Bug 854473

Summary: VUL-0: new v8 updates fix multiple vulnerabilities
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Raymond Wooninck <tittiatcoke>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, aj, meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: openSUSE 13.1
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2013-12-09 12:23:19 UTC
Medium CVE-2013-6638: Buffer overflow in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
High CVE-2013-6639: Out of bounds write in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
Medium CVE-2013-6640: Out of bounds read in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.


Please see here:

http://googlechromereleases.blogspot.de/2013/12/stable-channel-update.html
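The description gives one fixed upstream version (3.22.24.7) for all three CVEs, which is the fact a defender needs to decide whether a host is still exposed. The script below is an added example, not part of this bug report or of the v8 or openSUSE packaging: it implements an rpmvercmp-style version comparison and applies it to a constructed inventory dump in the shape `rpm -q --queryformat '%{NAME} %{VERSION} %{RELEASE}\n' libv8-3` prints. Host names are made up; the version strings are the ones that appear in this bug.

```python
import re

# CVE -> upstream v8 version that fixes it, as stated in the bug description.
FIXED_IN = {
    "CVE-2013-6638": "3.22.24.7",  # buffer overflow
    "CVE-2013-6639": "3.22.24.7",  # out-of-bounds write
    "CVE-2013-6640": "3.22.24.7",  # out-of-bounds read
}

# Constructed sample inventory: "<host> <rpm name> <version> <release>" per line.
# Versions are the ones mentioned in this bug; host names are invented.
SAMPLE_INVENTORY = """\
build01 libv8-3 3.20.0.1 2.1.3
build02 libv8-3 3.22.24.8 2.4.1
build03 libv8-3 3.22.24.7 1.1
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two version strings roughly the way rpm's rpmvercmp() does.

    Both strings are split into runs of digits and runs of letters; digit runs
    compare numerically (so 10 > 9), letter runs compare lexically, and a digit
    run outranks a letter run at the same position. When one string runs out of
    segments, the longer one is newer. Tilde/caret handling is left out (an
    assumption: none of the versions in this bug use them).
    Returns -1, 0 or 1 like strcmp.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def unfixed_cves(installed_version: str) -> list:
    """CVEs from FIXED_IN whose fixing version is newer than what is installed."""
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if rpm_vercmp(installed_version, fixed) < 0)


def check_inventory(text: str) -> dict:
    """Map each host in an inventory dump to the CVEs it is still exposed to.

    Lines without the four expected fields are skipped rather than guessed at,
    so a truncated dump never silently reports a host as patched.
    """
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        host, _name, version, _release = fields
        result[host] = unfixed_cves(version)
    return result


if __name__ == "__main__":
    for host, cves in check_inventory(SAMPLE_INVENTORY).items():
        status = "still vulnerable to " + ", ".join(cves) if cves else "fixed"
        print(f"{host}: {status}")
```

Comparing the upstream version alone is valid here only because the openSUSE update shipped upstream 3.22.24.8 rather than backporting the fixes onto 3.20.0.1; where a distribution backports, compare the full epoch/version/release against the package version named in the advisory instead. A host that hit the dependency problem described later in this bug stays on 3.20.0.1 and is exactly what this check flags.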
Comment 1 Swamp Workflow Management 2013-12-09 23:00:29 UTC
bugbot adjusting priority
Comment 2 Raymond Wooninck 2013-12-10 10:26:47 UTC
Created maintenance update for v8 Standalone for targets 12.2, 12.3 and 13.1. Also submitted the update to Factory.
Comment 3 Bernhard Wiedemann 2013-12-10 11:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (854473) was mentioned in
https://build.opensuse.org/request/show/210336 12.2 / v8
https://build.opensuse.org/request/show/210337 12.3 / v8
https://build.opensuse.org/request/show/210338 13.1 / v8
https://build.opensuse.org/request/show/210344 Factory / v8
Comment 4 Andreas Jaeger 2013-12-12 21:16:42 UTC
The patch is broken:

# zypper patch
...
Problem: nothing provides libicui18n.so()(64bit) needed by libv8-3-3.22.24.8-2.4.1.x86_64
 Solution 1: deinstallation of libv8-3-3.20.0.1-2.1.3.x86_64
 Solution 2: do not install patch:openSUSE_Maintenance_2353-1.noarch
 Solution 3: break libv8-3-3.22.24.8-2.4.1.x86_64 by ignoring some of its dependencies

It should install libv8-3.3.22 but it cannot.
Comment 5 Marcus Meissner 2013-12-13 10:01:35 UTC
Raymond?
Comment 6 Alexander Bergmann 2013-12-13 12:54:07 UTC
Raymond, there seems to be a problem with the armv7l port. Can you please check?
Comment 7 Raymond Wooninck 2013-12-13 16:42:18 UTC
It seems that Google has decided that V8 could also benefit from an internal ICU; this now causes issues as the ICU library is not really built. This is also causing the failure on ARM.

I am currently revising the spec file for v8 so that we can utilize the system ICU and have everything correct again.

Please let me know to which repo I should submit the update?
Comment 8 Marcus Meissner 2013-12-16 11:52:14 UTC
You resubmit it like before, we can fold it into the running ones.
Comment 9 Raymond Wooninck 2013-12-16 13:37:05 UTC
Ok, I submitted a new Maintenance request for V8 to the 12.2, 12.3 and 13.1 update repos. This one is now adjusted to build against system libicu. Also the ARM build for 13.1 is working.
Comment 10 Sebastian Krahmer 2013-12-23 10:18:58 UTC
One of the submits has been declined,
please check here:

https://build.opensuse.org/request/show/211140#request_history

("Don't drop '(based on bnc#797599)' from changes.")
Comment 11 Swamp Workflow Management 2013-12-23 14:04:50 UTC
openSUSE-SU-2013:1927-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 847971,854472,854473
CVE References: CVE-2013-6634,CVE-2013-6635,CVE-2013-6636,CVE-2013-6637,CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.3 (src):    chromium-31.0.1650.63-1.21.1
Comment 12 Swamp Workflow Management 2013-12-23 14:06:44 UTC
openSUSE-SU-2013:1933-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 847971,854472,854473
CVE References: CVE-2013-6634,CVE-2013-6635,CVE-2013-6636,CVE-2013-6637,CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.2 (src):    chromium-31.0.1650.63-1.58.1
Comment 13 Swamp Workflow Management 2013-12-25 17:10:06 UTC
openSUSE-SU-2013:1960-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 854473
CVE References: CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.3 (src):    v8-3.22.24.8-2.4.1
Comment 14 Swamp Workflow Management 2013-12-25 17:10:32 UTC
openSUSE-SU-2013:1962-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 854473
CVE References: CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 13.1 (src):    v8-3.22.24.8-2.4.1
Comment 15 Marcus Meissner 2014-01-14 08:49:17 UTC
I fixed the declined v8 rr myself
Comment 16 Sebastian Krahmer 2014-01-15 09:13:12 UTC
released
Comment 17 Swamp Workflow Management 2014-01-15 10:04:48 UTC
openSUSE-SU-2014:0065-1: An update that fixes 43 vulnerabilities is now available.

Category: security (moderate)
Bug References: 847971,854472,854473
CVE References: CVE-2013-2906,CVE-2013-2907,CVE-2013-2908,CVE-2013-2909,CVE-2013-2910,CVE-2013-2911,CVE-2013-2912,CVE-2013-2913,CVE-2013-2914,CVE-2013-2915,CVE-2013-2916,CVE-2013-2917,CVE-2013-2918,CVE-2013-2919,CVE-2013-2920,CVE-2013-2921,CVE-2013-2922,CVE-2013-2923,CVE-2013-2924,CVE-2013-2925,CVE-2013-2926,CVE-2013-2927,CVE-2013-2928,CVE-2013-2931,CVE-2013-6621,CVE-2013-6622,CVE-2013-6623,CVE-2013-6624,CVE-2013-6625,CVE-2013-6626,CVE-2013-6627,CVE-2013-6628,CVE-2013-6629,CVE-2013-6630,CVE-2013-6631,CVE-2013-6632,CVE-2013-6634,CVE-2013-6635,CVE-2013-6636,CVE-2013-6637,CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 13.1 (src):    chromium-31.0.1650.63-13.7
Comment 18 Swamp Workflow Management 2014-01-20 11:04:26 UTC
openSUSE-SU-2014:0092-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 854473
CVE References: CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.2 (src):    v8-3.22.24.8-1.17.1