=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN206
_____________________________________________________________________

DATE                      : 09/03/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Google Chrome version prior to 10.0.648.127.

======================================================================
http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html
______________________________________________________________________

Chrome Stable Release

Tuesday, March 8, 2011 | 08:00

Labels: Stable updates

The Google Chrome team is excited to announce the arrival of Chrome 10.0.648.127
to the Stable Channel for Windows, Mac, Linux, and Chrome Frame.
Chrome 10 contains some really great improvements including:

     * New version of V8 - Crankshaft - which greatly improves JavaScript
       performance
     * New settings pages that open in a tab, rather than a dialog box
     * Improved security with malware reporting and disabling outdated
       plugins by default
     * Sandboxed Adobe Flash on Windows
     * Password sync as part of Chrome Sync now enabled by default
     * GPU Accelerated Video
     * Background WebApps
     * webNavigation extension API

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the
referenced bugs may be kept private until a majority of our users are
up to date with the fix.

As can be seen, a few lower-severity issues were rewarded on account of
being particularly interesting or clever. And some rewards were issued
at the $1500 and $2000 level, reflecting bug reports where the reporter
also worked with Chromium developers to provide an accepted patch.

     * [42574] [42765] Low Possible to navigate or close the top location
       in a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
     * [Linux only] [49747] Low Work around an X server bug and crash with
       long messages. Credit to Louis Lang.
     * [Linux only] [66962] Low Possible browser crash with parallel print()s.
       Credit to Aki Helin of OUSPG.
     * [$1337] [69187] Medium Cross-origin error message leak.
       Credit to Daniel Divricean.
     * [$500] [69628] High Memory corruption with counter nodes.
       Credit to Martin Barbella.
     * [$1000] [70027] High Stale node in box layout.
       Credit to Martin Barbella.
     * [$500] [70336] Medium Cross-origin error message leak with workers.
       Credit to Daniel Divricean.
     * [$1000] [70442] High Use after free with DOM URL handling.
       Credit to Sergey Glazunov.
     * [Linux only] [70779] Medium Out of bounds read handling unicode
       ranges. Credit to miaubiz.
     * [$1337] [70877] High Same origin policy bypass in v8. Credit to
       Daniel Divricean.
     * [70885] [71167] Low Pop-up blocker bypasses. Credit to Chamal
       de Silva.
     * [$1000] [71763] High Use-after-free in document script lifetime handling.
       Credit to miaubiz.
     * [71788] High Out-of-bounds write in the OGG container. Credit to
       Google Chrome Security Team (SkyLined); plus subsequent independent
       discovery by David Weston of Microsoft and MSVR.
     * [$1000] [72028] High Stale pointer in table painting. Credit to
       Martin Barbella.
     * [73026] High Use of corrupt out-of-bounds structure in video code.
       Credit to Tavis Ormandy of the Google Security Team.
     * [$1000] [73066] High Crash with the DataView object. Credit to
       Sergey Glazunov.
     * [$1000] [73134] High Bad cast in text rendering. Credit to miaubiz.
     * [$2000] [73196] High Stale pointer in WebKit context code. Credit
       to Sergey Glazunov.
     * [73716] Low Leak of heap address in XSLT. Credit to
       Google Chrome Security Team (Chris Evans).
     * [$1500] [73746] High Stale pointer with SVG cursors. Credit to
       Sergey Glazunov.
     * [$1000] [74030] High DOM tree corruption with attribute handling.
       Credit to Sergey Glazunov.
     * [$1000] [74662] High Corruption via re-entrancy of RegExp code.
       Credit to Christian Holler.
     * [$1000] [74675] High Invalid memory access in v8. Credit to
       Christian Holler.

We would also like to thank Ben Hawkes of the Google Security Team,
Sergey Glazunov, Martin Barbella and “temp01irc” for working with us during
the development cycle and helping prevent bugs from ever reaching the stable
channel.

Last, but not least, we’d like to offer special thanks (plus additional rewards
to those listed above) to Christian Holler. This is for working with us on his
grammar-based fuzzing project, resulting in a more stable and secure “Crankshaft”
engine for v8.

More on what's new at the Official Chrome Blog.  You can find full details about
the changes that are in Chrome 10 in the SVN revision log. If you find new issues,
please let us know by filing a bug. Want to change to another Chrome release
channel? Find out how.

Jason Kersey
Google Chrome
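For triage of this bulletin, the two things a defender needs are an affected-version check against the fixed build 10.0.648.127 and a structured view of the security-fix list (bug ids, reward, platform, severity). The script below is an added example for this note, not code from Google or CERT-Renater: it compares an installed Chrome version to the fixed one (zero-padding short version strings, so "10.0.647" is correctly treated as older) and parses the wrapped "* [tag] [tag] Severity Description. Credit to ..." bullets into records. The sample text embedded in it is copied from the entries above; the function and class names are this example's own.

```python
"""Triage helper for the Chrome 10.0.648.127 release note (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed version as stated in the advisory.
FIXED_VERSION = "10.0.648.127"


def parse_version(version: str, width: int = 4) -> Tuple[int, ...]:
    """Split a dotted version into a zero-padded tuple so it compares numerically."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


@dataclass
class Fix:
    bug_ids: List[int]
    severity: str
    description: str
    credit: str
    reward: Optional[int] = None    # dollar amount from a [$NNNN] tag, if any
    platform: Optional[str] = None  # e.g. "Linux only"


# Shape of one entry once its wrapped lines have been joined:
#   * [$1337] [70877] High Same origin policy bypass in v8. Credit to Daniel Divricean.
ENTRY_RE = re.compile(
    r"^\*\s*(?P<tags>(?:\[[^\]]+\]\s*)+)"
    r"(?P<severity>Low|Medium|High|Critical)\s+"
    r"(?P<desc>.+?)\s*Credit to (?P<credit>.+?)\.?$"
)


def _join_wrapped(text: str) -> List[str]:
    """Each '*' line starts an entry; following non-blank lines continue it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*"):
            if current:
                entries.append(current)
            current = line
        elif current is not None:
            current += " " + line
    if current:
        entries.append(current)
    return entries


def parse_release_notes(text: str) -> List[Fix]:
    """Return the security-fix bullets as Fix records; feature bullets are skipped."""
    fixes = []
    for entry in _join_wrapped(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue  # no [tag] prefix or no "Credit to": not a security-fix bullet
        tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
        bug_ids = [int(t) for t in tags if t.isdigit()]
        reward = next((int(t[1:]) for t in tags if t.startswith("$")), None)
        platform = next((t for t in tags if not t.isdigit() and not t.startswith("$")), None)
        fixes.append(Fix(bug_ids, m.group("severity"), m.group("desc").rstrip("."),
                         m.group("credit"), reward, platform))
    return fixes


def summarize(fixes: List[Fix]):
    """Count fixes per severity and total the rewards paid."""
    counts = {}
    for f in fixes:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts, sum(f.reward or 0 for f in fixes)


# Constructed sample: a feature bullet plus four entries copied from the note above.
SAMPLE_NOTES = """
     * Sandboxed Adobe Flash on Windows
     * [42574] [42765] Low Possible to navigate or close the top location
in a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
     * [Linux only] [49747] Low Work around an X server bug and crash with
long messages. Credit to Louis Lang.
     * [$1337] [70877] High Same origin policy bypass in v8. Credit to
Daniel Divricean.
     * [$2000] [73196] High Stale pointer in WebKit context code. Credit
to Sergey Glazunov.
"""

if __name__ == "__main__":
    for v in ("9.0.597.107", "10.0.648.127", "10.0.648.204"):
        print(v, "affected" if is_affected(v) else "fixed")
    fixes = parse_release_notes(SAMPLE_NOTES)
    for f in fixes:
        print(f.bug_ids, f.severity, f.platform, f.reward, "-", f.description)
    print(summarize(fixes))
```

The joiner treats every indented "*" line as the start of a bullet and appends the flush-left continuation lines to it, which is the layout of the note as received; entries whose description contains a period ("... long messages. Credit to ...") still parse because the credit is located by the literal "Credit to" rather than by sentence boundaries.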


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
