5.0.375.127~r55887 security update

Bug #622823 reported by Fabien Tassin on 2010-08-23
Affects                     Importance   Assigned to
chromium-browser (Ubuntu)   High         Fabien Tassin
  Lucid                     High         Unassigned
  Maverick                  High         Fabien Tassin
gyp (Ubuntu)                Undecided    Unassigned
  Lucid                     Undecided    Unassigned
  Maverick                  Undecided    Unassigned

Bug Description

Binary package hint: chromium-browser

chromium needs to be updated to 5.0.375.127~r55887, which contains several High/Critical security fixes.

Fabien Tassin (fta) wrote :

it's already in the stable PPA: ppa:chromium-daily/stable

Changed in chromium-browser (Ubuntu):
assignee: nobody → Fabien Tassin (fta)
importance: Undecided → High

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 5.0.375.127~r55887-0ubuntu1

---------------
chromium-browser (5.0.375.127~r55887-0ubuntu1) maverick; urgency=low

  * New upstream release from the Stable Channel (LP: #622823)
    This release fixes the following security issues:
    - [45400] Critical, Memory corruption with file dialog. Credit to Sergey
      Glazunov.
    - [49596] High, Memory corruption with SVGs. Credit to wushi of team509.
    - [49628] High, Bad cast with text editing. Credit to wushi of team509.
    - [49964] High, Possible address bar spoofing with history bug. Credit to
      Mike Taylor.
    - [50515] [51835] High, Memory corruption in MIME type handling. Credit to
      Sergey Glazunov.
    - [50553] Critical, Crash on shutdown due to notifications bug. Credit to
      Sergey Glazunov.
    - [51146] Medium, Stop omnibox autosuggest if the user might be about to
      type a password. Credit to Robert Hansen.
    - [51654] High, Memory corruption with Ruby support. Credit to kuzzcc.
    - [51670] High, Memory corruption with Geolocation support. Credit to
      kuzzcc.
  * Add the xul libdir to LD_LIBRARY_PATH in the wrapper to help icedtea6-plugin
    (LP: #529242). This is needed at least for openjdk-6 6b18.
    - update debian/chromium-browser.sh
  * No longer use tar --lzma in get-orig-source now that it silently uses xz
    (since tar 1.23-2) which is not available in the backports. Use "tar | lzma"
    instead so the embedded tarball is always a lzma file
    - update debian/rules
  * Tweak the user agent to include Chromium and the Distro's name and version.
    - add debian/patches/chromium_useragent.patch.in
    - update debian/patches/series
    - update debian/rules
  * Fix a typo in the subst_files rule
    - update debian/rules
  * Fix a gyp file that triggers an error with newer gyp (because of dead code)
    - add debian/patches/drop_unused_rules_to_please_newer_gyp.patch
    - update debian/patches/series
  * Bump gyp Build-Depends to >= 0.1~svn810 to match upstream requirement
    - update debian/control
 -- Fabien Tassin <email address hidden> Fri, 20 Aug 2010 14:09:16 +0200

Changed in chromium-browser (Ubuntu):
status: New → Fix Released

Fabien Tassin (fta) wrote :

on lucid, we need gyp >= 810

Fabien Tassin (fta) wrote :

gyp 0.1~svn810-0ubuntu1 uploaded to lucid-proposed, waiting for approval.

There's no big deal here, it's only used by chromium packages (the browser and its codecs)

Jamie Strandboge (jdstrand) wrote :

Uploaded to the ubuntu-security-proposed PPA

Changed in chromium-browser (Ubuntu Lucid):
importance: Undecided → High
status: New → In Progress
tags: added: security-verification

Accepted gyp into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in gyp (Ubuntu Maverick):
status: New → Fix Released
Changed in gyp (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed

Jamie Strandboge (jdstrand) wrote :

Pocket copied chromium-browser to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Changed in chromium-browser (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: removed: security-verification

Jamie Strandboge (jdstrand) wrote :

I have tested 5.0.375.127~r55887-0ubuntu0.10.04.1 in lucid-proposed and it works fine (I used test-browser.py from QRT and there are no regressions over the previous release).

Jamie Strandboge (jdstrand) wrote :

I think we can also consider gyp as 'verification-done' since chromium-browser built fine against it (fyi-- gyp was in *both* ubuntu-security-proposed and lucid-proposed, but it was the same source package. chromium-browser built against the one in ubuntu-security-proposed. I created a 2nd 'ubuntu2' gyp that I pocket copied to lucid-proposed, so that it can be pocket copied to -security along with chromium-browser).

Martin Pitt (pitti) on 2010-09-02
tags: added: verification-done
removed: verification-needed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 5.0.375.127~r55887-0ubuntu0.10.04.1

---------------
chromium-browser (5.0.375.127~r55887-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release from the Stable Channel (LP: #622823)
    This release fixes the following security issues:
    - [45400] Critical, Memory corruption with file dialog. Credit to Sergey
      Glazunov.
    - [49596] High, Memory corruption with SVGs. Credit to wushi of team509.
    - [49628] High, Bad cast with text editing. Credit to wushi of team509.
    - [49964] High, Possible address bar spoofing with history bug. Credit to
      Mike Taylor.
    - [50515] [51835] High, Memory corruption in MIME type handling. Credit to
      Sergey Glazunov.
    - [50553] Critical, Crash on shutdown due to notifications bug. Credit to
      Sergey Glazunov.
    - [51146] Medium, Stop omnibox autosuggest if the user might be about to
      type a password. Credit to Robert Hansen.
    - [51654] High, Memory corruption with Ruby support. Credit to kuzzcc.
    - [51670] High, Memory corruption with Geolocation support. Credit to
      kuzzcc.
  * Add the xul libdir to LD_LIBRARY_PATH in the wrapper to help icedtea6-plugin
    (LP: #529242). This is needed at least for openjdk-6 6b18.
    - update debian/chromium-browser.sh
  * No longer use tar --lzma in get-orig-source now that it silently uses xz
    (since tar 1.23-2) which is not available in the backports. Use "tar | lzma"
    instead so the embedded tarball is always a lzma file
    - update debian/rules
  * Tweak the user agent to include Chromium and the Distro's name and version.
    - add debian/patches/chromium_useragent.patch.in
    - update debian/patches/series
    - update debian/rules
  * Fix a typo in the subst_files rule
    - update debian/rules
  * Fix a gyp file that triggers an error with newer gyp (because of dead code)
    - add debian/patches/drop_unused_rules_to_please_newer_gyp.patch
    - update debian/patches/series
  * Bump gyp Build-Depends to >= 0.1~svn810 to match upstream requirement
    - update debian/control
 -- Fabien Tassin <email address hidden> Fri, 20 Aug 2010 14:09:16 +0200

Changed in chromium-browser (Ubuntu Lucid):
status: Fix Committed → Fix Released

Martin Pitt (pitti) wrote :

Copied gyp and chromium-browser to -updates and -security.

Changed in gyp (Ubuntu Lucid):
status: Fix Committed → Fix Released