Stable updates
The Chrome Stable channel has been updated to 19.0.1084.52 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable channel has been updated to 19.0.1084.52 on Windows, Mac, Linux and Chrome Frame.
Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
- [117409] High CVE-2011-3103: Crashes in v8 garbage collection. Credit to the Chromium development community (Brett Wilson).
- [118018] Medium CVE-2011-3104: Out-of-bounds read in Skia. Credit to Google Chrome Security Team (Inferno).
- [$1000] [120912] High CVE-2011-3105: Use-after-free in first-letter handling. Credit to miaubiz.
- [122654] Critical CVE-2011-3106: Browser memory corruption with websockets over SSL. Credit to the Chromium development community (Dharani Govindan).
- [124625] High CVE-2011-3107: Crashes in the plug-in JavaScript bindings. Credit to the Chromium development community (Dharani Govindan).
- [$1337] [125159] Critical CVE-2011-3108: Use-after-free in browser cache. Credit to “efbiaiinzinz”.
- [Linux only] [$1000] [126296] High CVE-2011-3109: Bad cast in GTK UI. Credit to Micha Bartholomé.
- [126337] [126343] [126378] [127349] [127819] [127868] High CVE-2011-3110: Out of bounds writes in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
- [$500] [126414] Medium CVE-2011-3111: Invalid read in v8. Credit to Christian Holler.
- [127331] High CVE-2011-3112: Use-after-free with invalid encrypted PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
- [127883] High CVE-2011-3113: Invalid cast with colorspace handling in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
- [128014] High CVE-2011-3114: Buffer overflows with PDF functions. Credit to Google Chrome Security Team (scarybeasts).
- [$1000] [128018] High CVE-2011-3115: Type corruption in v8. Credit to Christian Holler.
Many of these bugs were detected using AddressSanitizer.
Full details about what changes are in this release are available in the SVN revision log. If you find a new issue, please let us know by filing a bug.
Google Chrome 19 arrives to the Stable Channel for Windows, Mac, Linux and Chrome Frame
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
- [112983] Low CVE-2011-3083: Browser crash with video + FTP. Credit to Aki Helin of OUSPG.
- [113496] Low CVE-2011-3084: Load links from internal pages in their own process. Credit to Brett Wilson of the Chromium development community.
- [118374] Medium CVE-2011-3085: UI corruption with long autofilled values. Credit to “psaldorn”.
- [$1000] [118642] High CVE-2011-3086: Use-after-free with style element. Credit to Arthur Gerkis.
- [118664] Low CVE-2011-3087: Incorrect window navigation. Credit to Charlie Reis of the Chromium development community.
- [$500] [120648] Medium CVE-2011-3088: Out-of-bounds read in hairline drawing. Credit to Aki Helin of OUSPG.
- [$1000] [120711] High CVE-2011-3089: Use-after-free in table handling. Credit to miaubiz.
- [$500] [121223] Medium CVE-2011-3090: Race condition with workers. Credit to Arthur Gerkis.
- [121734] High CVE-2011-3091: Use-after-free with indexed DB. Credit to Google Chrome Security Team (Inferno).
- [$1000] [122337] High CVE-2011-3092: Invalid write in v8 regex. Credit to Christian Holler.
- [$500] [122585] Medium CVE-2011-3093: Out-of-bounds read in glyph handling. Credit to miaubiz.
- [122586] Medium CVE-2011-3094: Out-of-bounds read in Tibetan handling. Credit to miaubiz.
- [$1000] [123481] High CVE-2011-3095: Out-of-bounds write in OGG container. Credit to Hannu Heikkinen.
- [Linux only] [123530] Low CVE-2011-3096: Use-after-free in GTK omnibox handling. Credit to Arthur Gerkis.
- [123733] [124182] High CVE-2011-3097: Out-of-bounds write in sampled functions with PDF. Credit to Kostya Serebryany of Google and Evgeniy Stepanov of Google.
- [Windows only] [124216] Low CVE-2011-3098: Bad search path for Windows Media Player plug-in. Credit to Haifei Li of Microsoft and MSVR (MSVR:159).
- [124479] High CVE-2011-3099: Use-after-free in PDF with corrupt font encoding name. Credit to Mateusz Jurczyk of Google Security Team and Gynvael Coldwind of Google Security Team.
- [124652] Medium CVE-2011-3100: Out-of-bounds read drawing dash paths. Credit to Google Chrome Security Team (Inferno).
And some additional rewards for issues with a wider scope than Chrome:
- [Linux only] [$500] [118970] Medium CVE-2011-3101: Work around Linux Nvidia driver bug. Credit to Aki Helin of OUSPG.
- [$1500] [125462] High CVE-2011-3102: Off-by-one out-of-bounds write in libxml. Credit to Jüri Aedla.
