[v8/el6: 1/2] backport fix for remote DoS or unspecified other impact via type confusion
T.C. Hollingsworth
patches at fedoraproject.org
Fri Aug 2 20:07:30 UTC 2013
commit eccaf3ba101105547a03d51234791830b7727d1c
Author: T.C. Hollingsworth <tchollingsworth at gmail.com>
Date: Fri Aug 2 13:04:50 2013 -0700
backport fix for remote DoS or unspecified other impact via type confusion
(RHBZ#991116; CVE-2013-2882)
v8-3.14.5.10-CVE-2013-2882.patch | 55 ++++++++++++++++++++++++++++++++++++++
v8.spec | 10 ++++++-
2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/v8-3.14.5.10-CVE-2013-2882.patch b/v8-3.14.5.10-CVE-2013-2882.patch
new file mode 100644
index 0000000..b14dbb5
--- /dev/null
+++ b/v8-3.14.5.10-CVE-2013-2882.patch
@@ -0,0 +1,55 @@
+From 18e43f925d5d502b7531f40e4a1becba56089303 Mon Sep 17 00:00:00 2001
+From: "mstarzinger at chromium.org" <mstarzinger at chromium.org>
+Date: Mon, 15 Jul 2013 11:41:41 +0000
+Subject: [PATCH] Use internal array as API function cache.
+
+R=yangguo at chromium.org
+BUG=chromium:260106
+TEST=cctest/test-api/Regress260106
+
+Review URL: https://codereview.chromium.org/19159003
+
+git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@15665 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
+---
+ src/apinatives.js | 2 +-
+ test/cctest/test-api.cc | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/apinatives.js b/src/apinatives.js
+index 79b41dd..adefab6 100644
+--- a/src/apinatives.js
++++ b/src/apinatives.js
+@@ -37,7 +37,7 @@ function CreateDate(time) {
+ }
+
+
+-var kApiFunctionCache = {};
++var kApiFunctionCache = new InternalArray();
+ var functionCache = kApiFunctionCache;
+
+
+diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
+index 728a8f7..bcd28bd 100644
+--- a/test/cctest/test-api.cc
++++ b/test/cctest/test-api.cc
+@@ -17707,6 +17707,17 @@ THREADED_TEST(Regress157124) {
+ }
+
+
++THREADED_TEST(Regress260106) {
++ LocalContext context;
++ v8::HandleScope scope(context->GetIsolate());
++ Local<FunctionTemplate> templ = FunctionTemplate::New(DummyCallHandler);
++ CompileRun("for (var i = 0; i < 128; i++) Object.prototype[i] = 0;");
++ Local<Function> function = templ->GetFunction();
++ CHECK(!function.IsEmpty());
++ CHECK(function->IsFunction());
++}
++
++
+ #ifndef WIN32
+ class ThreadInterruptTest {
+ public:
+--
+1.8.3.1
+
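Review bot: the test-api.cc hunk of the embedded upstream patch calls DummyCallHandler and THREADED_TEST, neither of which the patch defines, so that part only compiles if test/cctest/test-api.cc in 3.14.5.10 already provides them and the @@ -17707 offset applies with fuzz; confirm the patch applies cleanly and that cctest still builds, or drop the test-api.cc hunk if the package never builds cctest. The functional change is the single line "var kApiFunctionCache = new InternalArray();" replacing "var kApiFunctionCache = {};", which moves the cache off the script-visible Object.prototype chain; the regression test sets Object.prototype[i] = 0 for 128 indices and then asserts function->IsFunction(), so it exercises exactly that prototype-pollution path and is worth keeping if it builds.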
diff --git a/v8.spec b/v8.spec
index dd4b038..4b66451 100644
--- a/v8.spec
+++ b/v8.spec
@@ -23,7 +23,7 @@
Name: v8
Version: %{somajor}.%{sominor}.%{sobuild}.%{sotiny}
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 1
Summary: JavaScript Engine
Group: System Environment/Libraries
@@ -37,6 +37,9 @@ BuildRequires: scons, readline-devel, libicu-devel
#backport fix for CVE-2013-2634 (RHBZ#924495)
Patch1: v8-3.14.5.8-CVE-2013-2634.patch
+#backport fix for CVE-2013-2882 (RHBZ#991116)
+Patch2: v8-3.14.5.10-CVE-2013-2882.patch
+
%description
V8 is Google's open source JavaScript engine. V8 is written in C++ and is used
in Google Chrome, the open source browser from Google. V8 implements ECMAScript
@@ -53,6 +56,7 @@ Development headers and libraries for v8.
%prep
%setup -q -n %{name}-%{version}
%patch1 -p1
+%patch2 -p1
# -fno-strict-aliasing is needed with gcc 4.4 to get past some ugly code
PARSED_OPT_FLAGS=`echo \'$RPM_OPT_FLAGS -fPIC -fno-strict-aliasing -Wno-unused-parameter -Wno-error=strict-overflow -Wno-error=unused-local-typedefs -Wno-unused-but-set-variable\'| sed "s/ /',/g" | sed "s/',/', '/g"`
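Review bot: "%patch2 -p1" is correct for the a/src/apinatives.js and b/src/apinatives.js paths in the git-formatted patch and mirrors how Patch1 is applied; since the patch also touches test/cctest/test-api.cc, note in the spec comment or changelog whether the cctest part is expected to be exercised by the build.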
@@ -210,6 +214,10 @@ rm -rf %{buildroot}
%{python_sitelib}/j*.py*
%changelog
+* Fri Aug 02 2013 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-2
+- backport fix for remote DoS or unspecified other impact via type confusion
+ (RHBZ#991116; CVE-2013-2882)
+
* Wed May 29 2013 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-1
- new upstream release 3.14.5.10