If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 horizontal bars in the upper right corner of the browser).
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 5 security fixes. Below, we highlight fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information.
[$1000][292422] High CVE-2013-2925: Use after free in XHR. Credit to Atte Kettunen of OUSPG.
[$2000][294456] High CVE-2013-2926: Use after free in editing. Credit to cloudfuzzer.
[$2000][297478] High CVE-2013-2927: Use after free in forms. Credit to cloudfuzzer.
As usual, our ongoing internal security work responsible for a wide range of fixes:
[305790] CVE-2013-2928: Various fixes from internal audits, fuzzing and other initiatives.
A full list of changes is available in the SVN log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.
If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 horizontal bars in the upper right corner of the browser).
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 50 security fixes. Below, we highlight some fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information.
[$2500][223962][270758][271161][284785][284786] Medium CVE-2013-2906: Races in Web Audio. Credit to Atte Kettunen of OUSPG.
[260667] Medium CVE-2013-2907: Out of bounds read in Window.prototype object. Credit to Boris Zbarsky.
[$500][265221] Medium CVE-2013-2908: Address bar spoofing related to the “204 No Content” status code. Credit to Chamal de Silva.
[$4000][265838][279277] High CVE-2013-2909: Use after free in inline-block rendering. Credit to Atte Kettunen of OUSPG.
[$500][269753] Medium CVE-2013-2910: Use-after-free in Web Audio. Credit to Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
[$1000][271939] High CVE-2013-2911: Use-after-free in XSLT. Credit to Atte Kettunen of OUSPG.
[$1000][276368] High CVE-2013-2912: Use-after-free in PPAPI. Credit to Chamal de Silva and 41.w4r10r(at)garage4hackers.com.
[$1000][278908] High CVE-2013-2913: Use-after-free in XML document parsing. Credit to cloudfuzzer.
[$1000][279263] High CVE-2013-2914: Use after free in the Windows color chooser dialog. Credit to Khalil Zhani.
[280512] Low CVE-2013-2915: Address bar spoofing via a malformed scheme. Credit to Wander Groeneveld.
[$2000][281256] High CVE-2013-2916: Address bar spoofing related to the “204 No Content” status code. Credit to Masato Kinugawa.
[$500][281480] Medium CVE-2013-2917: Out of bounds read in Web Audio. Credit to Byoungyoung Lee and Tielei Wang of Georgia Tech Information Security Center (GTISC).
[$1000][282088] High CVE-2013-2918: Use-after-free in DOM. Credit to Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
[$1000][282736] High CVE-2013-2919: Memory corruption in V8. Credit to Adam Haile of Concrete Data.
[285742] Medium CVE-2013-2920: Out of bounds read in URL parsing. Credit to Atte Kettunen of OUSPG.
[$1000][286414] High CVE-2013-2921: Use-after-free in resource loader. Credit to Byoungyoung Lee and Tielei Wang of Georgia Tech Information Security Center (GTISC).
[$2000][286975] High CVE-2013-2922: Use-after-free in template element. Credit to Jon Butler.
As usual, our ongoing internal security work responsible for a wide range of fixes:
[299016] CVE-2013-2923: Various fixes from internal audits, fuzzing and other initiatives (Chrome 30).
[275803] Medium CVE-2013-2924: Use-after-free in ICU. Upstream bug here.
We would also like to thank Atte Kettunen, cloudfuzzer and miaubizfor working with us during the development cycle to prevent security bugs from ever reaching the stable channel. $8000 in additional rewards were issued.
Many of the above bugs were detected using AddressSanitizer. The security issue in V8 is fixed in 3.20.17.7.
A partial list of changes is available in the SVN log. Interested in switching to a different release channel? Find out how. If you find a new issue, please let us know by filing a bug. Karen Grunberg
