Bug 6679 - v8 package is old and possibly missing security updates (and chromium-browser update) [mga1 & 2]
: v8 package is old and possibly missing security updates (and chromium-browser...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/504948/
: MGA1TOO mga2-64-OK mga1-64-OK mga2-32...
: validated_update
: 2317
: 5966
  Show dependency treegraph
 
Reported: 2012-07-03 22:59 CEST by David Walser
Modified: 2012-07-21 15:02 CEST (History)
6 users (show)

See Also:
Source RPM: v8-3.3.10-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-07-03 22:59:29 CEST
OpenSuSE has issued an advisory today (July 3):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00003.html

It is primarily an update for Chromium, but it also updates the v8 package to a much newer version than ours.  It is unclear if there are security issues fixed between our version and the one they updated to.
Comment 1 David Walser 2012-07-05 01:25:53 CEST
D Morgan has fixed this in Cauldron.

He has also built chromium for Mageia 2.  Still pending is v8.

Also still pending are updates for Mageia 1.

Packages built so far:
chromium-browser-stable-20.0.1132.47-0.1.mga2.i586.rpm
chromium-browser-20.0.1132.47-0.1.mga2.i586.rpm

from chromium-browser-stable-20.0.1132.47-0.1.mga2.src.rpm
Comment 2 David Walser 2012-07-05 01:34:05 CEST
v8 is now built.  Mageia 1 is pending.

Packages built so far:
v8-3.12.7-0.1.mga2.i586.rpm
v8-devel-3.12.7-0.1.mga2.i586.rpm
chromium-browser-stable-20.0.1132.47-0.1.mga2.i586.rpm
chromium-browser-20.0.1132.47-0.1.mga2.i586.rpm

from SRPMS:
v8-3.12.7-0.1.mga2.src.rpm
chromium-browser-stable-20.0.1132.47-0.1.mga2.src.rpm
Comment 3 David Walser 2012-07-05 01:55:34 CEST
v8 for Mageia 1 is now built.  Chromium for Mageia 1 is the last piece needed.

Packages built so far for Mageia 1:
v8-3.12.7-0.1.mga1.i586.rpm
v8-devel-3.12.7-0.1.mga1.i586.rpm

from v8-3.12.7-0.1.mga1.src.rpm
Comment 4 David Walser 2012-07-06 01:48:04 CEST
Just an FYI when you get this to build, Mandriva has updated this in MDV 2010.2, and here is there package version:
chromium-browser-stable-20.0.1132.47-2mdv2010.2

So we should increase the release tag to 2.  This may require a rebuild anyway, as a user on IRC (lemonzest) was saying the current build (mga2 updates_testing) has a problem with its icons.
Comment 5 D Morgan 2012-07-06 07:15:20 CEST
new package pushed to fix the "icons" issue
Comment 6 Olivier Delaune 2012-07-06 10:20:55 CEST
Testing on Mageia 2 64-bits. No more "icons" problem. However, chromium seems to rather slow to start. I tried to delete ~/.config/chromium but it is the same. Maybe it is a local problem but if there are other people who have this problem, we should check.
Comment 7 Olivier Delaune 2012-07-06 10:21:53 CEST
I forgot, I tested chromium-browser-stable-20.0.1132.47-2.1.mga2
Comment 8 David Walser 2012-07-06 13:47:15 CEST
Thanks D Morgan.

Current package list for Mageia 2:
v8-3.12.7-0.1.mga2.i586.rpm
v8-devel-3.12.7-0.1.mga2.i586.rpm
chromium-browser-stable-20.0.1132.47-2.1.mga2.i586.rpm
chromium-browser-20.0.1132.47-2.1.mga2.i586.rpm

from SRPMS:
v8-3.12.7-0.1.mga2.src.rpm
chromium-browser-stable-20.0.1132.47-2.1.mga2.src.rpm
Comment 9 David Walser 2012-07-13 02:26:52 CEST
chromium-browser-stable-20.0.1132.57-0.1.mga2 is now in Mageia 2 updates_testing.

Note that the version in Mandriva 2010.2 is now higher again:
chromium-browser-stable-20.0.1132.57-1mdv2010.2
Comment 10 David Walser 2012-07-13 04:05:09 CEST
chromium-browser-stable for Mageia 1 is finishing up on the build system now, but it looks like it's gonna build, so that gives us the full set of packages.

Now all we need is an advisory.  Then we can send to QA.

