Package: chromium-browser
Version: 6.0.472.63~r59945-3
Severity: important
Tags: upstream patch security
browser/worker_host/message_port_dispatcher.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 does not properly handle certain postMessage calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted JavaScript code that creates a web worker.

I tested this on sid and confirmed the error. The attached patch comes from r66620 in the upstream repository and it's issue 63529.

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages chromium-browser depends on:
ii  chromium-browser-ins 6.0.472.63~r59945-3 page inspector for the chromium-br
ii  libasound2           1.0.23-2.1          shared library for ALSA applicatio
ii  libatk1.0-0          1.30.0-1            The ATK accessibility toolkit
ii  libbz2-1.0           1.0.5-6             high-quality block-sorting file co
ii  libc6                2.11.2-7            Embedded GNU C Library: Shared lib
ii  libcairo2            1.8.10-6            The Cairo 2D vector graphics libra
ii  libcups2             1.4.5-1             Common UNIX Printing System(tm) -
ii  libdbus-1-3          1.2.24-3            simple interprocess messaging syst
ii  libdbus-glib-1-2     0.88-2              simple interprocess messaging syst
ii  libevent-1.4-2       1.4.13-stable-1     An asynchronous event notification
ii  libexpat1            2.0.1-7             XML parsing C library - runtime li
ii  libfontconfig1       2.8.0-2.1           generic font configuration library
ii  libfreetype6         2.4.2-2.1           FreeType 2 font engine, shared lib
ii  libgcc1              1:4.4.5-10          GCC support library
ii  libgconf2-4          2.28.1-6            GNOME configuration database syste
ii  libgcrypt11          1.4.5-2             LGPL Crypto library - runtime libr
ii  libgl1-mesa-glx [lib 7.7.1-4             A free implementation of the OpenG
ii  libglewmx1.5         1.5.4-1             The OpenGL Extension Wrangler - ru
ii  libglib2.0-0         2.24.2-1            The GLib library of C routines
ii  libgtk2.0-0          2.20.1-2            The GTK+ graphical user interface
ii  libicu44             4.4.2-2             International Components for Unico
ii  libjpeg62            6b1-1               The Independent JPEG Group's JPEG
ii  libnspr4-0d          4.8.6-1             NetScape Portable Runtime Library
ii  libnss3-1d           3.12.8-1            Network Security Service libraries
ii  libpango1.0-0        1.28.3-1            Layout and rendering of internatio
ii  libpng12-0           1.2.44-1            PNG library - runtime
ii  libstdc++6           4.4.5-10            The GNU Standard C++ Library v3
ii  libv8-2.2.24         2.2.24-7            V8 JavaScript Engine
ii  libvpx0              0.9.1-2             VP8 video codec (shared library)
ii  libx11-6             2:1.3.3-4           X11 client-side library
ii  libxext6             2:1.1.2-1           X11 miscellaneous extension librar
ii  libxml2              2.7.8.dfsg-1        GNOME XML library
ii  libxrender1          1:0.9.6-1           X Rendering Extension client libra
ii  libxslt1.1           1.1.26-6            XSLT 1.0 processing library - runt
ii  libxss1              1:1.2.1-1           X11 Screen Saver extension library
ii  xdg-utils            1.0.2+cvs20100307-3 desktop integration utilities from
ii  zlib1g               1:1.2.3.4.dfsg-3    compression library - runtime

chromium-browser recommends no packages.

Versions of packages chromium-browser suggests:
ii  chromium-browser-l10 6.0.472.63~r59945-3 chromium-browser language packages

-- no debconf information
--- trunk/src/chrome/browser/worker_host/message_port_dispatcher.cc 2010/11/18 15:06:44 66619 +++ trunk/src/chrome/browser/worker_host/message_port_dispatcher.cc 2010/11/18 15:27:53 66620 @@ -195,11 +195,13 @@ sent_ports[i]->route_id = new_routing_ids[i]; } - // Now send the message to the entangled port. - IPC::Message* ipc_msg = new WorkerProcessMsg_Message( - entangled_port.route_id, message, sent_message_port_ids, - new_routing_ids); - entangled_port.sender->Send(ipc_msg); + if (entangled_port.sender) { + // Now send the message to the entangled port. + IPC::Message* ipc_msg = new WorkerProcessMsg_Message( + entangled_port.route_id, message, sent_message_port_ids, + new_routing_ids); + entangled_port.sender->Send(ipc_msg); + } } } @@ -210,9 +212,11 @@ } MessagePort& port = message_ports_[message_port_id]; - port.sender->Send(new WorkerProcessMsg_MessagesQueued(port.route_id)); - port.queue_messages = true; - port.sender = NULL; + if (port.sender) { + port.sender->Send(new WorkerProcessMsg_MessagesQueued(port.route_id)); + port.queue_messages = true; + port.sender = NULL; + } } void MessagePortDispatcher::OnSendQueuedMessages(
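Review bot: in the first hunk (@@ -195), the new `if (entangled_port.sender)` guard removes the NULL dereference, but when the sender is NULL the `WorkerProcessMsg_Message` is now silently dropped: `message`, `sent_message_port_ids` and the `new_routing_ids` that were just assigned to `sent_ports[i]->route_id` are discarded with no queueing and no error path. The second hunk shows that a NULL sender is exactly the state a port enters when its messages are meant to be queued (`port.queue_messages = true; port.sender = NULL;`), so consider whether this branch should append to that port's queue instead of dropping, or at least add a comment explaining why losing the message here is acceptable.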
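Review bot: in the second hunk (@@ -210), the `if (port.sender)` guard turns a repeated queue request for an already-queued port (sender already NULL) into a silent no-op and leaves `port.queue_messages` untouched in that case, so correctness now depends on the NULL sender and the `queue_messages` flag always changing together. A one-line comment stating that a NULL sender means the port is already queueing, or a `DCHECK(port.queue_messages)` on the else path, would make that invariant explicit. Separately, `message_ports_[message_port_id]` just above the hunk uses operator[], which inserts a default entry for an unknown id; the check whose closing `}` precedes it is cut off here, so please confirm it returns early when the id is not present.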