Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6640 to the following vulnerability:

Name: CVE-2013-6640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6640
Assigned: 20131105
Reference: http://code.google.com/p/v8/source/detail?r=17801
Reference: http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=319860

The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds read) via JavaScript code that sets a variable to the value of an array element with a crafted index.
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1039894]
Affects: epel-6 [bug 1039895]
This does not appear to affect the v8-3.14.5.10 stable version used by Fedora for node.js. The hydrogen-dehoist.cc file does not exist in this version.
(In reply to T.C. Hollingsworth from comment #2)
> This does not appear to affect the v8-3.14.5.10 stable version used by Fedora
> for node.js. The hydrogen-dehoist.cc file does not exist in this version.

I have had a look at this and while we have no file named hydrogen-dehoist.cc we do have hydrogen.cc that has a function DehoistArrayIndex() and looks to contain the vulnerable code.

I think perhaps this was split into multiple files in a later version (I haven't looked at the history upstream).

Would you mind double checking?
(In reply to Garth Mollett from comment #3)
> I have had a look at this and while we have no file named
> hydrogen-dehoist.cc we do have hydrogen.cc that has a function
> DehoistArrayIndex() and looks to contain the vulnerable code.
>
> I think perhaps this was split into multiple files in a later version (I
> haven't looked at the history upstream).
>
> Would you mind double checking?

Good catch. That's what I get for answering bugmail before coffee. :-(

You can test w/Fedora or EPEL's nodejs package by running:

wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319835.js
wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319860.js
node --allow_natives_syntax regress-crbug-319835.js
node --allow_natives_syntax regress-crbug-319860.js

The first `node` call segfaults as expected with the vulnerability, while the second one does not with Fedora's v8 version. I guess that isn't so strange given the question mark in the comments in the regression tests.

(I *really* wish Google would open their security bugs after CVEs go public. Playing these guessing games is getting really old...)

Backporting shouldn't be too difficult; will post a patch shortly.
Created attachment 836453 [details]
v8-3.14.5.10-CVE-2013-6640.patch

The attached patch resolves the issue with v8-3.14.5.10. The regression tests described above are confirmed to pass. Regression tests against nodejs itself to confirm that the patch doesn't cause any other issues also passed.

Updates for Fedora and EPEL will be pushed shortly.
The above patch has now landed in the bundled copy of v8 on the upstream node v0.10 branch: https://github.com/joyent/node/pull/6699
v8-3.14.5.10-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
v8-3.14.5.10-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
v8-3.14.5.10-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
v8-3.14.5.10-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
node.js commit fixing this in embedded v8 copy: https://github.com/joyent/node/commit/39e2426
This issue has been addressed in the following products:

Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1744 https://rhn.redhat.com/errata/RHSA-2014-1744.html