See the release notes at http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html

Some details:
[34414] Low Pop-up blocker bypass with blank frame target. Credit to Google Chrome Security Team (Inferno) and “ironfist99”.
[37201] Medium URL bar visual spoofing with homographic sequences. Credit to Chris Weber of Casaba Security.
[41654] Medium Apply more restrictions on setting clipboard content. Credit to Brook Novak.
[45659] High Stale pointer with SVG filters. Credit to Tavis Ormandy of the Google Security Team.
[45876] Medium Possible installed extension enumeration. Credit to Lostmon.
[46750] [51846] Low Browser NULL crash with WebSockets. Credit to Google Chrome Security Team (SkyLined), Google Chrome Security Team (Justin Schuh) and Keith Campbell.
[$1000] [50386] High Use-after-free in Notifications presenter. Credit to Sergey Glazunov.
[50839] High Notification permissions memory corruption. Credit to Michal Zalewski of the Google Security Team and Google Chrome Security Team (SkyLined).
[$1337] [51630] [51739] High Integer errors in WebSockets. Credit to Keith Campbell and Google Chrome Security Team (Cris Neckar).
[$500] [51653] High Memory corruption with counter nodes. Credit to kuzzcc.
[51727] Low Avoid storing excessive autocomplete entries. Credit to Google Chrome Security Team (Inferno).
[52443] High Stale pointer in focus handling. Credit to VUPEN Vulnerability Research Team (VUPEN-SR-2010-249).
[$1000] [52682] High Sandbox parameter deserialization error. Credit to Ashutosh Mehra and Vineet Batra of the Adobe Reader Sandbox Team.
[$500] [53001] Medium Cross-origin image theft. Credit to Isaac Dawson.

You can read more about the severity ratings at http://sites.google.com/a/chromium.org/dev/developers/severity-guidelines .

I suggest rating it B2 on the Gentoo scale.

Security, this bug sort of obsoletes bug #333559 (you now have 5 www-client/chromium bugs in the queue).

Arches, please test and stabilize.
In case you don't like it, I think we can consider lowering the cups dependency to the previous level. If you want that, please test printing with the current stable cups.
@printing? Is a CUPS from the 1.4 series good to go?
Works fine so far as I can print into a file with CUPS 1.3*, but no real test as my normal setup has CUPS 1.4. Can an archtester please test?
I compiled it on x86:
-) Fonts look pretty different from those in the 5.* branch (this is a feature, right?)
-) Printing with cups 1.3.* works more or less. Fat black boxes appear instead of drop-down lists on webpages; I don't know if this is a cups issue though. I also don't want to migrate this stable box to 1.4 yet.
P.S. It also kind of fails the acid3 test here. The score runs to 100, but instead of the colorful squares I get black lines across the whole thing. When 100 is reached everything looks messed up.
(In reply to comment #3)
> I compiled it on x86:
> -) Fonts look pretty different from that in the 5.* branch (this is a feature,
> right?)

No idea. Unless it's clearly bad, I guess it's expected. Feel free to post some screenshots if you think it's important enough (probably shouldn't block security stabilization though).

> -) Printing with cups 1.3.* works more or less. Fat black boxes appear instead
> of drop-down lists on webpages, don't know if this is a cups issue though. I
> also don't want to migrate this stable box to 1.4 yet.

I have revbumped it for ~arch, and lowered the CUPS dependency for 6.0.472.53 that we're targeting for stable. Please take another look.

Acid3 passes perfectly for me. It might be an issue with gpu rendering, possibly worth a separate bug report (not blocking this one).
(In reply to comment #5)
> > -) Printing with cups 1.3.* works more or less. Fat black boxes appear instead
> > of drop-down lists on webpages, don't know if this is a cups issue though. I
> > also don't want to migrate this stable box to 1.4 yet.
>
> I have revbumped it for ~arch, and lowered the CUPS dependency for 6.0.472.53
> that we're targeting for stable. Please take another look.

I tried another printer and on this one it did not print at all!! The printing dialog pops up, I press "print", the dialog is gone but there are no traces of printing jobs anywhere. Printer does nothing, cups shows no jobs.

> Acid3 passes perfectly for me. It might be an issue with gpu rendering,
> possibly worth a separate bug report (not blocking this one).

Also works now after a restart of chromium. Weird.
(In reply to comment #6)
> I tried another printer and on this one it did not print at all!! The printing
> dialog pops up, I press "print", the dialog is gone but there are no traces of
> printing jobs anywhere. Printer does nothing, cups shows no jobs.

So it seems for those cases we'd need cups-1.4.
(In reply to comment #7)
> (In reply to comment #6)
> > I tried another printer and on this one it did not print at all!! The printing
> > dialog pops up, I press "print", the dialog is gone but there are no traces of
> > printing jobs anywhere. Printer does nothing, cups shows no jobs.
>
> So it seems for those cases we'd need cups-1.4.

I can confirm that printing works with cups-1.4 on that machine, however the black boxes remain.
What is the plan? Fix cups issues? Backport fixes to version that works with stable cups? Try to get cups 1.4 stabilized? Not sure what the arch teams should be doing at this point...
(In reply to comment #9)
> What is the plan? Fix cups issues? Backport fixes to version that works with
> stable cups? Try to get cups 1.4 stabilized? Not sure what the arch teams
> should be doing at this point...

I'd prefer to stabilize cups-1.4 if possible. Backporting fixes to 5.x series would be difficult, because some details are still not publicly disclosed.
(In reply to comment #10)
> (In reply to comment #9)
> > What is the plan? Fix cups issues? Backport fixes to version that works with
> > stable cups? Try to get cups 1.4 stabilized? Not sure what the arch teams
> > should be doing at this point...
>
> I'd prefer to stabilize cups-1.4 if possible. Backporting fixes to 5.x series
> would be difficult, because some details are still not publicly disclosed.

The 1.4 series has worked fine for a long time here on two mostly stable computers, and feedback over identi.ca was positive, too. So I think we can go for it and try to stabilise it... I hate those kinds of bugs.
The target for stabilization is now 6.0.472.55.
There is already a tracker for CUPS 1.4 stabilisation. And there is a shit-load of work still to do. Either someone steps up or we have to go with partly broken printing support in Chromium.
I don't think we can put a web-browser security bug on hold while waiting for an orderly CUPS 1.4 stabilization. We could mask the stable versions of chromium so that at least users are made aware that they are using insecure software, or backport the fixes. Or, we could mask until CUPS is ready to go. Or, if "those in charge" agree we could rush in a semi-broken CUPS, but that would seem to me to be much bigger in impact (there are lots of web-browsers - there aren't so many options when your printer doesn't work).
But it looks like most of the issues blocking cups-1.4 stabilization already have a patch or fix available that should be applied by the printing team, so I think it would be better to try to fix cups, stabilize it and then stabilize chromium. Does the printing team allow other people to work on blocking bugs? Maybe they are overloaded now :-/ Thanks
(In reply to comment #15)
> Does printing team allow other people to work on blocking bugs? Maybe they are
> overloaded now :-/

Because they lack man-power, we should just do it (TM). Unfortunately, I cannot add much here the next days until Monday. Will prepare a news item tomorrow, we can discuss on the weekend and someone should clean out the remaining bugs, plus updating the printing guide, then commit news item and stabilisation on Monday latest.
As stated on devml I'll have added a new cups revision fixing some QA issues by then. However I've no intention to add any 3rd party patches to CUPS which are not approved upstream. There'll be some fallout and/or upgrade hassle, but that's life. Tomorrow is my last day @paid work before my vacation so I'll have some more time on the weekend and the coming days to discuss things. Thanks for all your help and work in advance, greatly appreciated!
(In reply to comment #6)
> (In reply to comment #5)
> > > -) Printing with cups 1.3.* works more or less. Fat black boxes appear instead
> > > of drop-down lists on webpages, don't know if this is a cups issue though. I
> > > also don't want to migrate this stable box to 1.4 yet.
> >
> > I have revbumped it for ~arch, and lowered the CUPS dependency for 6.0.472.53
> > that we're targeting for stable. Please take another look.
>
> I tried another printer and on this one it did not print at all!! The printing
> dialog pops up, I press "print", the dialog is gone but there are no traces of
> printing jobs anywhere. Printer does nothing, cups shows no jobs.
>
> > Acid3 passes perfectly for me. It might be an issue with gpu rendering,
> > possibly worth a separate bug report (not blocking this one).
>
> Also works now after a restart of chromium. Weird.

(In reply to comment #7)
> (In reply to comment #6)
> > I tried another printer and on this one it did not print at all!! The printing
> > dialog pops up, I press "print", the dialog is gone but there are no traces of
> > printing jobs anywhere. Printer does nothing, cups shows no jobs.
>
> So it seems for those cases we'd need cups-1.4.

cups-1.3 as shipped in stable has broken printing of PDF files for the last 1/2 year - see trivial bug http://bugs.gentoo.org/show_bug.cgi?id=309901

chromium generates PDFs as its output printing format which then can't be printed by CUPS. Could it be that your other printer was able to process raw PDFs?
(In reply to comment #18)
> cups-1.3 as shipped in stable has broken printing of PDF files for the last 1/2
> year - see trivial bug http://bugs.gentoo.org/show_bug.cgi?id=309901

Hmm, that's another reason to get 1.4 stable.

> chromium generates PDF's as its output printing format which then can't be
> printed by CUPS. Could it be that your other printer was able to process raw
> PDF's ?

I don't know, and I also don't have access to that printer anymore, but now everything makes complete sense. The only question is: Did chromium-5 also print via pdf, i.e. would it be a regression to stable chromium-6?
Now the target for stabilization is www-client/chromium-6.0.472.59, target keywords: "amd64 ~arm x86". This version does not require more recent CUPS. There are bugs in both configurations, but we shouldn't wait more with a browser security update.

Security fixes and rewards:

Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
[$500] [50250] High Use-after-free when using document APIs during parse. Credit to David Weston of Microsoft + Microsoft Vulnerability Research (MSVR) and wushi of team 509 (independent discoveries).
[$1000] [50712] High Use-after-free in SVG styles. Credit to kuzzcc.
[$500] [51252] High Use-after-free with nested SVG elements. Credit to kuzzcc.
[Linux only] [51709] Low Possible browser assert in cursor handling. Credit to “magnusmorton”.
[$500] [51919] High Race condition in console handling. Credit to kuzzcc.
[53176] Low Unlikely browser crash in pop-up blocking. Credit to kuzzcc.
[$500 x 2] [Mac only] [53361] Critical Fix bug 45400 properly on the Mac. Credit to Sergey Glazunov and “remy.saissy”.
[$500] [53394] High Memory corruption in Geolocation. Credit to kuzzcc.
[Linux only] [53930] High Memory corruption in Khmer handling. Credit to Google Chrome Security Team (Chris Evans).
[54006] Low Failure to prompt for extension history access. Credit to “adriennefelt”.
x86 stable
amd64 done
(In reply to comment #19)
> The only question is: Did chromium-5 also
> print via pdf, i.e. would it be a regression to stable chromium-6?

It did, so no regression here.
GLSA with bug 326717.
GLSA 201012-01, thanks everyone.
CVE-2010-3417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3417): Google Chrome before 6.0.472.59 does not prompt the user before granting access to the extension history, which allows attackers to obtain potentially sensitive information via unspecified vectors.
CVE-2010-3416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3416): Google Chrome before 6.0.472.59 on Linux does not properly implement the Khmer locale, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
CVE-2010-3415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3415): Google Chrome before 6.0.472.59 does not properly implement Geolocation, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
CVE-2010-3413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3413): Unspecified vulnerability in the pop-up blocking functionality in Google Chrome before 6.0.472.59 allows remote attackers to cause a denial of service (application crash) via unknown vectors.
CVE-2010-3412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3412): Race condition in the console implementation in Google Chrome before 6.0.472.59 has unspecified impact and attack vectors.
CVE-2010-3411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3411): Google Chrome before 6.0.472.59 on Linux does not properly handle cursors, which might allow attackers to cause a denial of service (assertion failure) via unspecified vectors.
CVE-2010-3258 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3258): The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors.
CVE-2010-3256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3256): Google Chrome before 6.0.472.53 does not properly limit the number of stored autocomplete entries, which has unspecified impact and attack vectors.
CVE-2010-3254 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3254): The WebSockets implementation in Google Chrome before 6.0.472.53 does not properly handle integer values, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
CVE-2010-3253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3253): The implementation of notification permissions in Google Chrome before 6.0.472.53 allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
CVE-2010-3252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3252): Use-after-free vulnerability in the Notifications presenter in Google Chrome before 6.0.472.53 allows attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
CVE-2010-3251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3251): The WebSockets implementation in Google Chrome before 6.0.472.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.
CVE-2010-3250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3250): Unspecified vulnerability in Google Chrome before 6.0.472.53 allows remote attackers to enumerate the set of installed extensions via unknown vectors.
CVE-2010-3249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3249): Google Chrome before 6.0.472.53 does not properly implement SVG filters, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors, related to a "stale pointer" issue.
CVE-2010-3248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3248): Google Chrome before 6.0.472.53 does not properly restrict copying to the clipboard, which has unspecified impact and attack vectors.
CVE-2010-3247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3247): Google Chrome before 6.0.472.53 does not properly restrict the characters in URLs, which allows remote attackers to spoof the appearance of the URL bar via homographic sequences.
CVE-2010-3246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3246): Google Chrome before 6.0.472.53 does not properly handle the _blank value for the target attribute of unspecified elements, which allows remote attackers to bypass the pop-up blocker via unknown vectors.
CVE-2010-3111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3111): Google Chrome before 6.0.472.53 does not properly mitigate an unspecified flaw in the Windows kernel, which has unknown impact and attack vectors, a different vulnerability than CVE-2010-2897.
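The URL bar spoofing entry in this thread ([37201] / CVE-2010-3247) concerns hostnames whose labels mix look-alike letters from different scripts. The following Python is an added defensive example, not code from this bug thread or from Chromium: it flags hostnames in which any single label mixes scripts and renders such a hostname in its Punycode (xn--) form for display so the confusable glyphs are never shown. The coarse script classification based on Unicode character names, the function names and the sample URLs are constructed assumptions for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Coarse script classes derived from the Unicode character name.
# Constructed heuristic for this example, not Chromium's IDN display policy.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch):
    """Return a coarse script name for a single character."""
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label (digits and '-' ignored)."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def is_mixed_script(hostname):
    """True if any label of the hostname mixes letters from more than one script,
    the pattern behind a homograph such as Latin 'a' beside Cyrillic 'а' (U+0430).
    A label written entirely in one non-Latin script is not flagged."""
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def display_hostname(hostname):
    """Display policy: show a mixed-script hostname as Punycode (xn--) rather than
    as Unicode, so a look-alike label cannot pass for the site it imitates."""
    if is_mixed_script(hostname):
        return hostname.encode("idna").decode("ascii")
    return hostname


def check_url(url):
    """Return (hostname, mixed_script_flag, display_form) for a URL."""
    host = urlsplit(url).hostname or ""
    return host, is_mixed_script(host), display_hostname(host)


if __name__ == "__main__":
    # Constructed sample URLs; the second uses Cyrillic U+0430 in place of Latin 'a'.
    samples = (
        "http://example.com/login",
        "http://p\u0430ypal.com/login",
        "http://\u03b1\u03b2\u03b3.example/",
    )
    for sample in samples:
        print(check_url(sample))
```

The per-label check is deliberate: a hostname like a purely Greek label under a Latin top-level domain is legitimate and must not be flagged, while a single label that combines Latin and Cyrillic letters is exactly the case that should fall back to the Punycode form.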