[Pkg-javascript-devel] Bug#773671: libv8-3.14: multiple security issues

Michael Gilbert mgilbert at debian.org
Sun Dec 21 20:19:42 UTC 2014


package: src:libv8-3.14
severity: grave
tags: security

Hi,

the following vulnerabilities were published for libv8-3.14.

CVE-2013-2632[0]:
| Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3,
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via crafted
| JavaScript code, as demonstrated by the Bejeweled game.

CVE-2013-2838[1]:
| Google V8, as used in Google Chrome before 27.0.1453.93, allows remote
| attackers to cause a denial of service (out-of-bounds read) via
| unspecified vectors.

CVE-2013-2882[2]:
| Google V8, as used in Google Chrome before 28.0.1500.95, allows remote
| attackers to cause a denial of service or possibly have unspecified
| other impact via vectors that leverage "type confusion."

CVE-2013-2919[3]:
| Google V8, as used in Google Chrome before 30.0.1599.66, allows remote
| attackers to cause a denial of service (memory corruption) or possibly
| have unspecified other impact via unknown vectors.

CVE-2013-6638[4]:
| Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7,
| as used in Google Chrome before 31.0.1650.63, allow remote attackers
| to cause a denial of service or possibly have unspecified other impact
| via vectors that trigger a large typed array, related to the (1)
| Runtime_TypedArrayInitialize and (2)
| Runtime_TypedArrayInitializeFromArrayLike functions.

CVE-2013-6639[5]:
| The DehoistArrayIndex function in hydrogen-dehoist.cc (aka
| hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome
| before 31.0.1650.63, allows remote attackers to cause a denial of
| service (out-of-bounds write) or possibly have unspecified other
| impact via JavaScript code that sets the value of an array element
| with a crafted index.

CVE-2013-6640[6]:
| The DehoistArrayIndex function in hydrogen-dehoist.cc (aka
| hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome
| before 31.0.1650.63, allows remote attackers to cause a denial of
| service (out-of-bounds read) via JavaScript code that sets a variable
| to the value of an array element with a crafted index.

CVE-2013-6649[7]:
| Use-after-free vulnerability in the RenderSVGImage::paint function in
| core/rendering/svg/RenderSVGImage.cpp in Blink, as used in Google
| Chrome before 32.0.1700.102, allows remote attackers to cause a denial
| of service or possibly have unspecified other impact via vectors
| involving a zero-size SVG image.

CVE-2013-6650[8]:
| The StoreBuffer::ExemptPopularPages function in store-buffer.cc in
| Google V8 before 3.22.24.16, as used in Google Chrome before
| 32.0.1700.102, allows remote attackers to cause a denial of service
| (memory corruption) or possibly have unspecified other impact via
| vectors that trigger incorrect handling of "popular pages."

CVE-2013-6668[9]:
| Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10,
| as used in Google Chrome before 33.0.1750.146, allow attackers to
| cause a denial of service or possibly have other impact via unknown
| vectors.

CVE-2014-1704[10]:
| Multiple unspecified vulnerabilities in Google V8 before 3.23.17.18,
| as used in Google Chrome before 33.0.1750.149, allow attackers to
| cause a denial of service or possibly have other impact via unknown
| vectors.

CVE-2014-1705[11]:
| Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and
| Linux and before 33.0.1750.154 on Windows, allows remote attackers to
| cause a denial of service (memory corruption) or possibly have
| unspecified other impact via unknown vectors.

CVE-2014-1716[12]:
| Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype
| function in runtime.cc in Google V8, as used in Google Chrome before
| 34.0.1847.116, allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-1717[13]:
| Google V8, as used in Google Chrome before 34.0.1847.116, does not
| properly use numeric casts during handling of typed arrays, which
| allows remote attackers to cause a denial of service (out-of-bounds
| array access) or possibly have unspecified other impact via crafted
| JavaScript code.

CVE-2014-1729[15]:
| Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22,
| as used in Google Chrome before 34.0.1847.116, allow attackers to
| cause a denial of service or possibly have other impact via unknown
| vectors.

CVE-2014-1730[16]:
| Google V8, as used in Google Chrome before 34.0.1847.131 on Windows
| and OS X and before 34.0.1847.132 on Linux, does not properly store
| internationalization metadata, which allows remote attackers to bypass
| intended access restrictions by leveraging "type confusion" and
| reading property values, related to i18n.js and runtime.cc.

