[v8/el6: 1/2] backport fix for remote DoS or unspecified other impact via type confusion

T.C. Hollingsworth patches at fedoraproject.org
Fri Aug 2 20:07:30 UTC 2013


commit eccaf3ba101105547a03d51234791830b7727d1c
Author: T.C. Hollingsworth <tchollingsworth at gmail.com>
Date:   Fri Aug 2 13:04:50 2013 -0700

    backport fix for remote DoS or unspecified other impact via type confusion
    
      (RHBZ#991116; CVE-2013-2882)

 v8-3.14.5.10-CVE-2013-2882.patch |   55 ++++++++++++++++++++++++++++++++++++++
 v8.spec                          |   10 ++++++-
 2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/v8-3.14.5.10-CVE-2013-2882.patch b/v8-3.14.5.10-CVE-2013-2882.patch
new file mode 100644
index 0000000..b14dbb5
--- /dev/null
+++ b/v8-3.14.5.10-CVE-2013-2882.patch
@@ -0,0 +1,55 @@
+From 18e43f925d5d502b7531f40e4a1becba56089303 Mon Sep 17 00:00:00 2001
+From: "mstarzinger at chromium.org" <mstarzinger at chromium.org>
+Date: Mon, 15 Jul 2013 11:41:41 +0000
+Subject: [PATCH] Use internal array as API function cache.
+
+R=yangguo at chromium.org
+BUG=chromium:260106
+TEST=cctest/test-api/Regress260106
+
+Review URL: https://codereview.chromium.org/19159003
+
+git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@15665 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
+---
+ src/apinatives.js       |  2 +-
+ test/cctest/test-api.cc | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/apinatives.js b/src/apinatives.js
+index 79b41dd..adefab6 100644
+--- a/src/apinatives.js
++++ b/src/apinatives.js
+@@ -37,7 +37,7 @@ function CreateDate(time) {
+ }
+ 
+ 
+-var kApiFunctionCache = {};
++var kApiFunctionCache = new InternalArray();
+ var functionCache = kApiFunctionCache;
+ 
+ 
+diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
+index 728a8f7..bcd28bd 100644
+--- a/test/cctest/test-api.cc
++++ b/test/cctest/test-api.cc
+@@ -17707,6 +17707,17 @@ THREADED_TEST(Regress157124) {
+ }
+ 
+ 
++THREADED_TEST(Regress260106) {
++  LocalContext context;
++  v8::HandleScope scope(context->GetIsolate());
++  Local<FunctionTemplate> templ = FunctionTemplate::New(DummyCallHandler);
++  CompileRun("for (var i = 0; i < 128; i++) Object.prototype[i] = 0;");
++  Local<Function> function = templ->GetFunction();
++  CHECK(!function.IsEmpty());
++  CHECK(function->IsFunction());
++}
++
++
+ #ifndef WIN32
+ class ThreadInterruptTest {
+  public:
+-- 
+1.8.3.1
+
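Review bot: the rationale for swapping `var kApiFunctionCache = {};` for `new InternalArray()` is only implied by the regression test (it fills `Object.prototype[0..127]` before calling `templ->GetFunction()`), so a one-line comment in apinatives.js stating that the cache must not inherit from a script-visible prototype would spare future backporters from re-deriving it from the test. Also confirm the two hunks apply without fuzz on 3.14.5.10: the embedded patch is against bleeding_edge r15665 and carries that tree's offsets (`@@ -37,7 +37,7 @@` and `@@ -17707,6 +17707,17 @@`), and check that the cctest portion is either built by the spec or intentionally carried along as documentation only.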
diff --git a/v8.spec b/v8.spec
index dd4b038..4b66451 100644
--- a/v8.spec
+++ b/v8.spec
@@ -23,7 +23,7 @@
 
 Name:		v8
 Version:	%{somajor}.%{sominor}.%{sobuild}.%{sotiny}
-Release:	1%{?dist}
+Release:	2%{?dist}
 Epoch:		1
 Summary:	JavaScript Engine
 Group:		System Environment/Libraries
@@ -37,6 +37,9 @@ BuildRequires:	scons, readline-devel, libicu-devel
 #backport fix for CVE-2013-2634 (RHBZ#924495)
 Patch1:		v8-3.14.5.8-CVE-2013-2634.patch
 
+#backport fix for CVE-2013-2882 (RHBZ#991116)
+Patch2:     v8-3.14.5.10-CVE-2013-2882.patch
+
 %description
 V8 is Google's open source JavaScript engine. V8 is written in C++ and is used 
 in Google Chrome, the open source browser from Google. V8 implements ECMAScript 
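Review bot: `Patch2:     v8-3.14.5.10-CVE-2013-2882.patch` is aligned with spaces while the neighbouring `Patch1:`, `Name:` and `Version:` tags are tab-aligned; match the existing tab alignment so the preamble stays consistent.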
@@ -53,6 +56,7 @@ Development headers and libraries for v8.
 %prep
 %setup -q -n %{name}-%{version}
 %patch1 -p1
+%patch2 -p1
 
 # -fno-strict-aliasing is needed with gcc 4.4 to get past some ugly code
 PARSED_OPT_FLAGS=`echo \'$RPM_OPT_FLAGS -fPIC -fno-strict-aliasing -Wno-unused-parameter -Wno-error=strict-overflow -Wno-error=unused-local-typedefs -Wno-unused-but-set-variable\'| sed "s/ /',/g" | sed "s/',/', '/g"`
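Review bot: `%patch2 -p1` is the right strip level, since the embedded patch uses `a/src/apinatives.js` and `a/test/cctest/test-api.cc` paths, matching how `%patch1 -p1` is applied just above it.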
@@ -210,6 +214,10 @@ rm -rf %{buildroot}
 %{python_sitelib}/j*.py*
 
 %changelog
+* Fri Aug 02 2013 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-2
+- backport fix for remote DoS or unspecified other impact via type confusion
+  (RHBZ#991116; CVE-2013-2882)
+
 * Wed May 29 2013 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-1
 - new upstream release 3.14.5.10
 


More information about the scm-commits mailing list