Google has fixed 12 security vulnerabilities in Chrome, including six high-risk bugs. The new version of the browser includes a number of fixes for bugs discovered by external researchers as well as by Google’s own internal security team.
Two of the more serious vulnerabilities patched in Chrome include use-after-free bugs in various elements of the browser, and there also are two out of bounds reads in the browser. Those are listed as high-risk flaws, as well. But perhaps the most interesting bug fixed in the new version is a medium-risk vulnerability related to the TLS negotiation process. During that process, Chrome failed to do a check of some certificates it encountered.
Here’s the full list of bugs fixed Chrome 31:
$500][268565] Medium CVE-2013-6621: Use after free related to speech input elements. Credit to Khalil Zhani.
[$2000][272786] High CVE-2013-6622: Use after free related to media elements. Credit to cloudfuzzer.
[$500][282925] High CVE-2013-6623: Out of bounds read in SVG. Credit to miaubiz.
[$1000][290566] High CVE-2013-6624: Use after free related to “id” attribute strings. Credit to Jon Butler.
[$2000][295010] High CVE-2013-6625: Use after free in DOM ranges. Credit to cloudfuzzer.
[295695] Low CVE-2013-6626: Address bar spoofing related to interstitial warnings. Credit to Chamal de Silva.
[$4000][299892] High CVE-2013-6627: Out of bounds read in HTTP parsing. Credit to skylined.
[$1000][306959] Medium CVE-2013-6628: Issue with certificates not being checked during TLS renegotiation. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco of INRIA Paris.
-
[315823] Medium-Critical CVE-2013-2931: Various fixes from internal audits, fuzzing and other initiatives.
-
[258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and libjpeg-turbo. Credit to Michal Zalewski of Google.
-
[299835] Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo. Credit to Michal Zalewski of Google.
-
[296804] High CVE-2013-6631: Use after free in libjingle. Credit to Patrik Höglund of the Chromium project.
As part of its bug reward program, Google paid out $11,000 in bounties to external researchers.