[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 711 - Medium Out-of-bounds read in plug-in handling. Credit to Bill Budge of
Giuseppe Iuculano
iuculano at debian.org
Fri Feb 11 16:09:38 UTC 2011
Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 711
Revision Id: iuculano at debian.org-20110211160938-eepmwvyf0u504im1
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : - Medium Out-of-bounds read in plug-in handling. Credit to Bill Budge of
Google.
- Medium Possible failure to terminate process on out-of-memory condition.
Credit to David Warren of CERT/CC.
--------------------------------------------------------
** Added :
- debian/patches/69970.patch
- debian/patches/70456.patch
** Modified :
- debian/changelog
- debian/patches/series
=== modified file 'debian/changelog'
--- a/debian/changelog 2011-02-11 14:54:03 +0000
+++ b/debian/changelog 2011-02-11 16:09:38 +0000
@@ -4,8 +4,12 @@
- High Stale pointer in animation event handling. Credit to Rik Cabanier.
- High Stale pointer with anonymous block handling. Credit to Martin
Barbella.
+ - Medium Out-of-bounds read in plug-in handling. Credit to Bill Budge of
+ Google.
+ - Medium Possible failure to terminate process on out-of-memory condition.
+ Credit to David Warren of CERT/CC.
- -- Giuseppe Iuculano <iuculano at debian.org> Fri, 11 Feb 2011 15:53:13 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org> Fri, 11 Feb 2011 17:08:57 +0100
chromium-browser (6.0.472.63~r59945-5+squeeze1) stable-security; urgency=high
=== added file 'debian/patches/69970.patch'
--- a/debian/patches/69970.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/69970.patch 2011-02-11 16:09:38 +0000
@@ -0,0 +1,14 @@
+--- a/src/third_party/WebKit/WebCore/bindings/v8/V8NPUtils.cpp
++++ b/src/third_party/WebKit/WebCore/bindings/v8/V8NPUtils.cpp
+@@ -65,8 +65,9 @@ void convertV8ObjectToNPVariant(v8::Loca
+ VOID_TO_NPVARIANT(*result);
+ else if (object->IsString()) {
+ v8::String::Utf8Value utf8(object);
+- char* utf8_chars = strdup(*utf8);
+- STRINGN_TO_NPVARIANT(utf8_chars, utf8.length(), *result);
++ char* utf8Chars = reinterpret_cast<char*>(malloc(utf8.length()));
++ memcpy(utf8Chars, *utf8, utf8.length());
++ STRINGN_TO_NPVARIANT(utf8Chars, utf8.length(), *result);
+ } else if (object->IsObject()) {
+ DOMWindow* window = V8Proxy::retrieveWindow(V8Proxy::currentContext());
+ NPObject* npobject = npCreateV8ScriptObject(0, v8::Handle<v8::Object>::Cast(object), window);
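Review bot: The malloc/memcpy pair that replaces strdup() produces a buffer that is no longer NUL-terminated, which strdup() always guaranteed; a plugin that treats NPString::UTF8Characters as a C string instead of honouring UTF8Length now reads one byte past the allocation, so the old under-read on embedded NULs is traded for a one-byte over-read. Allocating one extra byte keeps both properties: `char* utf8Chars = reinterpret_cast<char*>(malloc(utf8.length() + 1));` then the existing memcpy and `utf8Chars[utf8.length()] = '\0';` before STRINGN_TO_NPVARIANT. The malloc() result is also handed straight to memcpy with no null check; whether a failed allocation aborts the process here depends on the allocator the build links, which this hunk does not show, so it should be confirmed rather than assumed. convertV8ObjectToNPVariant begins and ends outside the hunk.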
=== added file 'debian/patches/70456.patch'
--- a/debian/patches/70456.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/70456.patch 2011-02-11 16:09:38 +0000
@@ -0,0 +1,44 @@
+--- a/src/base/debug_util_posix.cc
++++ b/src/base/debug_util_posix.cc
+@@ -256,6 +256,9 @@ bool DebugUtil::BeingDebugged() {
+ // static
+ void DebugUtil::BreakDebugger() {
+ DEBUG_BREAK();
++#if defined(NDEBUG)
++ _exit(1);
++#endif
+ }
+
+ StackTrace::StackTrace() {
+--- a/src/chrome/app/chrome_dll_main.cc
++++ b/src/chrome/app/chrome_dll_main.cc
+@@ -155,6 +155,7 @@ void InvalidParameter(const wchar_t* exp
+ const wchar_t* file, unsigned int line,
+ uintptr_t reserved) {
+ __debugbreak();
++ _exit(1);
+ }
+
+ void PureCall() {
+@@ -180,6 +181,7 @@ void OnNoMemory() {
+ // the buffer is then used, it provides a handy mapping of memory starting at
+ // address 0 for an attacker to utilize.
+ __debugbreak();
++ _exit(1);
+ }
+ #pragma warning(pop)
+
+--- a/src/chrome/plugin/plugin_main.cc
++++ b/src/chrome/plugin/plugin_main.cc
+@@ -120,8 +120,10 @@ int PluginMain(const MainFunctionParams&
+ BOOL result = run_security_tests(&test_count);
+ DCHECK(result) << "Test number " << test_count << " has failed.";
+ // If we are in release mode, crash or debug the process.
+- if (!result)
++ if (!result) {
+ __debugbreak();
++ _exit(1);
++ }
+ }
+
+ FreeLibrary(sandbox_test_module);
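Review bot: In DebugUtil::BreakDebugger() the new `_exit(1)` is compiled only under NDEBUG, so a debug build in which DEBUG_BREAK() does not stop the process (for example if it raises a signal the process has been left ignoring, which is inherited across exec) can still return and continue, which is the condition the Windows half of this patch closes unconditionally in OnNoMemory() and InvalidParameter(). Since BeingDebugged() is defined immediately above in the same file, gating on the runtime state rather than the build type covers both cases: `if (!BeingDebugged()) _exit(1);`. Whether the header declaring _exit (normally <unistd.h>) is already included by debug_util_posix.cc is not visible here and should be checked. A one-line comment would also record the intent for future readers, e.g. `// Must not return: callers rely on this to terminate (OOM, CHECK). _exit skips atexit handlers on purpose.`. InvalidParameter(), OnNoMemory() and PluginMain() begin or end outside the hunk.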
=== modified file 'debian/patches/series'
--- a/debian/patches/series 2011-02-11 14:54:03 +0000
+++ b/debian/patches/series 2011-02-11 16:09:38 +0000
@@ -54,3 +54,5 @@
68244.patch
67234.patch
69556.patch
+69970.patch
+70456.patch