Bug 1150848 (CVE-2014-3188) - CVE-2014-3188 v8: IPC and v8 issue fixed in Google Chrome 38.0.2125.101
Summary: CVE-2014-3188 v8: IPC and v8 issue fixed in Google Chrome 38.0.2125.101
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-3188
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1151335 1151338
Blocks: 1150851 1151371
TreeView+ depends on / blocked
 
Reported: 2014-10-09 04:21 UTC by Murray McAllister
Modified: 2020-11-05 10:31 UTC (History)
51 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 16:23:57 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1626 0 normal SHIPPED_LIVE Critical: chromium-browser security update 2014-10-14 11:22:06 UTC

Description Murray McAllister 2014-10-09 04:21:31 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3188 to
the following vulnerability:

Name: CVE-2014-3188
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3188
Assigned: 20140503
Reference: http://googlechromereleases.blogspot.com/2014/10/stable-channel-update-for-chrome-os.html
Reference: http://googlechromereleases.blogspot.com/2014/10/stable-channel-update.html
Reference: https://code.google.com/p/v8/source/detail?r=24125
Reference: https://crbug.com/416449

Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101
do not properly handle the interaction of IPC and Google V8, which
allows remote attackers to execute arbitrary code via vectors
involving JSON data, related to improper parsing of an escaped index
by ParseJsonObject in json-parser.h.

From an initial inspection, the affected function does not appear to be in Fedora v8 or the ruby193-v8-3.14.5.10 packages.
Comment 3 errata-xmlrpc 2014-10-14 08:34:35 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:1626 https://rhn.redhat.com/errata/RHSA-2014-1626.html
Comment 7 Yadnyawalk Tale 2020-08-04 10:37:53 UTC 
manifest.txt:36260:rhn_satellite:6.5/v8-3.14.5.10-19.el7sat

At this time, we have no additional z-streams planned for sat-6.5.z. Based upon that and that this is a low severity issue, closing this one as wontfix. 
Ref: https://access.redhat.com/support/policy/updates/satellite
Note You need to log in before you can comment on or make changes to this bug.