Many of the above bugs were detected using AddressSanitizer.
We’d also like to thank Aki Helin of OUSPG, Sławomir Błażek, Chamal de Silva, miaubiz, Arthur Gerkis and Christian Holler for working with us during the development cycle and preventing security regressions from ever reaching the stable channel. $9000 of additional rewards were issued for this awesomeness.
The Chrome Stable channel has been updated to 18.0.1025.168 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable channel has been updated to 18.0.1025.168 on Windows, Mac, Linux and Chrome Frame.
Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
- [106413] High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.
- [117110] High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
- [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.
- [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.
- [$1000] [121899] High CVE-2011-3081: Use after free in floats handling. Credit to miaubiz.
The bugs [106413], [117110] and [121899] were detected using AddressSanitizer.
Stable Channel Update
The Chrome Stable channel has been updated to 18.0.1025.165 on Mac.
This release fixes a top crasher on the Mac. (Issue: 123589).
The Chrome Stable channel has been updated to 18.0.1025.163 on Mac
The Chrome Stable channel has been updated to 18.0.1025.163 on Mac.
This release fixes issues with fonts (Issue: 108645).
The Chrome Stable channel has been updated to 18.0.1025.162 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable channel has been updated to 18.0.1025.162 on Windows, Mac, Linux and Chrome Frame. This release fixes issues including:
Windows
- Facebook page hangs after a while (Issue: 121141)
- Black screen on Hybrid Graphics system with GPU accelerated compositing enabled (Issue: 117371)
Mac
- HTML5 audio doesn't work on some Mac computers (Issue: 109441)
Stable Channel Update
Stable, Beta and Dev Channel Update for Chromebooks
The Stable and Beta channels have been updated to 18.0.1025.151 (Platform version: 1660.12.0) for Chromebooks (Acer AC700, Samsung Series 5, and Cr-48). Dev channel has been updated to the same version for Cr-48 systems.
Stable and Beta Channel Updates - The Chrome Stable and Beta channels have been updated to 18.0.1025.151 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable and Beta channels have been updated to 18.0.1025.151 on Windows, Mac, Linux and Chrome Frame. This release fixes issues including:
- Black screen on Hybrid Graphics system with GPU accelerated compositing enabled (Issue: 117371)
- CSS not applied to element (Issue: 114667)
- Regression rendering a div with background gradient and borders (Issue: 113726)
- Canvas 2D line drawing bug with GPU acceleration (Issue: 121285)
- Multiple crashes (Issues: 72235, 116825 and 92998)
- Pop-up dialog is at wrong position (Issue: 116045)
- HTML Canvas patterns are broken if you change the transformation matrix (Issue: 112165)
- SSL interstitial error "proceed anyway" / "back to safety" buttons don't work (Issue: 119252)
Known Issues:
- HTML5 audio doesn't work on some Mac computers (Issue: 109441)
Security fixes and rewards:
A new version of Flash Player is included. More details are available in an addendum to this Flash Player advisory.
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
- [$500] [106577] Medium CVE-2011-3066: Out-of-bounds read in Skia clipping. Credit to miaubiz.
- [117583] Medium CVE-2011-3067: Cross-origin iframe replacement. Credit to Sergey Glazunov.
- [$1000] [117698] High CVE-2011-3068: Use-after-free in run-in handling. Credit to miaubiz.
- [$1000] [117728] High CVE-2011-3069: Use-after-free in line box handling. Credit to miaubiz.
- [118185] High CVE-2011-3070: Use-after-free in v8 bindings. Credit to Google Chrome Security Team (SkyLined).
- [118273] High CVE-2011-3071: Use-after-free in HTMLMediaElement. Credit to pa_kt, reporting through HP TippingPoint ZDI (ZDI-CAN-1528).
- [118467] Low CVE-2011-3072: Cross-origin violation parenting pop-up window. Credit to Sergey Glazunov.
- [$1000] [118593] High CVE-2011-3073: Use-after-free in SVG resource handling. Credit to Arthur Gerkis.
- [$500] [119281] Medium CVE-2011-3074: Use-after-free in media handling. Credit to Sławomir Błażek.
- [$1000] [119525] High CVE-2011-3075: Use-after-free applying style command. Credit to miaubiz.
- [$1000] [120037] High CVE-2011-3076: Use-after-free in focus handling. Credit to miaubiz.
- [120189] Medium CVE-2011-3077: Read-after-free in script bindings. Credit to Google Chrome Security Team (Inferno).
Many of these bugs were detected using AddressSanitizer.
