Bug 1074737 (CVE-2013-6668) - CVE-2013-6668 v8: multiple vulnerabilities fixed in Google Chrome version 33.0.1750.146
Summary: CVE-2013-6668 v8: multiple vulnerabilities fixed in Google Chrome version 33....
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6668
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1074739 1074740 1139698
Blocks: 1072168 1139716
TreeView+ depends on / blocked
 
Reported: 2014-03-11 01:51 UTC by Murray McAllister
Modified: 2021-02-17 06:47 UTC (History)
50 users (show)

Fixed In Version: v8 3.24.35.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-30 12:59:28 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1744 0 normal SHIPPED_LIVE Moderate: v8314-v8 security update 2014-10-30 16:08:15 UTC

Description Murray McAllister 2014-03-11 01:51:47 UTC 
The Google Chrome 3.24.35.10 release[1] fixed a number of vulnerabilities in v8:

343964
https://codereview.chromium.org/170343003
https://code.google.com/p/chromium/issues/detail?id=343964

344186
https://codereview.chromium.org/172093002
https://code.google.com/p/chromium/issues/detail?id=344186

347909
https://codereview.chromium.org/184393002
https://code.google.com/p/chromium/issues/detail?id=347909

From an initial inspection, these all require untrusted JavaScript to be parsed to trigger the issues. As such, these should have a moderate or low impact for the way v8 is used in Red Hat products.

[1] http://googlechromereleases.blogspot.com.au/2014/03/stable-channel-update.html
Comment 2 Murray McAllister 2014-03-11 02:01:14 UTC 
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1074739]
Affects: epel-6 [bug 1074740]
Comment 3 T.C. Hollingsworth 2014-03-18 22:01:22 UTC 
(In reply to Murray McAllister from comment #0)
> The Google Chrome 3.24.35.10 release[1] fixed a number of vulnerabilities in
> v8:
> 
> 343964
> https://codereview.chromium.org/170343003

This patch touches a number of functions that do not exist in v8 3.14.

> 344186
> https://codereview.chromium.org/172093002

This patch is to a file that does not exist in v8 3.14.

> 347909
> https://codereview.chromium.org/184393002

This patch also seems to be for code that does not exist in our v8.
Comment 4 Tomas Hoger 2014-06-16 08:46:14 UTC 
(In reply to T.C. Hollingsworth from comment #3)
> > 344186
> > https://codereview.chromium.org/172093002
> 
> This patch is to a file that does not exist in v8 3.14.

In v8 3.14, BoundsCheckBbData is in src/hydrogen.cc.  Upstream test case for this bug also crashes 3.14.
Comment 5 Tomas Hoger 2014-06-16 19:09:07 UTC 
Note there is an additional follow-up fix for the code modified by the commit mentioned in comment 4 under CVE-2014-1729, see bug 1086120 comment 2.
Comment 6 Tomas Hoger 2014-09-03 14:06:06 UTC 
(In reply to Tomas Hoger from comment #4)
> (In reply to T.C. Hollingsworth from comment #3)
> > > 344186
> > > https://codereview.chromium.org/172093002
> > 
> > This patch is to a file that does not exist in v8 3.14.
> 
> In v8 3.14, BoundsCheckBbData is in src/hydrogen.cc.  Upstream test case for
> this bug also crashes 3.14.

Backport of the fix to v8 bundled with node.js 0.10:

https://github.com/joyent/node/commit/fd80a31e0697d6317ce8c2d289575399f4e06d21

released as part of node.js 0.10.31:

http://blog.nodejs.org/2014/08/19/node-v0-10-31-stable/
Comment 9 T.C. Hollingsworth 2014-09-18 04:05:25 UTC 
(In reply to Tomas Hoger from comment #6)
> Backport of the fix to v8 bundled with node.js 0.10:
> 
> https://github.com/joyent/node/commit/
> fd80a31e0697d6317ce8c2d289575399f4e06d21
> 
> released as part of node.js 0.10.31:
> 
> http://blog.nodejs.org/2014/08/19/node-v0-10-31-stable/

Please make sure you also pull in:
https://github.com/joyent/node/commit/3122e0eae64c5ab494b29d0a9cadef902d93f1f9

Otherwise lots of applications will segfault:
https://github.com/joyent/node/issues/8208
Comment 10 Fedora Update System 2014-09-27 09:48:03 UTC 
nodejs-0.10.32-1.fc21, v8-3.14.5.10-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2014-09-28 04:26:06 UTC 
nodejs-0.10.32-1.fc19, v8-3.14.5.10-14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-09-28 04:29:25 UTC 
nodejs-0.10.32-1.fc20, v8-3.14.5.10-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Garth Mollett 2014-10-08 06:16:58 UTC 
Statement:

Red Hat Product Security has rated this issue as having Low security impact in Red Hat Enterprise Linux OpenStack Platform. This issue is not currently planned to be addressed in a future security update.
Comment 14 errata-xmlrpc 2014-10-30 12:09:16 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1744 https://rhn.redhat.com/errata/RHSA-2014-1744.html
Comment 15 Fedora Update System 2014-10-31 01:22:00 UTC 
nodejs-0.10.32-1.el7, v8-3.14.5.10-14.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2014-10-31 01:27:26 UTC 
nodejs-0.10.32-1.el6, v8-3.14.5.10-14.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.