Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/maverick-security/chromium-browser

Recent revisions

44. By Micah Gersten on 2011-10-12

* New upstream release from the Stable Channel (LP: #858744)
  This release fixes the following security issues:
  + Chromium issues (13.0.782.220):
    - Trust in Diginotar Intermediate CAs revoked
  + Chromium issues (14.0.835.163):
    - [49377] High CVE-2011-2835: Race condition in the certificate cache.
      Credit to Ryan Sleevi.
    - [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to
    - [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
      loading plug-ins. Credit to Michal Zalewski.
    - [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to
      Mario Gomes.
    - [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
      Credit to Kostya Serebryany.
    - [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit
      to Mario Gomes.
    - [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit
      to Jordi Chancel.
    - [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets.
      Credit to Arthur Gerkis.
    - [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters.
      Credit to miaubiz.
    - [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
      Credit to Google Chrome Security Team (Inferno).
    - [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit
      to Google Chrome Security Team (SkyLined).
    - [93497] Medium CVE-2011-2859: Incorrect permissions assigned to
      non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm
    - [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
      Helin of OUSPG.
    - [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
      characters. Credit to Google Chrome Security Team (Inferno).
    - [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays.
      Credit to Google Chrome Security Team (Inferno).
    - [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
      session. Credit to Nishant Yadant and Craig Chamberlain (@randomuserid).
  + Chromium issues (14.0.835.202):
    - [95671] High CVE-2011-2878: Inappropriate cross-origin access to the
      window prototype. Credit to Sergey Glazunov.
    - [96150] High CVE-2011-2879: Lifetime and threading issues in audio node
      handling. Credit to Google Chrome Security Team (Inferno).
    - [98089] Critical CVE-2011-3873: Memory corruption in shader translator.
      Credit to Zhenyao Mo.
  + Webkit issues (14.0.835.163):
    - [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual
      user interaction. Credit to kuzzcc.
    - [89219] High CVE-2011-2846: Use-after-free in unload event handling.
      Credit to Arthur Gerkis.
    - [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to
    - [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit
      to miaubiz.
    - [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style
      handling. Credit to Sławomir Błażek, and independent later discoveries by
      miaubiz and Google Chrome Security Team (Inferno).
    - [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to
      Arthur Gerkis.
    - [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit
      to miaubiz.
    - [93587] High CVE-2011-2860: Use-after-free in table style handling.
      Credit to miaubiz.
  + Webkit issues (14.0.835.202):
    - [93788] High CVE-2011-2876: Use-after-free in text line box handling.
      Credit to miaubiz.
    - [95072] High CVE-2011-2877: Stale font in SVG text handling. Credit to
  + LibXML issue (14.0.835.163):
    - [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit
      to Yang Dingning
  + V8 issues (14.0.835.163):
    - [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit
      to Kostya Serebryany
    - [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler
    - [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel
    - [93906] High CVE-2011-2862: Unintended access to v8 built-in objects.
      Credit to Sergey Glazunov.
    - [95920] High CVE-2011-2875: Type confusion in v8 object sealing. Credit
      to Christian Holler.
  + V8 issues (14.0.835.202):
    - [97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8
      bindings. Credit to Sergey Glazunov.
    - [97784] High CVE-2011-2881: Memory corruption with v8 hidden objects.
      Credit to Sergey Glazunov.

[ Fabien Tassin ]
* Add libpulse-dev to Build-Depends, needed for WebRTC
  - update debian/control
* Rename ui/base/strings/app_strings.grd to ui_strings.grd following
  the upstream rename, and add a mapping flag to the grit converter
  - update debian/rules
* Refresh Patches

[ Micah Gersten ]
* Switch to internal libvpx (Fixes FTBFS since we now need at least 0.9.6)
  - update debian/rules
* Drop build dependency on libvpx due to the switch to internal libvpx
  - update debian/control