The Stable channel has been updated to 18.0.1025.140 (Platform version: 1660.98.0) for Chromebooks
The Stable channel has been updated to 18.0.1025.140 (Platform version: 1660.98.0) for Chromebooks (Acer AC700, Samsung Series 5, and Cr-48). Machines will be receiving updates to this version over the next several days.
Release highlights:
Stable Channel Release and Beta Channel Update - The Stable channel has been updated to 18.0.1025.142 for Windows, Mac, Linux and Chrome Frame
The Chrome team is excited to announce the release of Chrome 18 to the Stable Channel for Windows, Mac, Linux and Chrome Frame. 18.0.1025.142 contains a number of new features including faster and fancier graphics. More detailed updates are available on the Chrome Blog and the Chromium Blog.
Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
Some of the items listed below represent the start of hardening measures based on study of the exploits submitted to the Pwnium competition.
- [$500] [109574] Medium CVE-2011-3058: Bad interaction possibly leading to XSS in EUC-JP. Credit to Masato Kinugawa.
- [$500] [112317] Medium CVE-2011-3059: Out-of-bounds read in SVG text handling. Credit to Arthur Gerkis.
- [$500] [114056] Medium CVE-2011-3060: Out-of-bounds read in text fragment handling. Credit to miaubiz.
- [116398] Medium CVE-2011-3061: SPDY proxy certificate checking error. Credit to Leonidas Kontothanassis of Google.
- [116524] High CVE-2011-3062: Off-by-one in OpenType Sanitizer. Credit to Mateusz Jurczyk of the Google Security Team.
- [117417] Low CVE-2011-3063: Validate navigation requests from the renderer more carefully. Credit to kuzzcc, Sergey Glazunov, PinkiePie and scarybeasts (Google Chrome Security Team).
- [$1000] [117471] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG.
- [$1000] [117588] High CVE-2011-3065: Memory corruption in Skia. Credit to Omair.
- [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.
The bugs [112317], [114056] and [117471] were detected using AddressSanitizer.
We’d also like to thank miaubiz, Chamal de Silva, Atte Kettunen of OUSPG, Aki Helin of OUSPG and Arthur Gerkis for working with us during the development cycle and preventing security regressions from ever reaching the stable channel. $8000 of additional rewards were issued for this awesomeness.
Stable Channel Update - The Chrome Stable channel has been updated to 17.0.963.83 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable channel has been updated to 17.0.963.83 on Windows, Mac, Linux and Chrome Frame. This release fixes issues with Flash games, along with the security fixes listed below.
Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
Some of the items listed below represent the start of hardening measures based on study of the exploits submitted to the Pwnium competition.
- [$1000] [113902] High CVE-2011-3050: Use-after-free with first-letter handling. Credit to miaubiz.
- [116162] High CVE-2011-3045: libpng integer issue from upstream. Credit to Glenn Randers-Pehrson of the libpng project.
- [$1000] [116461] High CVE-2011-3051: Use-after-free in CSS cross-fade handling. Credit to Arthur Gerkis.
- [116637] High CVE-2011-3052: Memory corruption in WebGL canvas handling. Credit to Ben Vanik of Google.
- [$1000] [116746] High CVE-2011-3053: Use-after-free in block splitting. Credit to miaubiz.
- [117418] Low CVE-2011-3054: Apply additional isolations to webui privileges. Credit to Sergey Glazunov.
- [117736] Low CVE-2011-3055: Prompt in the browser native UI for unpacked extension installation. Credit to PinkiePie.
- [$2000] [117550] High CVE-2011-3056: Cross-origin violation with “magic iframe”. Credit to Sergey Glazunov.
Also, this single low severity issue was fixed in a previous patch but we forgot to issue proper credit:
- [108648] Low CVE-2011-3049: Extension web request API can interfere with system requests. Credit to Michael Gundlach.
Stable Channel Update for Chromebooks - The Stable channel has been updated to 17.0.963.80
The Stable channel has been updated to 17.0.963.80 (Platform version: 1412.234.0) for Chromebooks (Acer AC700, Samsung Series 5, and Cr-48).
Release highlights:
- Stability & security fixes, as described in the Chrome Stable Update blog post.
Known issues:
- Issue 26698: Time display mismatch
Chrome Stable Update
The Chrome Stable channel has been updated to 17.0.963.79 on Windows, Mac, Linux and Chrome Frame. This release fixes issues with Flash games, along with the security fix listed below.
Security fixes and rewards:
Congratulations to PinkiePie (aka PwniePie) for a beautiful piece of work to close out the Pwnium competition!
We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for both CVE-2011-3046 and CVE-2011-3047 in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwnium submissions in the future.
- [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
Full details about what changes are in this release are available in the SVN revision log. Interested in hopping on the stable channel? Find out how. If you find a new issue, please let us know by filing a bug.
