Tuesday, October 15, 2013

Stable Channel Update

Chrome has been updated to 30.0.1599.101 for Windows, Mac, Linux and Chrome Frame. 

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 5 security fixes. Below, we highlight fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information.

[$1000][292422] High CVE-2013-2925: Use after free in XHR. Credit to Atte Kettunen of OUSPG.
[$2000][294456] High CVE-2013-2926: Use after free in editing. Credit to cloudfuzzer.
[$2000][297478] High CVE-2013-2927: Use after free in forms. Credit to cloudfuzzer.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [305790] CVE-2013-2928: Various fixes from internal audits, fuzzing and other initiatives.

Many of the above bugs were detected using AddressSanitizer.

A full list of changes is available in the SVN log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Karen Grunberg
Google Chrome

25 comments:

shadowsgrey said...

On Ubuntu 12.04 LTS, the default GUI update-manager lists but refuses to select/install 30.0.1599.101 from the Google repository.

Command line "sudo apt-get upgrade" produces the message that package google-chrome-stable is being "kept back". This message typically appears when an upgrade would require the installation of a new package and/or removal of an existing package (as opposed to simply/solely updating existing packages).

I've not yet tried "apt-get dist-upgrade", because I've never before needed it when upgrading Google Chrome stable on this system. Does 30.0.1599.101 for Ubuntu (12.04 LTS) really require the installation and/or removal of new package(s), or was a mistake made in its generation? (Or if neither, then I guess I need to look at my system specifically. But again, I've never before encountered this problem on this system.)

Neo Yang said...

Has the crash issue on Mac#30.0.1599.69 been fixed? I'm posting this msg for the third time because Chrome crashes!!!

Karen said...

Can you point us to a crash, Neo? We are doing our best to resolve but I need an actual crash dump to see what's crashing.

Daniel Getz said...

On Debian 7 i386 this latest upgrade is prevented because of incorrect dependencies: lib32gcc1, lib32stdc++6, and libc6-i386.

Sounds like this is the same or similar to the problem in Ubuntu?

Sasso said...

Yes Daniel, the problem is the same on Ubuntu 12.04 LTS with the three "precise" dependencies you listed:

Dépend: lib32gcc1 (>=1:4.1.1) but it is not installable
Dépend: lib32stdc++6 (>=4.6) but it is not installable
Dépend: libc6-i386 (>=2.11) but it is not installable

Charin Tapaeng said...

This is a Chrome 64bit

高时超 said...

Why isn't this severe issue https://code.google.com/p/chromium/issues/detail?id=305011 still not fixed? I don't know if I can provide more information.

Masahito Yamaga said...

The version number of Pepper Flash in

/Applications/Google Chrome.app/Contents/Versions/30.0.1599.101/Google Chrome Framework.framework/Internet Plug-Ins/PepperFlash/PepperFlashPlayer.plugin/Contents/Info.plist

is described as "11.8.800.66". It should be "11.9.900.117" as it actually is.

Alex Dan said...

Does this include the fix for:

https://code.google.com/p/chromium/issues/detail?id=290399

Also?

A7med said...

Is this Issue 303046: NTLM token on cross domain, fixed in this version? https://code.google.com/p/chromium/issues/detail?id=303046

Some websites crashed with the aw snap error because of this.

Alex Sung said...

Not able to update from Linux Mint 15 as well. Can we get a fix for it? Thank you.

Karen said...

We're working on the Linux issues actively.

高时超, it should be fixed so I would appreciate any more information you have.

Hartato Sukagunas said...

All entries in saved passwords disappeared. Account is synced. Password entries in Google dashboard still exist. Using 32-bit Linux.

Hartato Sukagunas said...

Additional information regarding empty password list. When run from command line, the following message appeared:

[25790:25790:1017/200210:ERROR:password_store_factory.cc(110)] Could not initialize login database.
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[25790:25790:1017/200211:ERROR:non_frontend_data_type_controller.cc(198)] Passwords datatype error was encountered: Failed loading
[25790:25790:1017/200211:ERROR:model_association_manager.cc(315)] Failed to associate models for Passwords

shadowsgrey said...

I am disappointed, if not surprised, at the further lack of communication on Google's part on the issues with 32 bit Linux.

This Debian forum thread

http://forums.debian.net/viewtopic.php?f=10&t=108245

is kind enough to point to a/the relevant Chromium issue

https://code.google.com/p/chromium/issues/detail?id=304017

Note that the problem was identified on 4th October, and the cause of the wrong dependencies was apparently removed from the build bots on 9th October.

Nonetheless, stable shipped days later with the wrong dependencies still in place.

Note also that one of the Chromium developers complains about the continuing comments on the issue and closes/restricts commenting.

From a user's perspective, Chrome is a product whose purpose is to constantly interact with external resources. The update fixes potential or actual vulnerabilities that could put such interaction at risk. Delays, especially when *a fix is at hand*, expose users to continuing risk. Should they not be rather concerned at this risk?

Google wants us all to use Chrome. Then do more to maintain our confidence and trust. That INCLUDES communicating, and timely response. Seriously, this is an area where Google continues to fall down. Legitimate feedback and concern disappears into a "black hole", until a response is deigned.

Neo Yang said...

@Karen, pls refer this link for more info, http://productforums.google.com/forum/#!msg/chrome/XAGBdUcOF34/kV1m0unw2sMJ

trasher said...

Because Google doesn't have time or can't solve such a simple task as the dependencies between three libraries, here is the solution:

- download & install these three packages from https://drive.google.com/folderview?id=0B2TqAdaq593zNGRpNDFZX2NzM0E&usp=sharing

- afterwards, run the update manager in Ubuntu / Xubuntu 12.04 LTS 32-bit and the latest stable Google Chrome is installed.

Personally tested on Xubuntu 12.04LTS 32 bit.

Paul said...

Thanks to @trasher for the guidance. Followed and tested on Ubuntu 12.04 LTS 32bit. Works fine.

Alex Sung said...

Can you solve this for Linux Mint 15?
http://i44.tinypic.com/66wvep.png

shadowsgrey said...

@Alex Sung

Have a look at the Chromium issue I mentioned, and particularly at comment 27:

https://code.google.com/p/chromium/issues/detail?id=304017#c27

In that comment, pdknsk provides instructions for a workaround to the incorrect dependencies. I've performed that work-around, and it solved the problem on 32-bit Ubuntu 12.04 LTS.

Furthermore, that workaround uses already installed utilities to pull a copy of the package from your already-configured repositories. You are using tools already on your system, and you are pulling from an already trusted repository. You are not required to use anything from a new, unknown third party.

Basically, the instructions cause you to: Pull a copy of the package from Google's repository; unpackage it so you can get at its contents; use sed (stream editor) to modify the release value slightly for identification; use sed to remove two incorrect dependencies from the list of dependencies.

Continuing, the instructions have you change ownership of the sandbox to root, and to modify the permissions of the sandbox so that it runs under root. I checked my pre-existing installation of Chrome ...69, and that is how the sandbox files were configured/permissioned under it.

Then, the instructions have you repackage the modified package contents into a new package; then you install that package.

After doing all this, I found my installation of Chrome updated to 101. Further, the 101 update has been removed from the list of available/pending updates that Ubuntu's graphical Update Manager presents.

I was most worried about the ownership and permissions assignments for the sandbox. Thus, I looked at what the existing installation (...69) had for these. As near as I could tell, pdknsk's instructions mirror these exactly. But I'm not an expert in this.

Hope this helps.

shadowsgrey said...

In my previous comment, change "two" to "three", thusly:

"use sed to remove three incorrect dependencies"

In my hurry, I missed that one of the sed commands is removing two adjacent dependency specifications.

Alex Sung said...

@Shadowsgrey Thanks a million, it works like a charm.

$ apt-get download google-chrome-stable
$ dpkg-deb -R google-chrome-stable_30.0.1599.101-1_i386.deb 304017

$ sed -i 304017/DEBIAN/control \
-e 's/30.0.1599.101-1/30.0.1599.101-2~304017/' \
-e 's/lib32gcc1 (>= 1:4.1.1), lib32stdc++6 (>= 4.6), //' \
-e 's/libc6-i386 (>= 2.11), //'

$ sudo chown root:root 304017/opt/google/chrome/chrome-sandbox
$ sudo chmod 4755 304017/opt/google/chrome/chrome-sandbox

$ dpkg-deb -b 304017
$ sudo dpkg -i 304017.deb
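
An added example, not part of the original comments or of pdknsk's instructions: before installing a hand-rebuilt package, confirm that the sed edits changed only the Version and the three intended Depends entries. The control file below is constructed and shortened, and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example: audit what the sed edits changed in DEBIAN/control.
# The control file below is constructed (shortened), not the real package's.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
orig="$work/control.orig"; new="$work/control.new"
cat > "$orig" <<'EOF'
Package: google-chrome-stable
Version: 30.0.1599.101-1
Architecture: i386
Depends: gconf-service, lib32gcc1 (>= 1:4.1.1), lib32stdc++6 (>= 4.6), libasound2 (>= 1.0.23), libc6 (>= 2.11), libc6-i386 (>= 2.11), xdg-utils (>= 1.0.2)
EOF

# Same three expressions as the workaround, written to a copy instead of -i.
sed -e 's/30.0.1599.101-1/30.0.1599.101-2~304017/' \
    -e 's/lib32gcc1 (>= 1:4.1.1), lib32stdc++6 (>= 4.6), //' \
    -e 's/libc6-i386 (>= 2.11), //' "$orig" > "$new"

# Value of a single-line field such as Version or Depends.
control_field() { sed -n "s/^$2: *//p" "$1" | head -n 1; }

# One dependency per line, trimmed and sorted for comm(1).
dep_list() {
    control_field "$1" Depends | tr ',' '\n' |
        sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d' | LC_ALL=C sort
}

# Dependencies in the first file that are absent from the second.
removed_deps() {
    dep_list "$1" > "$work/a.deps"; dep_list "$2" > "$work/b.deps"
    LC_ALL=C comm -23 "$work/a.deps" "$work/b.deps"
}
added_deps() { removed_deps "$2" "$1"; }

# Any difference outside Version and Depends; empty output means none.
unexpected_changes() {
    grep -v -e '^Version:' -e '^Depends:' "$1" > "$work/a.rest"
    grep -v -e '^Version:' -e '^Depends:' "$2" > "$work/b.rest"
    diff "$work/a.rest" "$work/b.rest"
}

echo "Version: $(control_field "$orig" Version) -> $(control_field "$new" Version)"
echo "Removed:"; removed_deps "$orig" "$new" | sed 's/^/  /'
echo "Added:";   added_deps "$orig" "$new" | sed 's/^/  /'
echo "Other changes:"; unexpected_changes "$orig" "$new" || true
```

On a real package, point the functions at 304017/DEBIAN/control and at the control file of an untouched copy unpacked with dpkg-deb -R into a second directory.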

Hartato Sukagunas said...

I solved the empty password list problem by deleting "Login Data" and "Login Data-journal" files in config/google-chrome/Default directory.

Chrome recreated the files and sync repopulated them.

SL BarefootDreamer said...

My Kaspersky detected this vulnerability. How do I fix it? My Chrome states there are no updates available. I am running Windows 8.