Bug 854473 - VUL-0: new v8 updates fix multiple vulnerabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium, Severity: Normal
Assigned To: Raymond Wooninck
QA Contact: Security Team bot
Reported: 2013-12-09 12:23 UTC by Sebastian Krahmer
Modified: 2015-02-19 02:20 UTC (History)
Description Sebastian Krahmer 2013-12-09 12:23:19 UTC
Medium CVE-2013-6638: Buffer overflow in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
High CVE-2013-6639: Out of bounds write in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
Medium CVE-2013-6640: Out of bounds read in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.


Please see here:
http://googlechromereleases.blogspot.de/2013/12/stable-channel-update.html
Comment 1 Swamp Workflow Management 2013-12-09 23:00:29 UTC
bugbot adjusting priority
Comment 2 Raymond Wooninck 2013-12-10 10:26:47 UTC
Created maintenance update for v8 Standalone for targets 12.2, 12.3 and 13.1. Also submitted the update to Factory.
Comment 3 Bernhard Wiedemann 2013-12-10 11:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (854473) was mentioned in
https://build.opensuse.org/request/show/210336 12.2 / v8
https://build.opensuse.org/request/show/210337 12.3 / v8
https://build.opensuse.org/request/show/210338 13.1 / v8
https://build.opensuse.org/request/show/210344 Factory / v8
Comment 4 Andreas Jaeger 2013-12-12 21:16:42 UTC
The patch is broken:

# zypper patch
...
Problem: nothing provides libicui18n.so()(64bit) needed by libv8-3-3.22.24.8-2.4.1.x86_64
 Solution 1: deinstallation of libv8-3-3.20.0.1-2.1.3.x86_64
 Solution 2: do not install patch:openSUSE_Maintenance_2353-1.noarch
 Solution 3: break libv8-3-3.22.24.8-2.4.1.x86_64 by ignoring some of its dependencies

It should install libv8-3.3.22 but it cannot.
Comment 5 Marcus Meissner 2013-12-13 10:01:35 UTC
Raymond?
Comment 6 Alexander Bergmann 2013-12-13 12:54:07 UTC
Raymond, there seems to be a problem with the armv7l port. Can you please check?
Comment 7 Raymond Wooninck 2013-12-13 16:42:18 UTC
It seems that Google has decided that V8 could also benefit from an internal ICU; this now causes issues, as the ICU library is not really built. This is also causing the failure on ARM.

I am currently revising the spec file for v8 so that we can utilize the system ICU and have everything correct again.

Please let me know to which repo I should submit the update?
Comment 8 Marcus Meissner 2013-12-16 11:52:14 UTC
You resubmit it like before; we can fold it into the running ones.
Comment 9 Raymond Wooninck 2013-12-16 13:37:05 UTC
OK, I submitted a new maintenance request for V8 to the 12.2, 12.3 and 13.1 update repos. This one is now adjusted to build against system libicu. Also, the ARM build for 13.1 is working.
Comment 10 Sebastian Krahmer 2013-12-23 10:18:58 UTC
One of the submits has been declined,
please check here:

https://build.opensuse.org/request/show/211140#request_history

("Don't drop " (based on bnc#797599)" from changes.")
Comment 11 Swamp Workflow Management 2013-12-23 14:04:50 UTC
openSUSE-SU-2013:1927-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 847971,854472,854473
CVE References: CVE-2013-6634,CVE-2013-6635,CVE-2013-6636,CVE-2013-6637,CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.3 (src):    chromium-31.0.1650.63-1.21.1
Comment 12 Swamp Workflow Management 2013-12-23 14:06:44 UTC
openSUSE-SU-2013:1933-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 847971,854472,854473
CVE References: CVE-2013-6634,CVE-2013-6635,CVE-2013-6636,CVE-2013-6637,CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.2 (src):    chromium-31.0.1650.63-1.58.1
Comment 13 Swamp Workflow Management 2013-12-25 17:10:06 UTC
openSUSE-SU-2013:1960-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 854473
CVE References: CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.3 (src):    v8-3.22.24.8-2.4.1
Comment 14 Swamp Workflow Management 2013-12-25 17:10:32 UTC
openSUSE-SU-2013:1962-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 854473
CVE References: CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 13.1 (src):    v8-3.22.24.8-2.4.1
Comment 15 Marcus Meissner 2014-01-14 08:49:17 UTC
I fixed the declined v8 rr myself.
Comment 16 Sebastian Krahmer 2014-01-15 09:13:12 UTC
released
Comment 17 Swamp Workflow Management 2014-01-15 10:04:48 UTC
openSUSE-SU-2014:0065-1: An update that fixes 43 vulnerabilities is now available.

Category: security (moderate)
Bug References: 847971,854472,854473
CVE References: CVE-2013-2906,CVE-2013-2907,CVE-2013-2908,CVE-2013-2909,CVE-2013-2910,CVE-2013-2911,CVE-2013-2912,CVE-2013-2913,CVE-2013-2914,CVE-2013-2915,CVE-2013-2916,CVE-2013-2917,CVE-2013-2918,CVE-2013-2919,CVE-2013-2920,CVE-2013-2921,CVE-2013-2922,CVE-2013-2923,CVE-2013-2924,CVE-2013-2925,CVE-2013-2926,CVE-2013-2927,CVE-2013-2928,CVE-2013-2931,CVE-2013-6621,CVE-2013-6622,CVE-2013-6623,CVE-2013-6624,CVE-2013-6625,CVE-2013-6626,CVE-2013-6627,CVE-2013-6628,CVE-2013-6629,CVE-2013-6630,CVE-2013-6631,CVE-2013-6632,CVE-2013-6634,CVE-2013-6635,CVE-2013-6636,CVE-2013-6637,CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 13.1 (src):    chromium-31.0.1650.63-13.7
Comment 18 Swamp Workflow Management 2014-01-20 11:04:26 UTC
openSUSE-SU-2014:0092-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 854473
CVE References: CVE-2013-6638,CVE-2013-6639,CVE-2013-6640
Sources used:
openSUSE 12.2 (src):    v8-3.22.24.8-1.17.1