Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1077141 - (CVE-2014-1705) CVE-2014-1705 v8: ArrayBuffer memory corruption fixed in Chrome 33.0.1750.152
CVE-2014-1705 v8: ArrayBuffer memory corruption fixed in Chrome 33.0.1750.152
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140314,repor...
: Security
Depends On: 1077144 1077145
Blocks: 1077147
  Show dependency treegraph
 
Reported: 2014-03-17 06:44 EDT by Murray McAllister
Modified: 2016-04-26 13:24 EDT (History)
51 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 07:10:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Murray McAllister 2014-03-17 06:44:50 EDT 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1705 to
the following vulnerability:

Name: CVE-2014-1705
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1705
Assigned: 20140129
Reference: http://googlechromereleases.blogspot.com/2014/03/stable-channel-update-for-chrome-os_14.html
Reference: http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_14.html
Reference: https://code.google.com/p/chromium/issues/detail?id=351787

Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and
Linux and before 33.0.1750.154 on Windows, allows remote attackers to
cause a denial of service (memory corruption) or possibly have
unspecified other impact via unknown vectors.
Comment 1 Murray McAllister 2014-03-17 06:51:50 EDT 
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1077144]
Affects: epel-6 [bug 1077145]
Comment 2 T.C. Hollingsworth 2014-03-18 18:07:53 EDT 
Upstream fix:  https://codereview.chromium.org/197793003
Comment 3 T.C. Hollingsworth 2014-03-18 18:14:49 EDT 
And this one also involves a bunch of code not present in v8 3.14.  (The only ArrayBuffer and TypedArray classes I can find are in d8.cc, which can't possibly affect chromium or node.)
Comment 4 Tomas Hoger 2014-06-13 07:02:56 EDT 
It seems V8 only got TypedArray support with/after this commit:
https://code.google.com/p/v8/source/detail?r=14285

Before that, their support was implemented in d8, rather than in the V8 directly.  That implementation seems to have an issue of its own, upstream test (regress-crbug-351787.js) triggers crash on out-of-bounds memcpy() in Shell::ArrayBufferSlice.  The following part triggers the issue:

  var ab1 = new ArrayBuffer(8);
  ab1.__defineGetter__("byteLength", function() { return 1000000; });
  var ab2 = ab1.slice(800000, 900000);

Node.js also has its own implementation of TypedArray.  Test case for this issue does not trigger any node crash.
Comment 5 Tomas Hoger 2014-06-13 07:10:22 EDT 
(In reply to T.C. Hollingsworth from comment #2)
> Upstream fix:  https://codereview.chromium.org/197793003

Direct upstream commit link:
https://code.google.com/p/v8/source/detail?r=19862
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.