• Security fixes
• Stability fixes

Release highlights:

• Read about improvements to Chrome over on the Google Chome blog
• Support for .zip files
• Onscreen indication when caps lock is enabled
• Warning messages regarding low disk space
• Telegu and Kannada languages now supported
• Updated Pepper Flash version
• Crash fixes
• Security updates

• [81753] Medium CVE-2011-3903: Out-of-bounds read in regex matching. Credit to David Holloway of the Chromium development community.
• [95465] Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team (Inferno).
• [$500] [98809] Medium CVE-2011-3906: Out-of-bounds read in PDF parser. Credit to Aki Helin of OUSPG.
• [$1000] [99016] High CVE-2011-3907: URL bar spoofing with view-source. Credit to Luka Treiber of ACROS Security.
• [100863] Low CVE-2011-3908: Out-of-bounds read in SVG parsing. Credit to Aki Helin of OUSPG.
• [101010] Medium CVE-2011-3909: [64-bit only] Memory corruption in CSS property array. Credit to Google Chrome Security Team (scarybeasts) and Chu.
• [101494] Medium CVE-2011-3910: Out-of-bounds read in YUV video frame handling. Credit to Google Chrome Security Team (Cris Neckar).
• [101779] Medium CVE-2011-3911: Out-of-bounds read in PDF. Credit to Google Chrome Security Team (scarybeasts) and Robert Swiecki of the Google Security Team.
• [$1000] [102359] High CVE-2011-3912: Use-after-free in SVG filters. Credit to Arthur Gerkis.
• [$1000] [103921] High CVE-2011-3913: Use-after-free in Range handling. Credit to Arthur Gerkis.
• [$1000] [104011] High CVE-2011-3914: Out-of-bounds write in v8 i18n handling. Credit to Sławomir Błażek.
• [$1000] [104529] High CVE-2011-3915: Buffer overflow in PDF font handling. Credit to Atte Kettunen of OUSPG.
• [$500] [104959] Medium CVE-2011-3916: Out-of-bounds reads in PDF cross references. Credit to Atte Kettunen of OUSPG.
• [105162] Medium CVE-2011-3917: Stack-buffer-overflow in FileWatcher. Credit to Google Chrome Security Team (Marty Barbella).
• [107258] High CVE-2011-3904: Use-after-free in bidi handling. Credit to Google Chrome Security Team (Inferno) and miaubiz.

Full details about what changes have been made in this release are available in the SVN revisions log. Interested in switching to another channel?  Find out how.  If you find a new issue, please let us know by filing a bug.

The bugs [100465], [100492], [100543] and [101458] were detected using AddressSanitizer. 

• [$500] [86758] High CVE-2011-2845: URL bar spoof in history handling. Credit to Jordi Chancel.
• [88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs. Credit to Jordi Chancel.
• [90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of download filenames. Credit to Marc Novak.
• [91218] Low CVE-2011-3877: XSS in appcache internals page. Credit to Google Chrome Security Team (Tom Sepez) plus independent discovery by Juho Nurminen.
• [94487] Medium CVE-2011-3878: Race condition in worker process initialization. Credit to miaubiz.
• [95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs. Credit to Masato Kinugawa.
• [95992] Low CVE-2011-3880: Don’t permit as a HTTP header delimiter. Credit to Vladimir Vorontsov, ONsec company.
• [$12174] [96047] [96885] [98053] [99512] [99750] High CVE-2011-3881: Cross-origin policy violations. Credit to Sergey Glazunov.
• [96292] High CVE-2011-3882: Use-after-free in media buffer handling. Credit to Google Chrome Security Team (Inferno).
• [$1000] [96902] High CVE-2011-3883: Use-after-free in counter handling. Credit to miaubiz.
• [97148] High CVE-2011-3884: Timing issues in DOM traversal. Credit to Brian Ryner of the Chromium development community.
• [$6337] [97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885: Stale style bugs leading to use-after-free. Credit to miaubiz.
• [$2000] [98773] [99167] High CVE-2011-3886: Out of bounds writes in v8. Credit to Christian Holler.
• [$1500] [98407] Medium CVE-2011-3887: Cookie theft with javascript URIs. Credit to Sergey Glazunov.
• [$1000] [99138] High CVE-2011-3888: Use-after-free with plug-in and editing. Credit to miaubiz.
• [$2000] [99211] High CVE-2011-3889: Heap overflow in Web Audio. Credit to miaubiz.
• [99553] High CVE-2011-3890: Use-after-free in video source handling. Credit to Ami Fischman of the Chromium development community.
• [100332] High CVE-2011-3891: Exposure of internal v8 functions. Credit to Steven Keuchel of the Chromium development community plus independent discovery by Daniel Divricean.

