Google has released version 20 of its Chrome browser, and has fixed a nice, symmetrical 20 flaws in the browser, including 13 high-risk bugs. Google also paid out $8,000 in rewards to researchers who reported bugs.
A large number of the bugs fixed in Chrome 20 are use-after-free vulnerabilities in various components of the browser. Many of the flaws in this release of the browser were discovered by members of the Google internal security team. Nearly all the other bugs were discovered and reported by a security researcher named Miaubiz, who took home $7,000 in bug bounties for his efforts.
In addition to the bug bounties paid to the researchers who reported Chrome-specific bugs, Google also paid out two rewards to researchers who found flaws that had a wider reach. Jüri Aedla earned $3,000 for discovering an integer overflow in libxml, and Nicholas Gregoire got $500 for a wild read in XSL handling.
The list of bugs fixed in Chrome 20:
- [118633] Low CVE-2012-2815: Leak of iframe fragment id. Credit to Elie Bursztein of Google.
- [Windows only] [119150] [119250] High CVE-2012-2816: Prevent sandboxed processes interfering with each other. Credit to Google Chrome Security Team (Justin Schuh).
- [$1000] [120222] High CVE-2012-2817: Use-after-free in table section handling. Credit to miaubiz.
- [$1000] [120944] High CVE-2012-2818: Use-after-free in counter layout. Credit to miaubiz.
- [120977] High CVE-2012-2819: Crash in texture handling. Credit to Ken “gets” Russell of the Chromium development community.
- [121926] Medium CVE-2012-2820: Out-of-bounds read in SVG filter handling. Credit to Atte Kettunen of OUSPG.
- [122925] Medium CVE-2012-2821: Autofill display problem. Credit to “simonbrown60”.
- [various] Medium CVE-2012-2822: Misc. lower severity OOB read issues in PDF. Credit to awesome ASAN and various Googlers (Kostya Serebryany, Evgeniy Stepanov, Mateusz Jurczyk, Gynvael Coldwind).
- [$1000] [124356] High CVE-2012-2823: Use-after-free in SVG resource handling. Credit to miaubiz.
- [$1000] [125374] High CVE-2012-2824: Use-after-free in SVG painting. Credit to miaubiz.
- [128688] Medium CVE-2012-2826: Out-of-bounds read in texture conversion. Credit to Google Chrome Security Team (Inferno).
- [Mac only] [129826] Low CVE-2012-2827: Use-after-free in Mac UI. Credit to the Chromium development community (Dharani Govindan).
- [129857] High CVE-2012-2828: Integer overflows in PDF. Credit to Mateusz Jurczyk of Google Security Team and Google Chrome Security Team (Chris Evans).
- [$1000] [129947] High CVE-2012-2829: Use-after-free in first-letter handling. Credit to miaubiz.
- [$1000] [129951] High CVE-2012-2830: Wild pointer in array value setting. Credit to miaubiz.
- [Windows only] [130276] Low CVE-2012-2764: Unqualified load of metro DLL. Credit to Moshe Zioni of Comsec Consulting.
- [$1000] [130356] High CVE-2012-2831: Use-after-free in SVG reference handling. Credit to miaubiz.
- [131553] High CVE-2012-2832: Uninitialized pointer in PDF image codec. Credit to Mateusz Jurczyk of Google Security Team.
- [132156] High CVE-2012-2833: Buffer overflow in PDF JS API. Credit to Mateusz Jurczyk of Google Security Team.
- [$1000] [132779] High CVE-2012-2834: Integer overflow in Matroska container. Credit to Jüri Aedla.