Bug 8567 - v8 new security issues CVE-2012-5120, CVE-2012-5128, CVE-2012-5153, CVE-2013-0836, CVE-2013-2632
Summary: v8 new security issues CVE-2012-5120, CVE-2012-5128, CVE-2012-5153, CVE-2013-0836, CVE-2013-2632
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: Damien Lallement
QA Contact:
URL: http://lwn.net/Vulnerabilities/531058/
Whiteboard:
Keywords:
Depends on: 10691
Blocks: 6927
Reported: 2013-01-01 02:39 CET by David Walser
Modified: 2013-07-09 22:14 CEST (History)

See Also:
Source RPM: v8-3.12.11-1.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-01-01 02:39:41 CET
Fedora has issued an advisory on December 11:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/095191.html

Mageia 2 is also affected.

These are fixed upstream in 3.13.7.5.
David Walser 2013-01-01 02:40:44 CET

Blocks: (none) => 6927

David Walser 2013-01-01 02:41:30 CET

Whiteboard: (none) => MGA2TOO

David Walser 2013-01-08 17:27:06 CET

CC: (none) => dmorganec

David Walser 2013-01-08 17:27:14 CET

CC: (none) => cjw

David Walser 2013-01-31 00:25:23 CET

CC: (none) => shikamaru

Comment 1 David Walser 2013-02-05 18:56:54 CET
OpenSuSE has issued an advisory today (February 5):
http://lists.opensuse.org/opensuse-updates/2013-02/msg00007.html

It says more security issues are fixed upstream in 3.16.4.0.

from http://lwn.net/Vulnerabilities/536251/
David Walser 2013-02-08 21:37:31 CET

CC: (none) => fundawang

David Walser 2013-02-08 21:37:47 CET

CC: (none) => shlomif

David Walser 2013-02-08 21:38:44 CET

CC: (none) => alexander

Comment 2 David Walser 2013-02-08 21:39:21 CET
Other than chromium, this is only used by nodejs.  Can we update this?
Comment 3 Funda Wang 2013-02-09 04:03:09 CET
Currently, our chromium-browser-unstable does not use system v8, so only nodejs is affected now.

I've put package into updates/testing. If all goes well, I'll request them to be put into release.

As for mga2, let's wait until the Cauldron release has landed.

Status: NEW => ASSIGNED

Comment 4 David Walser 2013-02-09 04:08:03 CET
Thanks Funda!

Quick question: did you mean to build the nodejs you just built in updates_testing?  It was built in release, but won't it not build against the v8 in updates_testing in that case?
Comment 5 Funda Wang 2013-02-09 18:10:07 CET
Yes, I need to update nodejs to 0.9.9 to have it built.
D Morgan 2013-03-28 19:10:03 CET

Assignee: dmorganec => fundawang

Comment 6 David Walser 2013-03-28 19:13:35 CET
I think chromium-browser-unstable is using system v8 now.

Where are we at with this?  When will this be fixed?
Comment 7 D Morgan 2013-03-28 19:14:35 CET
No, we still use the bundled v8; it was too much work to use the system one (rediff a huge patch each time, etc.).
Comment 8 D Morgan 2013-03-28 19:15:22 CET
I can look at this bug report if Funda doesn't. As he did a big part, this shouldn't take long.
Comment 9 David Walser 2013-04-08 23:11:41 CEST
Fedora has issued an advisory on December 18:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101470.html

This adds three more CVEs.

It sounds like CVE-2012-5153 and CVE-2013-0836 are fixed upstream in 3.14.5.8 and CVE-2013-2632 was fixed with an additional patch.

from http://lwn.net/Vulnerabilities/546497/

Summary: v8 new security issues CVE-2012-5120 and CVE-2012-5128 => v8 new security issues CVE-2012-5120, CVE-2012-5128, CVE-2012-5153, CVE-2013-0836, CVE-2013-2632

Comment 10 David Walser 2013-04-08 23:23:21 CEST
If nodejs is the only thing using this, maybe we should just drop this package from Cauldron and let nodejs use its bundled copy, as Fedora apparently is.  They also updated nodejs for these latest vulnerabilities:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101468.html

CC: (none) => mageia

Comment 11 David Walser 2013-04-13 16:34:35 CEST
Sysadmins, now that nothing depends on this package in Cauldron, please remove all files associated with the v8 SRPM in Cauldron.  Thanks.

CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2013-04-13 16:56:40 CEST
(In reply to David Walser from comment #11)
> Sysadmins, now that nothing depends on this package in Cauldron, please
> remove all files associated with the v8 SRPM in Cauldron.  Thanks.

dropped from cauldron.

CC: (none) => tmb

Comment 13 David Walser 2013-04-13 22:57:51 CEST
OK, this is no longer an issue in Cauldron.

Damien, for Mageia 2, can we safely update nodejs to take care of these issues there?

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

David Walser 2013-04-13 22:58:12 CEST

Assignee: fundawang => mageia

Comment 14 Damien Lallement 2013-05-07 13:06:27 CEST
new nodejs package in core/updates_testing: nodejs-0.8.23-1.mga2
[root@maximus ~]# node -e 'console.log(process.versions.v8);'
3.11.10.25
[root@maximus ~]#

FYI:
- 0.8.x is stable release (last update: Tue, 09 Apr 2013)
- 0.9.x is unstable release
- 0.10.x is stable release for 3 (v8: 3.14.5.8)
- 0.11.x is unstable

If ok, I will ask for an update request to QA.
I tested the package: "works for me".
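A small shell helper, added here as an example and not part of the bug report, that runs the same `node -e` check as comment 14 and compares the reported v8 version against the upstream fix versions cited in this bug (3.13.7.5 for CVE-2012-5120 and CVE-2012-5128 per the description, 3.14.5.8 for CVE-2012-5153 and CVE-2013-0836 per comment 9). CVE-2013-2632 is only flagged for manual review, because comment 9 says it was fixed with a separate patch rather than a release, so a version number alone cannot prove it is present. The function names, the CVE table and the fallback sample value are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the bug report): compare a v8 version string with
# the upstream fix versions quoted in this bug, and query a local node binary
# the way comment 14 does. The CVE table is taken from the description and
# comment 9 of this bug and is not an authoritative source.

# version_ge A B: exit 0 if dotted version A >= B, comparing numeric
# components left to right; missing trailing components count as 0.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# v8_cve_status VERSION: print one line per CVE from this bug saying whether
# VERSION is at or above the upstream release the bug names as the fix.
v8_cve_status() {
    v=$1
    for entry in \
        CVE-2012-5120:3.13.7.5 \
        CVE-2012-5128:3.13.7.5 \
        CVE-2012-5153:3.14.5.8 \
        CVE-2013-0836:3.14.5.8
    do
        cve=${entry%%:*}
        need=${entry#*:}
        if version_ge "$v" "$need"; then
            echo "$cve fixed (upstream fix release $need)"
        else
            echo "$cve vulnerable (needs $need, have $v)"
        fi
    done
    # Comment 9: CVE-2013-2632 was fixed by an additional patch, not a release,
    # so the version number cannot settle it; report it for a manual check.
    echo "CVE-2013-2632 check-patch (addressed by a separate upstream patch, see comment 9)"
}

# node_v8_version: print the v8 version bundled in the node on PATH (the
# check from comment 14); fail if node is not installed.
node_v8_version() {
    command -v node >/dev/null 2>&1 || return 1
    node -e 'console.log(process.versions.v8)'
}

# Stand-alone run: use the local node's v8 if available, otherwise the
# 3.11.10.25 value reported in comment 14 as a constructed sample input.
have=$(node_v8_version) || have=3.11.10.25
v8_cve_status "$have"
```

Run it on a host to see which of the four release-fixed CVEs the bundled v8 clears; for CVE-2013-2632, confirm the patch in the package changelog or the upstream node issue linked in comment 15 instead of trusting the version.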
Comment 15 David Walser 2013-05-07 15:08:50 CEST
Thanks Damien.

Looking at the nodejs ChangeLog:
https://raw.github.com/joyent/node/v0.10.5/ChangeLog

I see that nodejs 0.8.x updated to v8 3.11.10.25 on 2012-10-25, but all of these security issues have come out since then.  I suppose it's possible they don't affect nodejs 3.11.x (the other distros' issued updates were for 3.13.x, 3.14.x, and 3.16.x), but the only one of the issues I could find links to upstream patches for is the last one, CVE-2013-2632, and those upstream patches apply to the bundled v8 3.11.10.25.  Here's where that one was reported upstream to nodejs:
https://github.com/joyent/node/issues/5113

Granted that nodejs 0.8.23 came out on 2013-03-07, so they might be aware of these issues (although maybe not the ones from the last update in Comment 9) and have determined they're not exploitable through v8.  Would it be possible to check this with upstream?

I can see those v8 CVE-2013-2632 commits are in nodejs 0.10.3, which came out 2013-04-03 (and the upstream bug says they were committed on 2013-03-23).  Maybe there are more fixes in nodejs 0.8.x SVN for these newer security issues?  Maybe it's not maintained anymore?

I'd feel a lot more confident that all of these issues are actually fixed in nodejs 0.10.3.  Is there a reason we can't use that version in Mageia 2?
Comment 17 Damien Lallement 2013-05-07 15:30:01 CEST
(In reply to David Walser from comment #15)
> Thanks Damien.
> 
> Looking at the nodejs ChangeLog:
> https://raw.github.com/joyent/node/v0.10.5/ChangeLog
> 
> I see that nodejs 0.8.x updated to v8 3.11.10.25 on 2012-10-25, but all of
> these security issues have come out since then.  I suppose it's possible
> they don't affect nodejs 3.11.x (the other distros' issued updates were for
> 3.13.x, 3.14.x, and 3.16.x), but the only one of the issues I could find
> links to upstream patches for is the last one, CVE-2013-2632, and those
> upstream patches apply to the bundled v8 3.11.10.25.  Here's where that one
> was reported upstream to nodejs:
> https://github.com/joyent/node/issues/5113

Ok, I see... Let me check if 0.10.2 is working as expected in 2 to be safe with this issue.

> Granted that nodejs 0.8.23 came out on 2013-03-07, so they might be aware of
> these issues (although maybe not the ones from the last update in Comment 9)
> and have determined they're not exploitable through v8.  Would it be
> possible to check this with upstream?

http://blog.nodejs.org/2013/04/08/node-v0-8-23-legacy/
Tue, 09 Apr 2013 for 0.8.23

> I can see those v8 CVE-2013-2632 commits are in nodejs 0.10.3, which came
> out 2013-04-03 (and the upstream bug says they were committed on
> 2013-03-23).  Maybe there are more fixes in nodejs 0.8.x SVN for these newer
> security issues?  Maybe it's not maintained anymore?

The stable release is now 0.10.x.
0.8.x is just having maintenance if needed...

> I'd feel a lot more confident that all of these issues are actually fixed in
> nodejs 0.10.3.  Is there a reason we can't use that version in Mageia 2?

No, my idea was just to have latest nodejs for latest Mageia and having legacy nodejs for our previous distro.
As said before, let me check how 0.10.x is working on 2 and I will update this bug report.
Thanks for the help!
Comment 18 Damien Lallement 2013-05-07 16:36:10 CEST
We can't have nodejs 0.10.x in 2 as openssl needs to be in 1.0.1 (1.0.0 for now).
Comment 19 David Walser 2013-05-07 17:48:25 CEST
I tar'd up the deps/v8 from the nodejs 0.10.3 tarball, and in the Mageia 2 spec, I did rm -rf deps/v8 and extracted it there, and the nodejs 0.8.23 package built just fine with it.  I didn't test to see if it actually works (I don't know how to do that), but maybe that could be an option.
Comment 20 Damien Lallement 2013-05-27 16:04:12 CEST
It's a crappy option, isn't it? :-)
I would rather not change the source package.
Comment 21 David Walser 2013-05-27 16:08:08 CEST
(In reply to Damien Lallement from comment #20)
> It's a crappy option, isn't it? :-)
> I would rather not to change source package.

It's not crappy if it works.  Adding patches is changing the source too.
Comment 22 David Walser 2013-06-17 21:23:09 CEST
Damien, I see you pushed nodejs-0.8.25-1.mga2 to updates_testing.  I'm OK with pushing that as an update and closing this bug, if you want to do that.
Comment 23 Damien Lallement 2013-06-19 10:57:14 CEST
(In reply to David Walser from comment #22)
> Damien, I see you pushed nodejs-0.8.25-1.mga2 to updates_testing.  I'm OK
> with pushing that as an update and closing this bug, if you want to do that.

Ok David. WIP! :-)
Comment 24 Damien Lallement 2013-07-03 18:18:19 CEST
FYI: https://twitter.com/damsweb/status/349883394135568384
I will assign a bug about nodejs 0.8.25 to QA tomorrow.
Damien Lallement 2013-07-04 18:56:24 CEST

Depends on: (none) => 10691

Comment 25 David Walser 2013-07-09 22:14:06 CEST
Now that the nodejs update has been pushed, no packages in the distribution are using the system v8 library.  If anyone else is using that library with their own stuff, they'll have to make arrangements to use a newer version of the library.

Closing as WONTFIX.

Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX
