chrome | https://chromereleases.googleblog.com | GCSA-333779794603874665
Jan 10, 2013 - 12:00 a.m.

Stable Channel Update

CVSS2: 7.5 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.007 Low (Percentile: 80.5%)

The Chrome team is excited to announce the promotion of Chrome 24 to the stable channel. Chrome 24.0.1312.52 has been updated for Windows, Mac, Linux, and Chrome Frame.

This is the first Stable release with support for MathML, thanks to WebKit volunteer Dave Barton. This release also contains an update to Flash (11.5.31.137) as well as improvements in speed and stability. You can find out more about Chrome 24 on the Official Chrome Blog and the Official Chromium Blog.

Security fixes and rewards:

Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

  • [$1000] [162494] High CVE-2012-5145: Use-after-free in SVG layout. _Credit to Atte Kettunen of OUSPG._
  • [$4000] [165622] High CVE-2012-5146: Same origin policy bypass with malformed URL. _Credit to Erling A Ellingsen and Subodh Iyengar, both of Facebook._
  • [$1000] [165864] High CVE-2012-5147: Use-after-free in DOM handling. _Credit to José A. Vázquez._
  • [167122] Medium CVE-2012-5148: Missing filename sanitization in hyphenation support. _Credit to Google Chrome Security Team (Justin Schuh)._
  • [166795] High CVE-2012-5149: Integer overflow in audio IPC handling. _Credit to Google Chrome Security Team (Chris Evans)._
  • [165601] High CVE-2012-5150: Use-after-free when seeking video. _Credit to Google Chrome Security Team (Inferno)._
  • [165538] High CVE-2012-5151: Integer overflow in PDF JavaScript. _Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team._
  • [165430] Medium CVE-2012-5152: Out-of-bounds read when seeking video. _Credit to Google Chrome Security Team (Inferno)._
  • [164565] High CVE-2012-5153: Out-of-bounds stack access in v8. _Credit to Andreas Rossberg of the Chromium development community._
  • [Windows only] [164490] Low CVE-2012-5154: Integer overflow in shared memory allocation. _Credit to Google Chrome Security Team (Chris Evans)._
  • [Mac only] [163208] Medium CVE-2012-5155: Missing Mac sandbox for worker processes. _Credit to Google Chrome Security Team (Julien Tinnes)._
  • [162778] High CVE-2012-5156: Use-after-free in PDF fields. _Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team._
  • [162776] [162156] Medium CVE-2012-5157: Out-of-bounds reads in PDF image handling. _Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team._
  • [162153] High CVE-2013-0828: Bad cast in PDF root handling. _Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team._
  • [162114] High CVE-2013-0829: Corruption of database metadata leading to incorrect file access. _Credit to Google Chrome Security Team (Jüri Aedla)._
  • [Windows only] [162066] Low CVE-2013-0830: Missing NUL termination in IPC. _Credit to Google Chrome Security Team (Justin Schuh)._
  • [161836] Low CVE-2013-0831: Possible path traversal from extension process. _Credit to Google Chrome Security Team (Tom Sepez)._
  • [160380] Medium CVE-2013-0832: Use-after-free with printing. _Credit to Google Chrome Security Team (Cris Neckar)._
  • [154485] Medium CVE-2013-0833: Out-of-bounds read with printing. _Credit to Google Chrome Security Team (Cris Neckar)._
  • [154283] Medium CVE-2013-0834: Out-of-bounds read with glyph handling. _Credit to Google Chrome Security Team (Cris Neckar)._
  • [152921] Low CVE-2013-0835: Browser crash with geolocation. _Credit to Arthur Gerkis._
  • [150545] High CVE-2013-0836: Crash in v8 garbage collection. _Credit to Google Chrome Security Team (Cris Neckar)._
  • [145363] Medium CVE-2013-0837: Crash in extension tab handling. _Credit to Tom Nielsen._
  • [Linux only] [143859] Low CVE-2013-0838: Tighten permissions on shared memory segments. _Credit to Google Chrome Security Team (Chris Palmer)._

Many of the above bugs were detected using AddressSanitizer.

The security issues in V8 have been fixed in v8-3.14.5.3.

We'd also like to thank Atte Kettunen and Sławomir Błażek for working with us during the development cycle and preventing security regressions from ever reaching the stable channel. Rewards were issued.

Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Dharani Govindan
Google Chrome

Affected configurations

Vulners node: google chrome, range < 24.0.1312.52

| CPE Name | Operator | Version |
|---|---|---|
| google chrome | lt | 24.0.1312.52 |
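
To check hosts against the affected range above (Chrome before 24.0.1312.52), the following added example, which is not part of the original advisory, compares reported versions numerically rather than as strings. The host names and sample versions are constructed, and `parse_version`, `classify` and `audit` are hypothetical helper names.

```python
import re

# First fixed Chrome build, taken from the affected range on this page.
FIXED_BUILD = "24.0.1312.52"

# Chrome versions have exactly four numeric components.
_VERSION_RE = re.compile(r"\d+(\.\d+){3}")


def parse_version(text):
    """Return a Chrome version as a tuple of four ints, or None if malformed."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text, fixed=FIXED_BUILD):
    """Classify one reported version as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never treat an unparsable value as patched
    return "affected" if version < parse_version(fixed) else "fixed"


def audit(inventory):
    """Map each status to the sorted list of hosts in that state."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, version_text in inventory.items():
        report[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts, not data from the page).
SAMPLE_INVENTORY = {
    "ws-001": "23.0.1271.97",
    "ws-002": "24.0.1312.52",
    "ws-003": "24.0.1312.6",    # a string comparison would rank this above .52
    "ws-004": "24.0.1312.100",  # a string comparison would rank this below .52
    "ws-005": "24.0.1312",      # truncated report
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need a manual check, since a truncated or malformed version string says nothing about patch level.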