Stable Channel Update for Chromebooks
Chrome Stable Channel Update - The Chrome Stable channel has been updated to 17.0.963.78 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable channel has been updated to 17.0.963.78 on Windows, Mac, Linux and Chrome Frame. This release fixes issues with Flash games and videos, along with the security fix listed below.
Security fixes and rewards:
Congratulations again to community member Sergey Glazunov for the first submission to Pwnium!
- [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
Stable Channel Update for Chromebooks - The Stable channel has been updated to 17.0.963.66
Release highlights:
- Pepper flash: release 11.1.31.322
- Stability & security fixes
If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching to the Beta channel? Find out how. You can submit feedback using ‘Report an issue’ under the wrench menu.
Stable Channel Update - The Chrome Stable channel has been updated to 17.0.963.66 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable channel has been updated to 17.0.963.66 on Windows, Mac, Linux and Chrome Frame. This release fixes an issue in the DOM. Interested in hopping on the stable channel? Find out how.
Chrome Stable Update - The Chrome Stable channel has been updated to 17.0.963.65 on Windows, Mac, Linux and Chrome Frame
The Chrome Stable channel has been updated to 17.0.963.65 on Windows, Mac, Linux and Chrome Frame. This release fixes a number of issues including:
- Cursors and backgrounds sometimes do not load (bug 111218)
- Plugins not loading on some pages (bug 108228)
- Text paste includes trailing spaces (bug 106551)
- Websites using touch controls break (bug 110332)
Along with these fixes, the release contains an updated version of the Adobe Flash player. More information on Flash updates is available from Adobe.
Security fixes and rewards:
Firstly, we have some special rewards for some special bugs!
- [$10,000] [116661] Rockstar CVE-1337-d00d1: Excessive WebKit fuzzing. Credit to miaubiz.
- [$10,000] [116662] Legend CVE-1337-d00d2: Awesome variety of fuzz targets. Credit to Aki Helin of OUSPG.
- [$10,000] [116663] Superhero CVE-1337-d00d3: Significant pain inflicted upon SVG. Credit to Arthur Gerkis.
To determine the above rewards, we looked at bug finding performance over the past few months. The three named individuals stood out significantly. It also shouldn’t come as a surprise that they all feature (and earn more!) in the release notes below.
We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. In this instance, we’re dropping a surprise bonus. We reserve the right to do so again and reserve the right to do so on a more regular basis! Chrome has a leading reputation for security and it wouldn’t be possible without the aggressive bug hunting of the wider community.
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
- [$1000] [105867] High CVE-2011-3031: Use-after-free in v8 element wrapper. Credit to Chamal de Silva.
- [$1000] [108037] High CVE-2011-3032: Use-after-free in SVG value handling. Credit to Arthur Gerkis.
- [$2000] [108406] [115471] High CVE-2011-3033: Buffer overflow in the Skia drawing library. Credit to Aki Helin of OUSPG.
- [$1000] [111748] High CVE-2011-3034: Use-after-free in SVG document handling. Credit to Arthur Gerkis.
- [$2000] [112212] High CVE-2011-3035: Use-after-free in SVG use handling. Credit to Arthur Gerkis.
- [$1000] [113258] High CVE-2011-3036: Bad cast in line box handling. Credit to miaubiz.
- [$3000] [113439] [114924] [115028] High CVE-2011-3037: Bad casts in anonymous block splitting. Credit to miaubiz.
- [$1000] [113497] High CVE-2011-3038: Use-after-free in multi-column handling. Credit to miaubiz.
- [$1000] [113707] High CVE-2011-3039: Use-after-free in quote handling. Credit to miaubiz.
- [$500] [114054] Medium CVE-2011-3040: Out-of-bounds read in text handling. Credit to miaubiz.
- [$1000] [114068] High CVE-2011-3041: Use-after-free in class attribute handling. Credit to miaubiz.
- [$1000] [114219] High CVE-2011-3042: Use-after-free in table section handling. Credit to miaubiz.
- [$1000] [115681] High CVE-2011-3043: Use-after-free in flexbox with floats. Credit to miaubiz.
- [$1000] [116093] High CVE-2011-3044: Use-after-free with SVG animation elements. Credit to Arthur Gerkis.
The majority of the above bugs were detected using AddressSanitizer, which rocks.
Stable Channel Update for Chromebooks - The Stable channel has been updated to 17.0.963.60
The Stable channel has been updated to 17.0.963.60 (Platform version: 1412.205.0) for Chromebooks (Acer AC700, Samsung Series 5, and Cr-48).
Release highlights:
- Pepper flash: release 11.1.31.310
- Stability & security fixes
Known issues:
- Deleting 802.1x cert might require a restart to restore access to other wifi networks

