Please update to 18.0.1025.168

Bug #992352 reported by Micah Gersten on 2012-05-01
This bug affects 4 people
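Affects: chromium-browser (Ubuntu); Importance: Medium; Assigned to: Unassigned
Affects: Lucid; Importance: Medium; Assigned to: Micah Gersten
Affects: Natty; Importance: Medium; Assigned to: Micah Gersten
Affects: Oneiric; Importance: Medium; Assigned to: Micah Gersten
Affects: Precise; Importance: Medium; Assigned to: Micah Gersten
Affects: Quantal; Importance: Medium; Assigned to: Unassigned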

Bug Description

    [106413] High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.
    [117110] High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
    [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.
    [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.

    [121899] High CVE-2011-3081: Use after free in floats handling. Credit to miaubiz.

Micah Gersten (micahg) wrote :

Quantal is currently blocked on bug 992212

security vulnerability: no → yes
Changed in chromium-browser (Ubuntu Quantal):
assignee: Micah Gersten (micahg) → nobody
status: In Progress → Triaged
Changed in chromium-browser (Ubuntu Precise):
importance: Undecided → Medium
status: New → In Progress
Changed in chromium-browser (Ubuntu Oneiric):
importance: Undecided → Medium
status: New → In Progress
Changed in chromium-browser (Ubuntu Natty):
importance: Undecided → Medium
status: New → In Progress
Changed in chromium-browser (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu Oneiric):
assignee: nobody → Micah Gersten (micahg)
Changed in chromium-browser (Ubuntu Precise):
assignee: nobody → Micah Gersten (micahg)
Jamie Strandboge (jdstrand) wrote :

Lucid - Precise have been copied to -proposed.

Changed in chromium-browser (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in chromium-browser (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in chromium-browser (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in chromium-browser (Ubuntu Precise):
status: In Progress → Fix Committed
Micah Gersten (micahg) wrote :

Oneiric amd64 and i386 tested with QRT, no regressions over previous functionality
Precise amd64 and i386 tested, found whoopsie crashes, so this needs further research before promoting to -updates

tags: added: security-verification verification-done-oneiric verification-failed-precise verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 18.0.1025.168~r134367-0ubuntu0.11.10.1

---------------
chromium-browser (18.0.1025.168~r134367-0ubuntu0.11.10.1) oneiric-security; urgency=low

  * New upstream release from the Stable Channel (LP: #992352)
    - [106413] High CVE-2011-3078: Use after free in floats handling. Credit to
      Google Chrome Security Team (Marty Barbella) and independent later
      discovery by miaubiz.
    - [117110] High CVE-2012-1521: Use after free in xml parser. Credit to
      Google Chrome Security Team (SkyLined) and independent later discovery by
      wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
    - [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie
    - [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to
      Willem Pinckaers of Matasano.
    - [121899] High CVE-2011-3081: Use after free in floats handling.
      Credit to miaubiz.
 -- Micah Gersten <email address hidden> Mon, 30 Apr 2012 23:41:25 -0500

Changed in chromium-browser (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote :

Do we have any further results on precise? This has been sitting in -proposed for 45 days now; we should either kick it out or accept it soon.

Adam Stokes (adam-stokes) wrote :

I'm running it with no immediate issues on precise:

ii chromium-browser 18.0.1025.168~r134367-0 Chromium browser

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 18.0.1025.168~r134367-0ubuntu0.12.04.1

---------------
chromium-browser (18.0.1025.168~r134367-0ubuntu0.12.04.1) precise-security; urgency=low

  * New upstream release from the Stable Channel (LP: #992352)
    - [106413] High CVE-2011-3078: Use after free in floats handling. Credit to
      Google Chrome Security Team (Marty Barbella) and independent later
      discovery by miaubiz.
    - [117110] High CVE-2012-1521: Use after free in xml parser. Credit to
      Google Chrome Security Team (SkyLined) and independent later discovery by
      wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
    - [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie
    - [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to
      Willem Pinckaers of Matasano.
    - [121899] High CVE-2011-3081: Use after free in floats handling.
      Credit to miaubiz.
 -- Micah Gersten <email address hidden> Tue, 01 May 2012 00:02:53 -0500

Changed in chromium-browser (Ubuntu Precise):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

chromium-browser (20.0.1132.47~r144678-0ubuntu2) quantal; urgency=low

  * debian/control
    - Dropped build depends for libvpx-dev
  * -debian/patches/vpx.patch
    - dropped, build with internal vpx

  [ Matthieu Baerts ]
  * debian/apport:
   - Update apport hook for python3 (LP: #1013171)
     patch made with the help of Edward Donovan

Changed in chromium-browser (Ubuntu Quantal):
status: Triaged → Fix Released
Adam Stokes (adam-stokes) wrote :

Tested on lucid:

ii chromium-browser 18.0.1025.151~r130497-0ubuntu0.10.04.1 Chromium browser

I didn't really see any show stoppers, some rendering errors with Chrome's webstore but seems to be glx related:

[2619:2619:534306080:ERROR:gl_surface.cc(87)] Not implemented reached in virtual bool gfx::GLSurface::Resize(const gfx::Size&)

tags: added: verification-done-lucid

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 18.0.1025.168~r134367-0ubuntu0.10.04.1

---------------
chromium-browser (18.0.1025.168~r134367-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release from the Stable Channel (LP: #992352)
    - [106413] High CVE-2011-3078: Use after free in floats handling. Credit to
      Google Chrome Security Team (Marty Barbella) and independent later
      discovery by miaubiz.
    - [117110] High CVE-2012-1521: Use after free in xml parser. Credit to
      Google Chrome Security Team (SkyLined) and independent later discovery by
      wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
    - [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie
    - [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to
      Willem Pinckaers of Matasano.
    - [121899] High CVE-2011-3081: Use after free in floats handling.
      Credit to miaubiz.
 -- Micah Gersten <email address hidden> Mon, 30 Apr 2012 22:29:03 -0500

Changed in chromium-browser (Ubuntu Lucid):
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote :

(The script that posted the last comment isn't too clever; of course we're still awaiting verification for natty.)

Changed in chromium-browser (Ubuntu Natty):
status: Fix Committed → Won't Fix
This report contains Public Security information
Everyone can see this security related information.