Ubuntu
chromium-browser package

Please update to 27.0.1453.110

  1. Saucy (13.10)
  2. Bug #1183086
Bug #1183086 reported by ilf
358
This bug affects 20 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Unassigned
Quantal
Fix Released
High
Unassigned
Raring
Fix Released
High
Unassigned
Saucy
Fix Released
High
Unassigned

Bug Description

And again a new stable release with lots of security fixes: http://googlechromereleases.blogspot.de/2013/05/stable-channel-release.html

Here are the CVEs:

CVE-2013-2837: Use-after-free in SVG.
CVE-2013-2838: Out-of-bounds read in v8.
CVE-2013-2839: Bad cast in clipboard handling.
CVE-2013-2840: Use-after-free in media loader.
CVE-2013-2841: Use-after-free in Pepper resource handling.
CVE-2013-2842: Use-after-free in widget handling.
CVE-2013-2843: Use-after-free in speech handling.
CVE-2013-2844: Use-after-free in style resolution.
CVE-2013-2845: Memory safety issues in Web Audio.
CVE-2013-2846: Use-after-free in media loader.
CVE-2013-2847: Use-after-free race condition with workers.
CVE-2013-2848: Possible data extraction with XSS Auditor.
CVE-2013-2849: Possible XSS with drag+drop or copy+paste.

Please update and keep current. Thanks.

ilf (ilf)
information type: Private Security → Public Security
Revision history for this message
Phill Whiteside (phillw) wrote : Re: [Bug 1183086] [NEW] Please update to 27.0.1453.93
Download full text (3.7 KiB)

Crikey!

I'm using a dev ppa and am only on Version 27.0.1453.6 Ubuntu

Regards,

Phill.

On 22 May 2013 21:20, ilf <email address hidden> wrote:

> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> And again a new stable release with lots of security fixes:
> http://googlechromereleases.blogspot.de/2013/05/stable-channel-
> release.html
>
> Here are the CVEs:
>
> CVE-2013-2837: Use-after-free in SVG.
> CVE-2013-2838: Out-of-bounds read in v8.
> CVE-2013-2839: Bad cast in clipboard handling.
> CVE-2013-2840: Use-after-free in media loader.
> CVE-2013-2841: Use-after-free in Pepper resource handling.
> CVE-2013-2842: Use-after-free in widget handling.
> CVE-2013-2843: Use-after-free in speech handling.
> CVE-2013-2844: Use-after-free in style resolution.
> CVE-2013-2845: Memory safety issues in Web Audio.
> CVE-2013-2846: Use-after-free in media loader.
> CVE-2013-2847: Use-after-free race condition with workers.
> CVE-2013-2848: Possible data extraction with XSS Auditor.
> CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
>
> Please update and keep current. Thanks.
>
> ** Affects: chromium-browser (Ubuntu)
> Importance: Undecided
> Status: New
>
> ** Information type changed from Private Security to Public Security
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2837
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2838
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2839
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2840
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2841
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2842
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2843
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2844
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2847
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2848
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2845
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2846
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-2849
>
> --
> You received this bug notification because you are a member of Lubuntu
> Packages Team, which is subscribed to chromium-browser in Ubuntu.
> https://bugs.launchpad.net/bugs/1183086
>
> Title:
> Please update to 27.0.1453.93
>
> Status in “chromium-browser” package in Ubuntu:
> New
>
> Bug description:
> And again a new stable release with lots of security fixes:
> http://googlechromereleases.blogspot.de/2013/05/stable-channel-
> release.html
>
> Here are the CVEs:
>
> CVE-2013-2837: Use-after-free in SVG.
> CVE-2013-2838: Out-of-bounds read in v8.
> CVE-2013-2839: Bad cast in clipboard handling.
> CVE-2013-2840: Use-after-free in media loader.
> CVE-2013-2841: Use-after-free in Pepper resource handling.
> CVE-2013-2842: Use-after-free in widget handling.
> CVE-2013-2843: Use-after-free in speech handling....

Read more...

Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Please update to 27.0.1453.93

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
Revision history for this message
ilf (ilf) wrote :

And 27.0.1453.110: http://googlechromereleases.blogspot.com/2013/06/stable-channel-update.html

CVE-2013-2854: Bad handle passed to renderer.
CVE-2013-2855: Memory corruption in dev tools API.
CVE-2013-2856: Use-after-free in input handling.
CVE-2013-2857: Use-after-free in image handling.
CVE-2013-2858: Use-after-free in HTML5 Audio.
CVE-2013-2859: Cross-origin namespace pollution.
CVE-2013-2860: Use-after-free with workers accessing database APIs.
CVE-2013-2861: Use-after-free with SVG.
CVE-2013-2862: Memory corruption in Skia GPU handling.
CVE-2013-2863: Memory corruption in SSL socket handling.
CVE-2013-2864: Bad free in PDF viewer.
CVE-2013-2865: Various fixes from internal audits, fuzzing and other initiatives.

summary: - Please update to 27.0.1453.93
+ Please update to 27.0.1453.110
Revision history for this message
ilf (ilf) wrote :

lol, even Debian Stable managed to do this: http://lists.debian.org/debian-security-announce/2013/msg00114.html

Adolfo Jayme Barrientos (fitojb)
Changed in chromium-browser (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Revision history for this message
Colin O'Brien (insanitybit) wrote :

Either leave it out of the repositories or keep it updated with at least security backports. Anything else is negligent and encouraging users to install *known insecure* software.

Revision history for this message
Florian W. (florian-will) wrote :

The plan for Chromium as the default browser in saucy is probably a joke, seeing how Ubuntu is stuck with Chromium 25 when the latest stable release (for Linux) is 28, and 25 has quite a few known security issues.

Debian has shown much more interest in keeping up to date with chromium security fixes in unstable at least since version 18 or so (I haven't followed the process before that), though there were some larger delays as well.

If you can't fix this problem, maybe think about joining forces with debian and make sure the packages in unstable are quickly copied to Ubuntu as well, and possibly vice-versa.

Revision history for this message
CatchesAStar (catchesastar) wrote :

I was testing the backport earlier, and it appears that 12.04 needs extra patches if we want chromium 27 on there.

13.04 and 12.10 are built/building fine.

ppa for anyone who wants to test: https://launchpad.net/~sandyd/+archive/chromium-browser

Revision history for this message
Florian W. (florian-will) wrote :

There's an updated chromium package available in chad miller's PPA now:
https://launchpad.net/~cmiller/+archive/chromium-browser-stable-daily

28.0.1500.52-0ubuntu1 for precise, quantal, raring, saucy.

Thanks Chad!

Revision history for this message
Histesh Shah (chimak111) wrote :

Re. comment #8, that's nice but let's assume this bug relates to the Chromium version in the software center.

Jeremy Bícha (jbicha)
Changed in chromium-browser (Ubuntu Raring):
status: New → Fix Released
Changed in chromium-browser (Ubuntu Quantal):
status: New → Fix Released
Changed in chromium-browser (Ubuntu Raring):
importance: Undecided → High
Changed in chromium-browser (Ubuntu Quantal):
importance: Undecided → High
Changed in chromium-browser (Ubuntu Precise):
importance: Undecided → High
status: New → Fix Released
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Hi Jeremy did you forget to set saucy status to fix released?

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

LocutusOfBorg: it didn't migrate to release pocket yet, as it failed to build on armhf.

Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu Saucy):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.