Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 25 security fixes. Below, we highlight fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information.

[$500][268565] Medium CVE-2013-6621: Use after free related to speech input elements. Credit to Khalil Zhani.

[$2000][272786] High CVE-2013-6622: Use after free related to media elements. Credit to cloudfuzzer.

[$500][282925] High CVE-2013-6623: Out of bounds read in SVG. Credit to miaubiz.

[$1000][290566] High CVE-2013-6624: Use after free related to “id” attribute strings. Credit to Jon Butler.

[$2000][295010] High CVE-2013-6625: Use after free in DOM ranges. Credit to cloudfuzzer.

[295695] Low CVE-2013-6626: Address bar spoofing related to interstitial warnings. Credit to Chamal de Silva.

[$4000][299892] High CVE-2013-6627: Out of bounds read in HTTP parsing. Credit to skylined.

[$1000][306959] Medium CVE-2013-6628: Issue with certificates not being checked during TLS renegotiation. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco of INRIA Paris.


We would also like to thank miaubiz and Atte Kettunen of OUSPG for working with us during the development cycle to prevent security bugs from ever reaching the stable channel. $2000 in additional rewards were issued.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

[315823] Medium-Critical CVE-2013-2931: Various fixes from internal audits, fuzzing and other initiatives.

[258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and libjpeg-turbo. Credit to Michal Zalewski of Google.

[299835] Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo. Credit to Michal Zalewski of Google.

[296804] High CVE-2013-6631: Use after free in libjingle. Credit to Patrik Höglund of the Chromium project.


Many of the above bugs were detected using AddressSanitizer.

A full list of changes is available in the SVN log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Anthony Laforge
Google Chrome