(CVE-2011-3083) <chromium-browser-19.0.1084.52, <libv8-3.9.24.28: multiple vulnerabilities (CVE-2011-{3103,3104,3105,3106,3107,3108,3109,3111,3115})

Bug #1004795 reported by Karma Dorje
This bug affects 4 people
Affects                    Status        Importance  Assigned to  Milestone
chromium-browser (Ubuntu)  Fix Released  Undecided   Unassigned
libv8 (Ubuntu)             Fix Released  Undecided   Unassigned

Bug Description

The Chrome Stable channel has been updated to 19.0.1084.52 on Windows, Mac, Linux and Chrome Frame.

Security fixes and rewards:

[117409] High CVE-2011-3103: Crashes in v8 garbage collection. Credit to the Chromium development community (Brett Wilson).
[118018] Medium CVE-2011-3104: Out-of-bounds read in Skia. Credit to Google Chrome Security Team (Inferno).
[$1000] [120912] High CVE-2011-3105: Use-after-free in first-letter handling. Credit to miaubiz.
[122654] Critical CVE-2011-3106: Browser memory corruption with websockets over SSL. Credit to the Chromium development community (Dharani Govindan).
[124625] High CVE-2011-3107: Crashes in the plug-in JavaScript bindings. Credit to the Chromium development community (Dharani Govindan).
[$1337] [125159] Critical CVE-2011-3108: Use-after-free in browser cache. Credit to “efbiaiinzinz”.
[Linux only] [$1000] [126296] High CVE-2011-3109: Bad cast in GTK UI. Credit to Micha Bartholomé.
[126337] [126343] [126378] [127349] [127819] [127868] High CVE-2011-3110: Out of bounds writes in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
[$500] [126414] Medium CVE-2011-3111: Invalid read in v8. Credit to Christian Holler.
[127331] High CVE-2011-3112: Use-after-free with invalid encrypted PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
[127883] High CVE-2011-3113: Invalid cast with colorspace handling in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
[128014] High CVE-2011-3114: Buffer overflows with PDF functions. Credit to Google Chrome Security Team (scarybeasts).
[$1000] [128018] High CVE-2011-3115: Type corruption in v8. Credit to Christian Holler.

http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html

visibility: private → public
Changed in chromium-browser (Ubuntu):
status: New → Triaged
Karma Dorje (taaroa)
summary: - The Chrome Stable channel has been updated to 19.0.1084.52
+ <chromium-browser-19.0.1084.52, <libv8-3.9.24.28: multiple
+ vulnerabilities
+ (CVE-2011-{3103,3104,3105,3106,3107,3108,3109,3111,3115})
summary: - <chromium-browser-19.0.1084.52, <libv8-3.9.24.28: multiple
- vulnerabilities
+ (CVE-2011-3083) <chromium-browser-19.0.1084.52, <libv8-3.9.24.28:
+ multiple vulnerabilities
(CVE-2011-{3103,3104,3105,3106,3107,3108,3109,3111,3115})
Michael Kuhn (suraia)
visibility: public → private
security vulnerability: yes → no
visibility: private → public
security vulnerability: no → yes
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libv8 (Ubuntu):
status: New → Confirmed
Karma Dorje (taaroa)
affects: chromium-v8 → libv8 (Ubuntu)
Chris Cheney (ccheney) wrote :

Is this eventually going into 12.04, or should all chromium-browser users just stop using it?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libv8 (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained.

Someone needs to get chromium-browser into the development release, and then propose packages for the stable release, at which point the security team will review and publish them.

Karma Dorje (taaroa) wrote :

Please see https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1018204

It is possible that this bug should be closed.

Karma Dorje (taaroa) wrote :

@Chris Cheney
I strongly recommend using the official repository [1] because it is supported by Google and it is always up to date.

[1] https://www.google.com/chrome/eula.html?platform=linux&hl=en

Micah Gersten (micahg) wrote :

This is fixed in quantal.

Changed in chromium-browser (Ubuntu):
status: Triaged → Fix Released
Logan Rosen (logan) wrote :

CVE-2011-3111 was fixed in libv8 3.8.9.20-2 in Debian - can someone please sync?

Jeremy Bícha (jbicha) wrote :

This bug was fixed in the package libv8 - 3.8.9.20-2
Sponsored for Logan Rosen (logan)

---------------
libv8 (3.8.9.20-2) unstable; urgency=low

  * Cherry-picked four upstream patches from 3.8.9.29:
    + r11654.patch: fix CVE-2011-3111, closes:bug#687574.
    + r12161.patch: Fix ICs for slow objects with native accessor.
    + r12336.patch: Fix bug in compare IC.
    + r12460.patch: Fix some corner cases in skipping native methods
                    using caller. Fix binding in new Function().

 -- Jérémy Lal <email address hidden> Sat, 29 Sep 2012 01:04:06 +0200

Changed in libv8 (Ubuntu):
status: Confirmed → Fix Released