CVE-2014-1735[17]:
| Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33,
| as used in Google Chrome before 34.0.1847.131 on Windows and OS X and
| before 34.0.1847.132 on Linux, allow attackers to cause a denial of
| service or possibly have other impact via unknown vectors.

CVE-2014-1736[18]:
| Integer overflow in api.cc in Google V8, as used in Google Chrome
| before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on
| Linux, allows remote attackers to cause a denial of service or
| possibly have unspecified other impact via a large length value.

CVE-2014-3152[19]:
| Integer underflow in the LCodeGen::PrepareKeyedOperand function in
| arm/lithium-codegen-arm.cc in Google V8 before 3.25.28.16, as used in
| Google Chrome before 35.0.1916.114, allows remote attackers to cause a
| denial of service or possibly have unspecified other impact via
| vectors that trigger a negative key value.

CVE-2014-3188[20]:
| Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101
| do not properly handle the interaction of IPC and Google V8, which
| allows remote attackers to execute arbitrary code via vectors
| involving JSON data, related to improper parsing of an escaped index
| by ParseJsonObject in json-parser.h.

CVE-2014-3195[21]:
| Google V8, as used in Google Chrome before 38.0.2125.101, does not
| properly track JavaScript heap-memory allocations as allocations of
| uninitialized memory and does not properly concatenate arrays of
| double-precision floating-point numbers, which allows remote attackers
| to obtain sensitive information via crafted JavaScript code, related
| to the PagedSpace::AllocateRaw and NewSpace::AllocateRaw functions in
| heap/spaces-inl.h, the LargeObjectSpace::AllocateRaw function in
| heap/spaces.cc, and the Runtime_ArrayConcat function in runtime.cc.

CVE-2014-3199[22]:
| The wrap function in bindings/core/v8/custom/V8EventCustom.cpp in the
| V8 bindings in Blink, as used in Google Chrome before 38.0.2125.101,
| has an erroneous fallback outcome for wrapper-selection failures,
| which allows remote attackers to cause a denial of service via vectors
| that trigger stopping a worker process that had been handling an Event
| object.

CVE-2014-7967[23]:
| Multiple unspecified vulnerabilities in Google V8 before 3.28.71.15,
| as used in Google Chrome before 38.0.2125.101, allow attackers to
| cause a denial of service or possibly have other impact via unknown
| vectors.

These are basically untriaged since libv8 hasn't had security support
in the past.  It's up to you to get them triaged and fixed for that to
start.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2013-2632
[1] https://security-tracker.debian.org/tracker/CVE-2013-2838
[2] https://security-tracker.debian.org/tracker/CVE-2013-2882
[3] https://security-tracker.debian.org/tracker/CVE-2013-2919
[4] https://security-tracker.debian.org/tracker/CVE-2013-6638
[5] https://security-tracker.debian.org/tracker/CVE-2013-6639
[6] https://security-tracker.debian.org/tracker/CVE-2013-6640
[7] https://security-tracker.debian.org/tracker/CVE-2013-6649
[8] https://security-tracker.debian.org/tracker/CVE-2013-6650
[9] https://security-tracker.debian.org/tracker/CVE-2013-6668
[10] https://security-tracker.debian.org/tracker/CVE-2014-1704
[11] https://security-tracker.debian.org/tracker/CVE-2014-1705
[12] https://security-tracker.debian.org/tracker/CVE-2014-1716
[13] https://security-tracker.debian.org/tracker/CVE-2014-1717
[14] https://security-tracker.debian.org/tracker/CVE-2014-1717
[15] https://security-tracker.debian.org/tracker/CVE-2014-1729
[16] https://security-tracker.debian.org/tracker/CVE-2014-1730
[17] https://security-tracker.debian.org/tracker/CVE-2014-1735
[18] https://security-tracker.debian.org/tracker/CVE-2014-1736
[19] https://security-tracker.debian.org/tracker/CVE-2014-3152
[20] https://security-tracker.debian.org/tracker/CVE-2014-3188
[21] https://security-tracker.debian.org/tracker/CVE-2014-3195
[22] https://security-tracker.debian.org/tracker/CVE-2014-3199
[23] https://security-tracker.debian.org/tracker/CVE-2014-7967

Please adjust the affected versions in the BTS as needed.
