Bug 1039887 (CVE-2013-6638)

Summary: CVE-2013-6638 v8: multiple buffer overflows in runtime.cc
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bdunne, bgollahe, bkearney, bleanhar, cbillett, ccoleman, chrisw, cpelland, dajohnso, dallan, dclarizi, dmcphers, drieden, gkotton, gmccullo, gmollett, hateya, jdetiber, jfrey, jialiu, jkeck, jokerman, jomara, jorton, jprause, jrafanie, katello-bugs, kseifried, lhh, lmeyer, markmc, mmaslano, mmccomas, mmccune, nobody+bgollahe, obarenbo, rbryant, rhos-maint, sclewis, sgallagh, tcallawa, tchollingsworth, tdawson, thrcka, tjay, tkramer, tomckay, tomspur, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: v8 3.22.24.7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-11 06:19:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1039892, 1039893    
Bug Blocks: 1040074    

Description Ratul Gupta 2013-12-10 09:20:03 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6638 to the following vulnerability:

Name: CVE-2013-6638
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6638
Assigned: 20131105
Reference: http://www.mail-archive.com/v8-dev@googlegroups.com/msg79646.html
Reference: http://code.google.com/p/v8/source/detail?r=17800
Reference: http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=319722

Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large typed array, related to the (1) Runtime_TypedArrayInitialize and (2) Runtime_TypedArrayInitializeFromArrayLike functions.
Comment 1 Ratul Gupta 2013-12-10 09:24:57 UTC 
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1039892]
Affects: epel-6 [bug 1039893]
Comment 2 T.C. Hollingsworth 2013-12-10 15:53:43 UTC 
This does not appear to affect v8-3.14.5.10 stable version used by Fedora for node.js.  The TypedArray class affected does not exist in this version.
Comment 3 Garth Mollett 2013-12-11 04:11:17 UTC 
(In reply to T.C. Hollingsworth from comment #2)
> This does not appear to affect v8-3.14.5.10 stable version used by Fedora
> for node.js.  The TypedArray class affected does not exist in this version.

Same appears to be true for the ruby193-v8 versions as shipped by openstack,openshift,cloudforms, satellite and sam.
Comment 4 Garth Mollett 2013-12-11 06:19:20 UTC 
Statement:

Not Vulnerable. This issue only affects versions of v8 that support typed arrays. This issue does not affect the versions of v8 as shipped with various Red Hat products.