Bug 1077141 (CVE-2014-1705) - CVE-2014-1705 v8: ArrayBuffer memory corruption fixed in Chrome 33.0.1750.152
Summary: CVE-2014-1705 v8: ArrayBuffer memory corruption fixed in Chrome 33.0.1750.152
Alias: CVE-2014-1705
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1077144 1077145
Blocks: 1077147
TreeView+ depends on / blocked
Reported: 2014-03-17 10:44 UTC by Murray McAllister
Modified: 2020-11-05 10:33 UTC (History)
50 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-13 11:10:22 UTC

Attachments (Terms of Use)

Description Murray McAllister 2014-03-17 10:44:50 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1705 to
the following vulnerability:

Name: CVE-2014-1705
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1705
Assigned: 20140129
Reference: http://googlechromereleases.blogspot.com/2014/03/stable-channel-update-for-chrome-os_14.html
Reference: http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_14.html
Reference: https://code.google.com/p/chromium/issues/detail?id=351787

Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and
Linux and before 33.0.1750.154 on Windows, allows remote attackers to
cause a denial of service (memory corruption) or possibly have
unspecified other impact via unknown vectors.

Comment 1 Murray McAllister 2014-03-17 10:51:50 UTC
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1077144]
Affects: epel-6 [bug 1077145]

Comment 2 T.C. Hollingsworth 2014-03-18 22:07:53 UTC
Upstream fix:  https://codereview.chromium.org/197793003

Comment 3 T.C. Hollingsworth 2014-03-18 22:14:49 UTC
And this one also involves a bunch of code not present in v8 3.14.  (The only ArrayBuffer and TypedArray classes I can find are in d8.cc, which can't possibly affect chromium or node.)

Comment 4 Tomas Hoger 2014-06-13 11:02:56 UTC
It seems V8 only got TypedArray support with/after this commit:

Before that, their support was implemented in d8, rather than in the V8 directly.  That implementation seems to have an issue of its own, upstream test (regress-crbug-351787.js) triggers crash on out-of-bounds memcpy() in Shell::ArrayBufferSlice.  The following part triggers the issue:

  var ab1 = new ArrayBuffer(8);
  ab1.__defineGetter__("byteLength", function() { return 1000000; });
  var ab2 = ab1.slice(800000, 900000);

Node.js also has its own implementation of TypedArray.  Test case for this issue does not trigger any node crash.

Comment 5 Tomas Hoger 2014-06-13 11:10:22 UTC
(In reply to T.C. Hollingsworth from comment #2)
> Upstream fix:  https://codereview.chromium.org/197793003

Direct upstream commit link:

Note You need to log in before you can comment on or make changes to this bug.