Bug 1077141 (CVE-2014-1705)

Summary: CVE-2014-1705 v8: ArrayBuffer memory corruption fixed in Chrome 33.0.1750.152
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bdunne, bkearney, bleanhar, cbillett, ccoleman, chrisw, cpelland, dajohnso, dallan, dclarizi, dmcphers, gkotton, gmccullo, jdetiber, jfrey, jialiu, jkeck, jokerman, jomara, jorton, jprause, jrafanie, katello-bugs, kseifried, lhh, lmeyer, markmc, mfeifer, mmaslano, mmccomas, mmccune, obarenbo, rbryant, rhos-maint, sclewis, sgallagh, tcallawa, tchollingsworth, thrcka, tjay, tkramer, tomckay, tomspur, vdanen, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:10:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1077144, 1077145    
Bug Blocks: 1077147    

Description Murray McAllister 2014-03-17 10:44:50 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1705 to
the following vulnerability:

Name: CVE-2014-1705
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1705
Assigned: 20140129
Reference: http://googlechromereleases.blogspot.com/2014/03/stable-channel-update-for-chrome-os_14.html
Reference: http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_14.html
Reference: https://code.google.com/p/chromium/issues/detail?id=351787

Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and
Linux and before 33.0.1750.154 on Windows, allows remote attackers to
cause a denial of service (memory corruption) or possibly have
unspecified other impact via unknown vectors.
Comment 1 Murray McAllister 2014-03-17 10:51:50 UTC 
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1077144]
Affects: epel-6 [bug 1077145]
Comment 2 T.C. Hollingsworth 2014-03-18 22:07:53 UTC 
Upstream fix:  https://codereview.chromium.org/197793003
Comment 3 T.C. Hollingsworth 2014-03-18 22:14:49 UTC 
And this one also involves a bunch of code not present in v8 3.14.  (The only ArrayBuffer and TypedArray classes I can find are in d8.cc, which can't possibly affect chromium or node.)
Comment 4 Tomas Hoger 2014-06-13 11:02:56 UTC 
It seems V8 only got TypedArray support with/after this commit:
https://code.google.com/p/v8/source/detail?r=14285

Before that, their support was implemented in d8, rather than in the V8 directly.  That implementation seems to have an issue of its own, upstream test (regress-crbug-351787.js) triggers crash on out-of-bounds memcpy() in Shell::ArrayBufferSlice.  The following part triggers the issue:

  var ab1 = new ArrayBuffer(8);
  ab1.__defineGetter__("byteLength", function() { return 1000000; });
  var ab2 = ab1.slice(800000, 900000);

Node.js also has its own implementation of TypedArray.  Test case for this issue does not trigger any node crash.
Comment 5 Tomas Hoger 2014-06-13 11:10:22 UTC 
(In reply to T.C. Hollingsworth from comment #2)
> Upstream fix:  https://codereview.chromium.org/197793003

Direct upstream commit link:
https://code.google.com/p/v8/source/detail?r=19862