Package: chromium-browser
Version: 6.0.472.63~r59945-3
Severity: important
Tags: upstream patch security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The ThemeInstalledInfoBarDelegate::Observe function in browser/extensions/theme_installed_infobar_delegate.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 does not properly handle incorrect tab interaction by an extension, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted extension.

I tested this on sid and confirmed the error. The attached patch comes from r68112 in the upstream repository and it's issue 60761 (code review at http://codereview.chromium.org/5326011/).

- -- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages chromium-browser depends on:
ii  chromium-browser-ins  6.0.472.63~r59945-3  page inspector for the chromium-br
ii  libasound2            1.0.23-2.1           shared library for ALSA applicatio
ii  libatk1.0-0           1.30.0-1             The ATK accessibility toolkit
ii  libbz2-1.0            1.0.5-6              high-quality block-sorting file co
ii  libc6                 2.11.2-7             Embedded GNU C Library: Shared lib
ii  libcairo2             1.8.10-6             The Cairo 2D vector graphics libra
ii  libcups2              1.4.5-1              Common UNIX Printing System(tm) -
ii  libdbus-1-3           1.2.24-3             simple interprocess messaging syst
ii  libdbus-glib-1-2      0.88-2               simple interprocess messaging syst
ii  libevent-1.4-2        1.4.13-stable-1      An asynchronous event notification
ii  libexpat1             2.0.1-7              XML parsing C library - runtime li
ii  libfontconfig1        2.8.0-2.1            generic font configuration library
ii  libfreetype6          2.4.2-2.1            FreeType 2 font engine, shared lib
ii  libgcc1               1:4.4.5-10           GCC support library
ii  libgconf2-4           2.28.1-6             GNOME configuration database syste
ii  libgcrypt11           1.4.5-2              LGPL Crypto library - runtime libr
ii  libgl1-mesa-glx [lib  7.7.1-4              A free implementation of the OpenG
ii  libglewmx1.5          1.5.4-1              The OpenGL Extension Wrangler - ru
ii  libglib2.0-0          2.24.2-1             The GLib library of C routines
ii  libgtk2.0-0           2.20.1-2             The GTK+ graphical user interface
ii  libicu44              4.4.2-2              International Components for Unico
ii  libjpeg62             6b1-1                The Independent JPEG Group's JPEG
ii  libnspr4-0d           4.8.6-1              NetScape Portable Runtime Library
ii  libnss3-1d            3.12.8-1             Network Security Service libraries
ii  libpango1.0-0         1.28.3-1             Layout and rendering of internatio
ii  libpng12-0            1.2.44-1             PNG library - runtime
ii  libstdc++6            4.4.5-10             The GNU Standard C++ Library v3
ii  libv8-2.2.24          2.2.24-7             V8 JavaScript Engine
ii  libvpx0               0.9.1-2              VP8 video codec (shared library)
ii  libx11-6              2:1.3.3-4            X11 client-side library
ii  libxext6              2:1.1.2-1            X11 miscellaneous extension librar
ii  libxml2               2.7.8.dfsg-1         GNOME XML library
ii  libxrender1           1:0.9.6-1            X Rendering Extension client libra
ii  libxslt1.1            1.1.26-6             XSLT 1.0 processing library - runt
ii  libxss1               1:1.2.1-1            X11 Screen Saver extension library
ii  xdg-utils             1.0.2+cvs20100307-3  desktop integration utilities from
ii  zlib1g                1:1.2.3.4.dfsg-3     compression library - runtime

chromium-browser recommends no packages.

Versions of packages chromium-browser suggests:
ii  chromium-browser-l10  6.0.472.63~r59945-3  chromium-browser language packages

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJNEn4LAAoJEFOUR53TUkxRgWMP/3JCWhyGJqy57mp0F+M1cr5b
kHNrmUKiCTdcRB+stV/hsnz0MJ6gsdGbSCbBpIh6kLQN+k5XHNGjzClGKvUk0bJP
shfBcjxLjlgvorocEORRlxbgD+yRYIe/9fdkaNks/TGwLLYro/gVz8Y/nbAr1KdT
q+CFKYus+GnZB7Mat5GHnvFZo0wO+LNyjN3llyRWPyfJvpl/lvlEWgOxdtVstKX1
51J/99PYKVHHF0Tw1LGqiWQl8ilWLKdHcm42bqUyS6nU60Z28rr+qUmmUxh0unL3
J+/qYrz02P1gLht8Q3ioQlkN1E+Cr9jF59PvufQ2df1a1aTQ46ffX7UfVoNw6Fi2
Xc1UH+F2KJy32W/SiKqzGsSfliswtub5SkS3trr1l4eYunamcmNfVSXgrpNnKiR8
p7zG07YdDkkg8rTYAhaPz66ZG1AL+teYUZdvhQC3CVavjcAfdR+w8Q27X0R9dTbv
Fz0bolGuAxVauE0VVg6xEhEmQ7I2K6mYcFyJHui3QJJYawuUE7WLwdgVztTEcsNG
MpnZQOYy/m8AxQTcS7OYQykILiL10+gifBZvT/SrcZtAgPquzwvZVANnT9HivOE5
hTVmCb/Bnyb8hrhgY8lrMTf8/ipLnicb03yjMF8VveYGVYLGl9Mb/hNr5L26aAO4
APY9KNe1rs9E35HAjqIS
=COxd
-----END PGP SIGNATURE-----
--- trunk/src/chrome/browser/extensions/theme_installed_infobar_delegate.cc 2010/12/03 00:06:05 68111 +++ trunk/src/chrome/browser/extensions/theme_installed_infobar_delegate.cc 2010/12/03 00:12:47 68112 @@ -98,8 +98,22 @@ // If the new theme is different from what this info bar is associated // with, close this info bar since it is no longer relevant. const Extension* extension = Details<const Extension>(details).ptr(); - if (!extension || theme_id_ != extension->id()) - tab_contents_->RemoveInfoBar(this); + if (!extension || theme_id_ != extension->id()) { + if (tab_contents_ && !tab_contents_->is_being_destroyed()) { + tab_contents_->RemoveInfoBar(this); + // The infobar is gone so there is no reason for this delegate to keep + // a pointer to the TabContents (the TabContents has deleted its + // reference to this delegate and a new delegate will be created if + // a new infobar is created). + tab_contents_ = NULL; + // Although it's not being used anymore, this delegate is never deleted. + // It can not be deleted now because it is still needed if we + // "undo" the theme change that triggered this notification + // (when InfoBar::OnBackgroundExpose() is called). This will likely + // be fixed when infobar delegate deletion is cleaned up for + // http://crbug.com/62154. + } + } } bool ThemeInstalledInfoBarDelegate::MatchesTheme(const Extension* theme) {
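Review bot: In the new guard in Observe(), `tab_contents_` is cleared only on the branch where RemoveInfoBar() is actually called; when `tab_contents_->is_being_destroyed()` is true the delegate keeps its pointer to a TabContents that is about to go away, and the comment in the same hunk says this delegate is never deleted, so a later use of `tab_contents_` (the "undo" path via InfoBar::OnBackgroundExpose() that the comment mentions) would touch a dead object, which is the same class of bug this change is fixing. Suggest hoisting the reset out of the inner `if` so the pointer is dropped on both branches:
  if (tab_contents_ && !tab_contents_->is_being_destroyed())
    tab_contents_->RemoveInfoBar(this);
  tab_contents_ = NULL;
Since the delegate is acknowledged to outlive its infobar until http://crbug.com/62154 is addressed, every other member that dereferences `tab_contents_` then needs the same NULL check that the new condition already applies here. The paragraph explaining why the delegate cannot be deleted yet is worth keeping, but it describes the object's lifetime rather than this branch, so it reads better on the class or member declaration than inside the `if` body.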