security Team.
    + libxslt:
      - [73716] Low, Leak of heap address in XSLT. Credit to Google Chrome
        Security Team (Chris...

Read more...

Changed in chromium-browser (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.