Bug 1039889 (CVE-2013-6640)
| Field | Value |
|---|---|
| Summary | CVE-2013-6640 v8: DoS (out-of-bounds read) in DehoistArrayIndex function in hydrogen.cc |
| Product | [Other] Security Response |
| Reporter | Ratul Gupta <ratulg> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | abaron, aortega, apevec, ayoung, bdunne, bkearney, bleanhar, cbillett, ccoleman, chrisw, cpelland, dajohnso, dclarizi, dmcphers, drieden, gkotton, gmccullo, gmollett, iheim, jdetiber, jfrey, jialiu, jkeck, jokerman, jomara, jorton, jprause, jrafanie, jrusnack, katello-bugs, kseifried, lhh, lmeyer, markmc, mmaslano, mmccomas, mmccune, mmcgrath, nobody+bgollahe, obarenbo, rbryant, rhos-maint, sclewis, sgallagh, tcallawa, tchollingsworth, tdawson, thrcka, tjay, tomckay, tomspur, xlecauch, yeylon |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | v8 3.22.24.7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-10-30 12:59:16 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1039894, 1039895, 1139698 |
| Bug Blocks | 1040074, 1139716 |
Description
Ratul Gupta
2013-12-10 09:20:24 UTC

Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1039894]
Affects: epel-6 [bug 1039895]

Comment #2 (T.C. Hollingsworth):

This does not appear to affect the v8-3.14.5.10 stable version used by Fedora for node.js. The hydrogen-dehoist.cc file does not exist in this version.

Comment #3 (Garth Mollett):

(In reply to T.C. Hollingsworth from comment #2)
> This does not appear to affect the v8-3.14.5.10 stable version used by Fedora
> for node.js. The hydrogen-dehoist.cc file does not exist in this version.

I have had a look at this and while we have no file named hydrogen-dehoist.cc we do have hydrogen.cc that has a function DehoistArrayIndex() and looks to contain the vulnerable code.

I think perhaps this was split into multiple files in a later version (I haven't looked at the history upstream).

Would you mind double checking?

(In reply to Garth Mollett from comment #3)
> I have had a look at this and while we have no file named
> hydrogen-dehoist.cc we do have hydrogen.cc that has a function
> DehoistArrayIndex() and looks to contain
> the vulnerable code.
>
> I think perhaps this was split into multiple files in a later version (I
> haven't looked at the history upstream).
>
> Would you mind double checking?

Good catch. That's what I get for answering bugmail before coffee. :-(

You can test w/Fedora or EPEL's nodejs package by running:

```sh
wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319835.js
wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319860.js
node --allow_natives_syntax regress-crbug-319835.js
node --allow_natives_syntax regress-crbug-319860.js
```

The first `node` call segfaults as expected with the vulnerability, while the second one does not with Fedora's v8 version. I guess that isn't so strange given the question mark in the comments in the regression tests.

(I *really* wish Google would open their security bugs after CVEs go public. Playing these guessing games is getting really old...)

Backporting shouldn't be too difficult; will post a patch shortly.

Created attachment 836453
v8-3.14.5.10-CVE-2013-6640.patch

The attached patch resolves the issue with v8-3.14.5.10. The regression tests described above are confirmed to pass. Regression tests against nodejs itself to confirm that the patch doesn't cause any other issues also passed. Updates for Fedora and EPEL will be pushed shortly.

The above patch has now landed in the bundled copy of v8 on the upstream node v0.10 branch: https://github.com/joyent/node/pull/6699

v8-3.14.5.10-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

v8-3.14.5.10-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

v8-3.14.5.10-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

v8-3.14.5.10-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

node.js commit fixing this in embedded v8 copy: https://github.com/joyent/node/commit/39e2426

This issue has been addressed in the following products:

Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1744 https://rhn.redhat.com/errata/RHSA-2014-1744.html
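The verification procedure given in the thread (fetch the two upstream regression tests, run each under node with --allow_natives_syntax, and watch for a segfault) can be scripted so that a crash, an ordinary test failure and a pass are told apart by exit status instead of by eye. The script below is an added example, not code from the bug report, from Fedora or from upstream v8/nodejs; it assumes the two test files have already been downloaded into the current directory with the wget commands quoted above, and the function names `classify_status`, `run_regress_test` and `check_cve_2013_6640` and the `NODE` environment variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the bug report or from upstream v8/nodejs.
# Runs the two upstream regression tests referenced in the thread against a
# nodejs binary and classifies each outcome. Assumes the test files were
# already fetched into the current directory with the wget commands above.

# classify_status STATUS: print "pass" for exit 0, "crash" for a status of
# 128 or above (process killed by a signal, e.g. 139 = 128 + SIGSEGV),
# and "fail" for any other non-zero exit.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo pass
    elif [ "$1" -ge 128 ]; then
        echo crash
    else
        echo fail
    fi
}

# run_regress_test CMD [ARGS...]: run the command with its output discarded
# and print the classification of how it terminated. Wrapping the command
# in "if" keeps "set -e" from aborting the script on a crashing test.
run_regress_test() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# check_cve_2013_6640 [NODE_BINARY]: run both regression tests for this CVE
# (file names as used in the bug report). Returns 0 when both pass, 1 when
# any test fails or crashes, 2 when a test file is missing. The binary comes
# from the argument, then $NODE, then plain "node" (assumed default).
check_cve_2013_6640() {
    node_bin="${1:-${NODE:-node}}"
    rc=0
    for t in regress-crbug-319835.js regress-crbug-319860.js; do
        if [ ! -f "$t" ]; then
            echo "$t: missing (download it first)"
            rc=2
            continue
        fi
        result=$(run_regress_test "$node_bin" --allow_natives_syntax "$t")
        echo "$t: $result"
        [ "$result" = pass ] || rc=1
    done
    return "$rc"
}

# Run the check when this file is executed directly under this name.
if [ "${0##*/}" = "check-cve-2013-6640.sh" ]; then
    check_cve_2013_6640 "$@"
fi
```

Because the test for this CVE fails by killing the process rather than by exiting non-zero, a signal death (status 128 or above) is reported as `crash` separately from an ordinary `fail`; an unpatched v8-3.14.5.10 build should report `crash` for regress-crbug-319835.js and a patched one `pass` for both files. `run_regress_test` accepts any command, so the classification logic can be exercised on a machine without nodejs installed.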