The bugs [94487], [96292], [96902], [97599], [98064], [98556], [99294], [100059], [99138] and [99211] were detected using AddressSanitizer.

Although Chrome is not directly affected by the attack, the NSS network library was updated to include a defense against so-called BEAST. This defense may expose bugs in Brocade hardware. Brocade is working on the issue. The lighttpd project fixed a compatibility issue at version 1.4.27 and newer.

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

• [$1000] [93788] High CVE-2011-2876: Use-after-free in text line box handling. Credit to miaubiz.
• [$1000] [95072] High CVE-2011-2877: Stale font in SVG text handling. Credit to miaubiz.
• [$2000] [95671] High CVE-2011-2878: Inappropriate cross-origin access to the window prototype. Credit to Sergey Glazunov.
• [96150] High CVE-2011-2879: Lifetime and threading issues in audio node handling. Credit to Google Chrome Security Team (Inferno).
• [$4500] [97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8 bindings. Credit to Sergey Glazunov.
• [$1500] [97784] High CVE-2011-2881: Memory corruption with v8 hidden objects. Credit to Sergey Glazunov.
• [98089] Critical CVE-2011-3873: Memory corruption in shader translator. Credit to Zhenyao Mo of the Chromium development community.

Full details about what changes have been made in this release are available in the SVN revision log. Interested in switching to another channel?  Find out how.  If you find a new issue, please let us know by filing a bug.

The Beta and Stable channels have been updated to 14.0.835.186 for Windows, Mac, Linux, and Chrome Frame.

This release includes an update to Flash Player that addresses a zero-day vulnerability.

• [49377] High CVE-2011-2835: Race condition in the certificate cache. Credit to Ryan Sleevi of the Chromium development community.
• [51464] Low CVE-2011-2836: Infobar the Windows Media Player plug-in to avoid click-free access to the system Flash. Credit to electronixtar.
• [Linux only] [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to wbrana.
• [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when loading plug-ins. Credit to Michal Zalewski of the Google Security Team.
• [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit to Kostya Serebryany of the Chromium development community.
• [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual user interaction. Credit to kuzzcc.
• [$500] [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to Mario Gomes.
• [Mac only] [80680] Low CVE-2011-2842: Insecure lock file handling in the Mac installer. Credit to Aaron Sigel of vtty.com.
• [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers. Credit to Kostya Serebryany of the Chromium development community.
• [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit to Mario Gomes.
• [$1000] [89219] High CVE-2011-2846: Use-after-free in unload event handling. Credit to Arthur Gerkis.
• [$1000] [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to miaubiz.
• [$500] [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit to Jordi Chancel.
• [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets. Credit to Arthur Gerkis.
• [$500] [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit to miaubiz.
• [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters. Credit to miaubiz.
• [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling. Credit to Google Chrome Security Team (Inferno).
• [$500] [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler.
• [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit to Google Chrome Security Team (SkyLined).
• [$1000] [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style handing. Credit to Sławomir Błażek, and independent later discoveries by miaubiz and Google Chrome Security Team (Inferno).
• [$1000] [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to Arthur Gerkis.
• [$2000] [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel Divricean.
• [$1000] [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit to miaubiz.
• [$1000] [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
• [93497] Medium CVE-2011-2859: Incorrect permissions assigned to non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm of Recurity Labs.
• [$1000] [93587] High CVE-2011-2860: Use-after-free in table style handling. Credit to miaubiz.
• [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki Helin of OUSPG.
• [$2337] [93906] High CVE-2011-2862: Unintended access to v8 built-in objects. Credit to Sergey Glazunov.
• [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan characters. Credit to Google Chrome Security Team (Inferno).
• [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays. Credit to Google Chrome Security Team (Inferno).
• [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a session. Credit to Nishant Yadant of VMware and Craig Chamberlain (@randomuserid).
• [$1000] [95920] High CVE-2011-2875: Type confusion in v8 object sealing. Credit to Christian Holler.

In addition, we would like to thank “send.my.spam.to”, “Feiler89”, miaubiz, The Microsoft Java Team / Microsoft Vulnerability Research (MSVR), Chris Rohlf of Matasano, Chamal de Silva, Christian Holler, “simon.sarris” and Alexey Proskuryakov of Apple for working with us in the development cycle and preventing bugs from ever reaching the stable channel. Various rewards were issued.