Thanks D Morgan :o)

Updated packages in core/updates_testing:
========================
v8-3.12.7-0.1.mga1.i586.rpm
v8-devel-3.12.7-0.1.mga1.i586.rpm
chromium-browser-stable-20.0.1132.57-2.1.mga1.i586.rpm
chromium-browser-20.0.1132.57-2.1.mga1.i586.rpm
v8-3.12.7-0.1.mga2.i586.rpm
v8-devel-3.12.7-0.1.mga2.i586.rpm
chromium-browser-stable-20.0.1132.57-2.1.mga2.i586.rpm
chromium-browser-20.0.1132.57-2.1.mga2.i586.rpm

from SRPMS:
v8-3.12.7-0.1.mga1.src.rpm
chromium-browser-stable-20.0.1132.57-2.1.mga1.src.rpm
v8-3.12.7-0.1.mga2.src.rpm
chromium-browser-stable-20.0.1132.57-2.1.mga2.src.rpm
Comment 11 D Morgan 2012-07-14 00:38:53 CEST
We provide a new version of chromium, fixing all those issues :

[129898] High CVE-2012-2842: Use-after-free in counter handling. Credit to miaubiz.
[130595] High CVE-2012-2843: Use-after-free in layout height tracking. Credit to miaubiz.
[133450] High CVE-2012-2844: Bad object access with JavaScript in PDF. Credit to Alexey Samsonov of Google.
[118633] Low CVE-2012-2815: Leak of iframe fragment id. Credit to Elie Bursztein of Google.
[Windows only] [119150] [119250] High CVE-2012-2816: Prevent sandboxed processes interfering with each other. Credit to Google Chrome Security Team (Justin Schuh).
[120222] High CVE-2012-2817: Use-after-free in table section handling. Credit to miaubiz.
[120944] High CVE-2012-2818: Use-after-free in counter layout. Credit to miaubiz.
[120977] High CVE-2012-2819: Crash in texture handling. Credit to Ken “gets” Russell of the Chromium development community.
[121926] Medium CVE-2012-2820: Out-of-bounds read in SVG filter handling. Credit to Atte Kettunen of OUSPG.
[122925] Medium CVE-2012-2821: Autofill display problem. Credit to “simonbrown60”.
[various] Medium CVE-2012-2822: Misc. lower severity OOB read issues in PDF. Credit to awesome ASAN and various Googlers (Kostya Serebryany, Evgeniy Stepanov, Mateusz Jurczyk, Gynvael Coldwind).
[124356] High CVE-2012-2823: Use-after-free in SVG resource handling. Credit to miaubiz.
[125374] High CVE-2012-2824: Use-after-free in SVG painting. Credit to miaubiz.
[128688] Medium CVE-2012-2826: Out-of-bounds read in texture conversion. Credit to Google Chrome Security Team (Inferno).
[Mac only] [129826] Low CVE-2012-2827: Use-after-free in Mac UI. Credit to the Chromium development community (Dharani Govindan).
[129857] High CVE-2012-2828: Integer overflows in PDF. Credit to Mateusz Jurczyk of Google Security Team with contributions by Gynvael Coldwind of Google Security Team and Google Chrome Security Team (Chris Evans).
[129947] High CVE-2012-2829: Use-after-free in first-letter handling. Credit to miaubiz.
[129951] High CVE-2012-2830: Wild pointer in array value setting. Credit to miaubiz.
[Windows only] [130276] Low CVE-2012-2764: Unqualified load of metro DLL. Credit to Moshe Zioni of Comsec Consulting.
[130356] High CVE-2012-2831: Use-after-free in SVG reference handling. Credit to miaubiz.
[131553] High CVE-2012-2832: Uninitialized pointer in PDF image codec. Credit to Mateusz Jurczyk of Google Security Team with contributions by Gynvael Coldwind of Google Security Team.
[132156] High CVE-2012-2833: Buffer overflow in PDF JS API. Credit to Mateusz Jurczyk of Google Security Team.
[132779] High CVE-2012-2834: Integer overflow in Matroska container. Credit to Jüri Aedla.
Comment 12 David Walser 2012-07-14 01:15:12 CEST
Thanks D Morgan.  Assigning to QA.

Advisory in Comment 11, list of packages in Comment 10.
Comment 13 Manuel Hiebel 2012-07-18 00:51:22 CEST
I don't know how to test v8, but chromium is ok on mga1 x86_64
Comment 14 claire robinson 2012-07-18 17:35:42 CEST
v8 is the javascript engine, you can test it with google's own v8 performance tester here: http://v8.googlecode.com/svn/data/benchmarks/v7/run.html
Comment 15 claire robinson 2012-07-18 17:56:09 CEST
Testing complete Mageia 2 x86_64

Tested java, flash, v8, spellcheck, general browser stuff.
Comment 16 Manuel Hiebel 2012-07-19 00:07:52 CEST
ok, thanks, so v8 is ok too on mga1/64
Comment 17 claire robinson 2012-07-19 10:35:28 CEST
Testing chromium-browser complete Mageia 2 i586

Seems chromium can run the v8 test with or without v8 installed so that is not a good test for the separate v8 package.

It does install d8 in /usr/bin/ which appears to be a javascript shell.