43. By Micah Gersten on 2011-06-30

[ Fabien Tassin <email address hidden> ]
* New Minor upstream release from the Stable Channel (LP: #803107)
  This release fixes the following security issues:
  + WebKit issues:
    - [84355] High, CVE-2011-2346: Use-after-free in SVG font handling.
      Credit to miaubiz.
    - [85003] High, CVE-2011-2347: Memory corruption in CSS parsing. Credit
      to miaubiz.
    - [85102] High, CVE-2011-2350: Lifetime and re-entrancy issues in the
      HTML parser. Credit to miaubiz.
    - [85211] High, CVE-2011-2351: Use-after-free with SVG use element.
      Credit to miaubiz.
    - [85418] High, CVE-2011-2349: Use-after-free in text selection. Credit
      to miaubiz.
  + Chromium issues:
    - [77493] Medium, CVE-2011-2345: Out-of-bounds read in NPAPI string
      handling. Credit to Philippe Arteau.
    - [85177] High, CVE-2011-2348: Bad bounds check in v8. Credit to Aki
      Helin of OUSPG.

[ Micah Gersten <email address hidden> ]
* Drop armel again from control file to not block on i386/amd64 updates
  - update debian/control

42. By Micah Gersten on 2011-06-07

[ Fabien Tassin <email address hidden> ]
* New upstream release from the Stable Channel (LP: #794197)
  It includes:
  - Hardware accelerated 3D CSS
  - New Safe Browsing protection against downloading malicious files
  - Integrated Sync into new settings pages
  This release fixes the following security issues:
  + WebKit issues:
    - [73962] [79746] High CVE-2011-1808: Use-after-free due to integer
      issues in float handling. Credit to miaubiz.
    - [75496] Medium CVE-2011-1809: Use-after-free in accessibility support.
      Credit to Google Chrome Security Team (SkyLined).
    - [75643] Low CVE-2011-1810: Visit history information leak in CSS.
      Credit to Jesse Mohrland of Microsoft and Microsoft Vulnerability
      Research (MSVR).
    - [80358] Medium CVE-2011-1816: Use-after-free in developer tools. Credit
      to kuzzcc.
    - [81949] High CVE-2011-1818: Use-after-free in image loader. Credit to
    - [83743] High CVE-2011-2342: Same origin bypass in DOM. Credit to Sergey
  + Chromium issues:
    - [76034] Low CVE-2011-1811: Browser crash with lots of form submissions.
      Credit to “DimitrisV22”.
    - [77026] Medium CVE-2011-1812: Extensions permission bypass. Credit to
    - [78516] High CVE-2011-1813: Stale pointer in extension framework.
      Credit to Google Chrome Security Team (Inferno).
    - [79862] Low CVE-2011-1815: Extension script injection into new tab
      page. Credit to kuzzcc.
    - [81916] Medium CVE-2011-1817: Browser memory corruption in history
      deletion. Credit to Collin Payne.
    - [83010] Medium CVE-2011-1819: Extension injection into chrome:// pages.
      Credit to Vladislavas Jarmalis, plus subsequent independent discovery
      by Sergey Glazunov.
    - [83275] High CVE-2011-2332: Same origin bypass in v8. Credit to Sergey
* Drop the stored passwords patch (fixed upstream)
  - remove debian/patches/stored_passwords_lp743494.patch
  - update debian/patches/series
* Empty the -inspector package now that it has been merged into the main
  resources.pak file (so that the Inspector remains usable after an upgrade
  until the next browser restart). Also remove the resources directory,
  now empty
  - remove debian/chromium-browser-inspector.install
  - update debian/chromium-browser.dirs
  - update debian/rules
* Update the location of the app_strings templates
  - update debian/rules
* Don't build with libjpeg-turbo on armel, to prevent a FTBFS
  - update debian/rules
* Rebase the GL dlopen patch
  - update debian/patches/dlopen_sonamed_gl.patch

[ Micah Gersten <email address hidden> ]
* Don't have chromium-browser depend on chromium-browser-inspector anymore
  it's now a transitional package; Change text of chromium-browser-inspector
  to reflect its transitional nature
  - update debian/control
* Re-enable armel builds
  - update debian/control

