Bug 966121 (CVE-2013-2838) - CVE-2013-2838 v8: Denial of service (out-of-bounds read) via unspecified vectors
Status: CLOSED NOTABUG
Alias: CVE-2013-2838
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2013-05-22 14:19 UTC by Jan Lieskovsky
Modified: 2020-11-05 10:33 UTC (History)

Fixed In Version: V8-3.18.5
Doc Type: Bug Fix
Last Closed: 2013-05-23 18:58:46 UTC
Description Jan Lieskovsky 2013-05-22 14:19:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2838 to the following vulnerability:

Google V8, as used in Google Chrome before 27.0.1453.93, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

References:
[1] http://googlechromereleases.blogspot.com/2013/05/stable-channel-release.html
[2] https://code.google.com/p/chromium/issues/detail?id=235311

Upstream patch (covering multiple issues besides #235311):
[3] http://code.google.com/p/v8/source/detail?r=14498

Comment 1 Jan Lieskovsky 2013-05-22 14:25:28 UTC
This issue affects the versions of the v8 package, as shipped with Fedora releases 17 and 18. Please schedule an update.

--

This issue affects the version of the v8 package, as shipped with Fedora EPEL-6. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-05-22 14:27:20 UTC
Created v8 tracking bugs for this issue

Affects: fedora-all [bug 966127]
Affects: epel-6 [bug 966128]

Comment 3 T.C. Hollingsworth 2013-05-22 19:50:12 UTC
Node.js upstream notified in issue 5535:
https://github.com/joyent/node/issues/5535

Any indication whether this affects the 3.16 stable branch of V8 used in Fedora?  The upstream bug is still embargoed and there haven't been any pushes to this branch upstream since April.

That patch contains a lot of unrelated changes, so it can't be backported, and I cannot take any action in Fedora or EPEL at this time.  I'll have to wait for feedback here or from Node.js upstream (who is in much better contact with V8 upstream than myself).

Comment 4 T.C. Hollingsworth 2013-05-23 18:58:46 UTC
The actual patch is:
https://code.google.com/p/v8/source/detail?r=14481

This bug never affected the stable 3.16 series in Fedora, so no action is needed.  Closing NEXTRELEASE because when we update v8 we'll definitely update to a version that already has this fixed.

Comment 5 Tomas Hoger 2013-08-22 20:58:22 UTC
(In reply to T.C. Hollingsworth from comment #4)
> This bug never affected the stable 3.16 series in Fedora

Was this rather meant to say 3.14?  It does not seem 3.16 was ever in Fedora.  Any details on why 3.14/.16 was unaffected?  The fix seems applicable.

Comment 6 T.C. Hollingsworth 2013-08-22 22:01:00 UTC
Yeah, I meant 3.14, sorry.

The determination was made by the lead Node.js upstream developer:
https://github.com/joyent/node/issues/5535#issuecomment-18316882

To double-check, I ran the relevant regression test [1] and it passes with our current v8.

[1] https://github.com/v8/v8/blob/a295634/test/mjsunit/regress/regress-235311.js

Comment 7 Tomas Hoger 2013-08-23 14:22:18 UTC
Thank you!  I did see the node upstream ticket comment, and checked with the reproducer with the same results.  I could not see where the difference lies.