Testing with a few examples from here..
http://www.sandeepdatta.com/2011/10/using-v8-javascript-shell-d8.html

$ d8
V8 version 3.12.7 [console: dumb]
d8> print("Hello", "world", 5, 3.14, [1,2], {"a":5})
Hello world 5 3.14 1,2 [object Object]
d8> var s = read("LICENSE")
(d8):1: Error loading file
var s = read("LICENSE")
        ^

d8> os.system("pwd")
(d8):1: ReferenceError: os is not defined
os.system("pwd")
^
ReferenceError: os is not defined
    at (d8):1:1

d8>

Not sure if this means there is something wrong with v8?
Comment 18 Dave Hodgins 2012-07-20 03:06:11 CEST
The following packages will require linking:

libflac8-1.2.1-10.mga1 (Core Release (distrib1))
Comment 19 Dave Hodgins 2012-07-20 03:16:04 CEST
$ d8
V8 version 3.12.7 [console: dumb]
d8> x = 10
10
d8> x
10
d8> quit()

Testing of v8 on i586 complete.
Comment 20 Dave Hodgins 2012-07-20 03:31:08 CEST
Testing complete on Mageia 1 i586.

Could someone from the sysadmin team push the srpms

v8-3.12.7-0.1.mga2.src.rpm
chromium-browser-stable-20.0.1132.57-2.1.mga2.src.rpm

from Mageia 2 Core Updates Testing to Core Updates and the srpms

v8-3.12.7-0.1.mga1.src.rpm
chromium-browser-stable-20.0.1132.57-2.1.mga1.src.rpm

from Mageia 1 Core Updates Testing to Core updates and link the rpm package

libflac8

from Core Release to Core Updates in both Mageia 1 and 2.

Advisory:  This security update to the chromium-browser and the v8 standalone
javascript processor corrects the following security issues.

[129898] High CVE-2012-2842: Use-after-free in counter handling. Credit to
miaubiz.
[130595] High CVE-2012-2843: Use-after-free in layout height tracking. Credit
to miaubiz.
[133450] High CVE-2012-2844: Bad object access with JavaScript in PDF. Credit
to Alexey Samsonov of Google.
[118633] Low CVE-2012-2815: Leak of iframe fragment id. Credit to Elie
Bursztein of Google.
[Windows only] [119150] [119250] High CVE-2012-2816: Prevent sandboxed
processes interfering with each other. Credit to Google Chrome Security Team
(Justin Schuh).
[120222] High CVE-2012-2817: Use-after-free in table section handling. Credit
to miaubiz.
[120944] High CVE-2012-2818: Use-after-free in counter layout. Credit to
miaubiz.
[120977] High CVE-2012-2819: Crash in texture handling. Credit to Ken “gets”
Russell of the Chromium development community.
[121926] Medium CVE-2012-2820: Out-of-bounds read in SVG filter handling.
Credit to Atte Kettunen of OUSPG.
[122925] Medium CVE-2012-2821: Autofill display problem. Credit to
“simonbrown60”.
[various] Medium CVE-2012-2822: Misc. lower severity OOB read issues in PDF.
Credit to awesome ASAN and various Googlers (Kostya Serebryany, Evgeniy
Stepanov, Mateusz Jurczyk, Gynvael Coldwind).
[124356] High CVE-2012-2823: Use-after-free in SVG resource handling. Credit to
miaubiz.
[125374] High CVE-2012-2824: Use-after-free in SVG painting. Credit to miaubiz.
[128688] Medium CVE-2012-2826: Out-of-bounds read in texture conversion. Credit
to Google Chrome Security Team (Inferno).
[Mac only] [129826] Low CVE-2012-2827: Use-after-free in Mac UI. Credit to the
Chromium development community (Dharani Govindan).
[129857] High CVE-2012-2828: Integer overflows in PDF. Credit to Mateusz
Jurczyk of Google Security Team with contributions by Gynvael Coldwind of
Google Security Team and Google Chrome Security Team (Chris Evans).
[129947] High CVE-2012-2829: Use-after-free in first-letter handling. Credit to
miaubiz.
[129951] High CVE-2012-2830: Wild pointer in array value setting. Credit to
miaubiz.
[Windows only] [130276] Low CVE-2012-2764: Unqualified load of metro DLL.
Credit to Moshe Zioni of Comsec Consulting.
[130356] High CVE-2012-2831: Use-after-free in SVG reference handling. Credit
to miaubiz.
[131553] High CVE-2012-2832: Uninitialized pointer in PDF image codec. Credit
to Mateusz Jurczyk of Google Security Team with contributions by Gynvael
Coldwind of Google Security Team.
[132156] High CVE-2012-2833: Buffer overflow in PDF JS API. Credit to Mateusz
Jurczyk of Google Security Team.
[132779] High CVE-2012-2834: Integer overflow in Matroska container. Credit to
Jüri Aedla.

https://bugs.mageia.org/show_bug.cgi?id=6679
Comment 21 Thomas Backlund 2012-07-21 15:02:31 CEST
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0177

Note You need to log in before you can comment on or make changes to this bug.