41. By Micah Gersten on 2011-05-25

[ Fabien Tassin <email address hidden> ]
* New Minor upstream release from the Stable Channel (LP: #787846)
  This release fixes the following security issues:
  + WebKit issues:
    - [72189] Low, CVE-2011-1801: Pop-up blocker bypass. Credit to Chamal De
    - [82546] High, CVE-2011-1804: Stale pointer in floats rendering. Credit
      to Martin Barbella.
    - [82903] Critical, CVE-2011-1807: Out-of-bounds write in blob handling.
      Credit to Google Chrome Security Team (Inferno) and Kostya Serebryany
      of the Chromium development community.
  + GPU/WebGL issue:
    - [82873] Critical, CVE-2011-1806: Memory corruption in GPU command
      buffer. Credit to Google Chrome Security Team (Cris Neckar).
* Update the svg icon once again, the previous one contained an embedded png
  (LP: #748881)
  - update debian/chromium-browser.svg

40. By Micah Gersten on 2011-05-14

[ Fabien Tassin <email address hidden> ]
* New Minor upstream release from the Stable Channel (LP: #781822)
  This release fixes the following security issues:
  + WebKit issues:
    - [64046] High, CVE-2011-1799: Bad casts in Chromium WebKit glue. Credit
      to Google Chrome Security Team (SkyLined).
    - [80608] High, CVE-2011-1800: Integer overflows in SVG filters. Credit
      to Google Chrome Security Team (Cris Neckar).

39. By Micah Gersten on 2011-05-08

[ Fabien Tassin <email address hidden> ]
* New Minor upstream release from the Stable Channel (LP: #778822)
  This release fixes the following security issues:
  + WebKit issues:
    - [67923] High, CVE-2011-1793: stale pointer in SVG image handling
      (credit: Mitz)
    - [78327] High, CVE-2011-1794: integer overflow in SVG filters (credit:
    - [78948] High, CVE-2011-1795: integer underflow in forms handling
      (credit: Cris Neckar)
    - [79055] High, CVE-2011-1796: use-after-free in frame handling (credit:
    - [79075] High, CVE-2011-1797: stale pointer in table captioning (credit:
    - [79595] High, CVE-2011-1798: bad cast in SVG text handling (credit:
* Pass --delete_unversioned_trees to gclient and drop the git.chromium.org
  - update debian/rules

[ Micah Gersten <email address hidden> ]
* Switch arch: any to arch: i386 amd64 so that we don't have to wait for armel
  - update debian/control

