Bug 966121 (CVE-2013-2838)

Summary: CVE-2013-2838 v8: Denial of service (out-of-bounds read) via unspecified vectors
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: sgallagh, tcallawa, tchollingsworth, thrcka, tomspur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: V8-3.18.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-23 18:58:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 966127, 966128
Bug Blocks:

Description Jan Lieskovsky 2013-05-22 14:19:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2838 to the following vulnerability:

Google V8, as used in Google Chrome before 27.0.1453.93, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

References:
[1] http://googlechromereleases.blogspot.com/2013/05/stable-channel-release.html
[2] https://code.google.com/p/chromium/issues/detail?id=235311

Upstream patch (covering multiple issues besides #235311):
[3] http://code.google.com/p/v8/source/detail?r=14498

Comment 1 Jan Lieskovsky 2013-05-22 14:25:28 UTC
This issue affects the versions of the v8 package, as shipped with Fedora releases 17 and 18. Please schedule an update.

--

This issue affects the version of the v8 package, as shipped with Fedora EPEL-6. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-05-22 14:27:20 UTC
Created v8 tracking bugs for this issue

Affects: fedora-all [bug 966127]
Affects: epel-6 [bug 966128]

Comment 3 T.C. Hollingsworth 2013-05-22 19:50:12 UTC
Node.js upstream notified in issue 5535:
https://github.com/joyent/node/issues/5535

Any indication whether this affects the 3.16 stable branch of V8 used in Fedora?  The upstream bug is still embargoed and there haven't been any pushes to this branch upstream since April.

That patch contains a lot of unrelated changes, so it can't be backported, and I cannot take any action in Fedora or EPEL at this time.  I'll have to wait for feedback here or from Node.js upstream (who is in much better contact with V8 upstream than myself).

Comment 4 T.C. Hollingsworth 2013-05-23 18:58:46 UTC
The actual patch is:
https://code.google.com/p/v8/source/detail?r=14481

This bug never affected the stable 3.16 series in Fedora, so no action is needed.  Closing NEXTRELEASE because when we update v8 we'll definitely update to a version that already has this fixed.

Comment 5 Tomas Hoger 2013-08-22 20:58:22 UTC
(In reply to T.C. Hollingsworth from comment #4)
> This bug never affected the stable 3.16 series in Fedora

Was this rather meant to say 3.14?  It does not seem 3.16 was ever in Fedora.  Any details on why 3.14/.16 was unaffected?  The fix seems applicable.

Comment 6 T.C. Hollingsworth 2013-08-22 22:01:00 UTC
Yeah, I meant 3.14, sorry.

The determination was made by the lead Node.js upstream developer:
https://github.com/joyent/node/issues/5535#issuecomment-18316882

To double-check, I ran the relevant regression test [1] and it passes with our current v8.

[1] https://github.com/v8/v8/blob/a295634/test/mjsunit/regress/regress-235311.js

Comment 7 Tomas Hoger 2013-08-23 14:22:18 UTC
Thank you!  I did see the node upstream ticket comment, and checked with the reproducer with the same results.  I could not see where the difference lies.