38. By Fabien Tassin on 2011-04-27

* New Major upstream release from the Stable Channel (LP: #771935)
  This release fixes the following security issues:
  + WebKit issues:
    - [61502] High, CVE-2011-1303: Stale pointer in floating object handling.
      Credit to Scott Hess of the Chromium development community and Martin
    - [70538] Low, CVE-2011-1304: Pop-up block bypass via plug-ins. Credit to
      Chamal De Silva.
    - [70589] Medium, CVE-2011-1305: Linked-list race in database handling.
      Credit to Kostya Serebryany of the Chromium development community.
    - [73526] High, CVE-2011-1437: Integer overflows in float rendering.
      Credit to miaubiz.
    - [74653] High, CVE-2011-1438: Same origin policy violation with blobs.
      Credit to kuzzcc.
    - [75186] High, CVE-2011-1440: Use-after-free with <ruby> tag and CSS.
      Credit to Jose A. Vazquez.
    - [75347] High, CVE-2011-1441: Bad cast with floating select lists.
      Credit to Michael Griffiths.
    - [75801] High, CVE-2011-1442: Corrupt node trees with mutation events.
      Credit to Sergey Glazunov and wushi of team 509.
    - [76001] High, CVE-2011-1443: Stale pointers in layering code. Credit to
      Martin Barbella.
    - [76646] Medium, CVE-2011-1445: Out-of-bounds read in SVG. Credit to
      wushi of team509.
    - [76666] [77507] [78031] High, CVE-2011-1446: Possible URL bar spoofs
      with navigation errors and interrupted loads. Credit to kuzzcc.
    - [76966] High, CVE-2011-1447: Stale pointer in drop-down list handling.
      Credit to miaubiz.
    - [77130] High, CVE-2011-1448: Stale pointer in height calculations.
      Credit to wushi of team509.
    - [77346] High, CVE-2011-1449: Use-after-free in WebSockets. Credit to
      Marek Majkowski.
    - [77463] High, CVE-2011-1451: Dangling pointers in DOM id map. Credit to
      Sergey Glazunov.
    - [79199] High, CVE-2011-1454: Use-after-free in DOM id handling. Credit
      to Sergey Glazunov.
  + Chromium issues:
    - [71586] Medium, CVE-2011-1434: Lack of thread safety in MIME handling.
      Credit to Aki Helin.
    - [72523] Medium, CVE-2011-1435: Bad extension with ‘tabs’ permission can
      capture local files. Credit to Cole Snodgrass.
    - [72910] Low, CVE-2011-1436: Possible browser crash due to bad
      interaction with X. Credit to miaubiz.
    - [76542] High, CVE-2011-1444: Race condition in sandbox launcher. Credit
      to Dan Rosenberg.
    - [77349] Low, CVE-2011-1450: Dangling pointers in file dialogs. Credit
      to kuzzcc.
    - [77786] Medium, CVE-2011-1452: URL bar spoof with redirect and manual
      reload. Credit to Jordi Chancel.
    - [74763] High, CVE-2011-1439: Prevent interference between renderer
      processes. Credit to Julien Tinnes of the Google Security Team.
* Fix the password store regression from the last Chromium 10 update.
  Backport from trunk provided by Elliot Glaysher from upstream (LP: #743494)
  - add debian/patches/stored_passwords_lp743494.patch
  - update debian/patches/series
* Update the SVG logo to match the new simplified 2D logo (LP: #748881)
  - update debian/chromium-browser.svg
* Ship the app icon in all the sizes provided upstream
  - update debian/rules
* Add libpam0g-dev to Build-depends, needed by "Chromoting"
  - update debian/control
* Enable the new use_third_party_translations flag at build time (it enables
  the Launchpad translations already used in Ubuntu since Chromium 8)
  - update debian/rules

37. By Fabien Tassin on 2011-04-14

* New upstream minor release from the Stable Channel (LP: #762275)
  This release fixes the following security issues:
  - [75629] Critical, CVE-2011-1301: Use-after-free in the GPU process.
    Credit to Google Chrome Security Team (Inferno).
  - [78524] Critical, CVE-2011-1302: Heap overflow in the GPU process. Credit
    to Christoph Diehl.
  This release also contains the security fixes from 10.0.648.204~r79063
  (which has been skipped by the sponsors) (LP: #742118)
  + Webkit bugs:
    - [73216] High, CVE-2011-1292: Use-after-free in the frame loader. Credit
      to Sławomir Błażek.
    - [73595] High, CVE-2011-1293: Use-after-free in HTMLCollection. Credit
      to Sergey Glazunov.
    - [74562] High, CVE-2011-1294: Stale pointer in CSS handling. Credit to
      Sergey Glazunov.
    - [74991] High, CVE-2011-1295: DOM tree corruption with broken node
      parentage. Credit to Sergey Glazunov.
    - [75170] High, CVE-2011-1296: Stale pointer in SVG text handling. Credit
      to Sergey Glazunov.
  + Chromium bugs:
    - [72517] High, CVE-2011-1291: Buffer error in base string handling.
      Credit to Alex Turpin.
Packaging changes:
* Set arm_fpu=vfpv3-d16 on arm (less restrictive than the default vfpv3)
  preventing a SIGILL crash on some boards (LP: #735877)
  - update debian/control
* Install libppGoogleNaClPluginChrome.so (LP: #738331)
  - update debian/rules
  - update debian/chromium-browser.install
* Fix the apport hooks to pass the expected 'ui' to add_info(), needed when
  called from apport/ubuntu-bug (LP: #759635)
  - update debian/apport/chromium-browser.py
* NaCL may be blacklisted, so only include it when it's actually been
  built (fixes the ftbfs on arm) (LP: #745854)
  - update debian/rules
  - update debian/chromium-browser.install
* Harden the apport hooks in the extensions section
  - update debian/apport/chromium-browser.py

36. By Fabien Tassin on 2011-03-11

* New upstream security release from the Stable Channel (LP: #733514)
  + Webkit:
    - CVE-2011-1290 [75712] High, Memory corruption in style handling. Credit
      to Vincenzo Iozzo, Ralf Philipp Weinmann and Willem Pinckaers reported
      through ZDI.

35. By Fabien Tassin on 2011-03-08

* New upstream major release from the Stable Channel (LP: #731520)
  It includes:
  - New version of V8 - Crankshaft - which greatly improves javascript
  - New settings pages that open in a tab, rather than a dialog box
  - Improved security with malware reporting and disabling outdated plugins
    by default
  - Password sync as part of Chrome Sync now enabled by default
  - GPU Accelerated Video
  - Background WebApps
  - webNavigation extension API
  This release also fixes the following security issues:
  + Webkit bugs:
    - [42574] [42765] Low, Possible to navigate or close the top location in
      a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
    - [69628] High, Memory corruption with counter nodes. Credit to Martin
    - [70027] High, Stale node in box layout. Credit to Martin Barbella.
    - [70336] Medium, Cross-origin error message leak with workers. Credit to
      Daniel Divricean.
    - [70442] High, Use after free with DOM URL handling. Credit to Sergey
    - [70779] Medium, Out of bounds read handling unicode ranges. Credit to
    - [70885] [71167] Low, Pop-up blocker bypasses. Credit to Chamal de
    - [71763] High, Use-after-free in document script lifetime handling.
      Credit to miaubiz.
    - [72028] High, Stale pointer in table painting. Credit to Martin
    - [73066] High, Crash with the DataView object. Credit to Sergey
    - [73134] High, Bad cast in text rendering. Credit to miaubiz.
    - [73196] High, Stale pointer in WebKit context code. Credit to Sergey
    - [73746] High, Stale pointer with SVG cursors. Credit to Sergey
    - [74030] High, DOM tree corruption with attribute handling. Credit to
      Sergey Glazunov.
  + Chromium bugs:
    - [49747] Low, Work around an X server bug and crash with long messages.
      Credit to Louis Lang.
    - [66962] Low, Possible browser crash with parallel print()s. Credit to
      Aki Helin of OUSPG.
    - [69187] Medium, Cross-origin error message leak. Credit to Daniel
    - [70877] High, Same origin policy bypass in v8. Credit to Daniel
  + v8:
    - [74662] High, Corruption via re-entrancy of RegExp code. Credit to
      Christian Holler.
    - [74675] High, Invalid memory access in v8. Credit to Christian Holler.
  + ffmpeg:
    - [71788] High, Out-of-bounds write in the OGG container. Credit to
      Google Chrome Security Team (SkyLined); plus subsequent independent
      discovery by David Weston of Microsoft and MSVR.
    - [73026] High, Use of corrupt out-of-bounds structure in video code.
      Credit to Tavis Ormandy of the Google Security Team.
  + libxslt:
    - [73716] Low, Leak of heap address in XSLT. Credit to Google Chrome
      Security Team (Chris Evans).
Packaging changes:
* Promote Uyghur to the list of supported translations
  - update debian/rules
  - update debian/control
* Fix the FTBFS on arm by re-adding the lost arm_neon=0, and really set armv7=1
  on maverick and natty
  - update debian/rules
* Fix the broken symlinks in /usr/share/doc created by CDBS (See LP: #194574)
  - update debian/rules
* Add libxt-dev to Build-deps needed by ppGoogleNaClPluginChrome
  - update debian/control
* Fix the Webkit version in about:version (the build system expects the svn
  or git directories to be available at build time)
  - add debian/patches/webkit_rev_parser.patch
  - update debian/patches/series
* Bump build-depends on libvpx-dev to >= 0.9.5
  - update debian/control

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)