Login
Newsletter
Werbung

Sicherheit: Denial of Service in v8
Aktuelle Meldungen Distributionen
Name: Denial of Service in v8
ID: FEDORA-2014-9113
Distribution: Fedora
Plattformen: Fedora 19
Datum: Fr, 15. August 2014, 08:08
Referenzen: Keine Angabe
Applikationen: v8

Originalnachricht

Name        : v8
Product : Fedora 19
Version : 3.14.5.10
Release : 11.fc19
URL : http://code.google.com/p/v8
Summary : JavaScript Engine
Description :
V8 is Google's open source JavaScript engine. V8 is written in C++ and is
used
in Google Chrome, the open source browser from Google. V8 implements ECMAScript
as specified in ECMA-262, 3rd edition.

-------------------------------------------------------------------------------
-
Update Information:

TJ Fontaine of the Node.js project reports:

A memory corruption vulnerability, which results in a
denial-of-service, was identified in the versions of V8 that ship with
Node.js 0.8 and 0.10. In certain circumstances, a particularly deep
recursive workload that may trigger a GC and receive an interrupt may
overflow the stack and result in a segmentation fault. For instance,
if your work load involves successive `JSON.parse` calls and the
parsed objects are significantly deep, you may experience the process
aborting while parsing.

This issue was identified by Tom Steele of [^Lift
Security](https://liftsecurity.io/) and Fedor Indunty, Node.js Core
Team member worked closely with the V8 team to find our resolution.

The V8 issue is described here https://codereview.chromium.org/339883002

It has landed in the Node repository here:
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

* [v0.10.30](http://nodejs.org/dist/v0.10.30)
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* [v0.8.28](http://nodejs.org/dist/v0.8.28)
http://blog.nodejs.org/2014/07/31/node-v0-8-28-maintenance/

### The Fix

[Applied in this update.]

### Remediation

The best course of action is to patch or upgrade Node.js.

### Mitigation

To mitigate against deep JSON parsing you can limit the size of the
string you parse against, or ban clients who trigger a `RangeError`
for parsing JSON.

There is no specific maximum size of a JSON string, though keeping the
max to the size of your known message bodies is suggested. If your
message bodies cannot be over 20K, there's no reason to accept 1MB
bodies.

For web frameworks that do automatic JSON parsing, you may need to
configure the routes that accept JSON payloads to have a maximum body
size.

* [expressjs](http://expressjs.com) and
[krakenjs](http://krakenjs.com) used with the
[body-parser](https://github.com/expressjs/body-parser#bodyparserjsonoptions)
plugin accepts a `limit` parameter in your JSON config
* [Hapi.js](http://hapijs.com) has `payload.maxBytes`
https://github.com/spumko/hapi/blob/master/docs/Reference.md
* [restify](http://mcavage.me/node-restify/#Bundled-Plugins) bundled
`bodyParser` accepts a `maxBodySize`

Source: https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
-------------------------------------------------------------------------------
-
ChangeLog:

* Thu Jul 31 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-11
- backport security fix for memory corruption and stack overflow (RHBZ#1125464)
https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
- backport bug fix for x64 MathMinMax for negative untagged int32 arguments.
https://github.com/joyent/node/commit/3530fa9cd09f8db8101c4649cab03bcdf760c434
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-10
- fix corner case in integer comparisons (v8 bug#2416; nodejs bug#7528)
* Sun Jun 8 2014 Fedora Release Engineering
<rel-eng@lists.fedoraproject.org> - 1:3.14.5.10-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-8
- use clock_gettime() instead of gettimeofday(), which increases V8 performance
dramatically on virtual machines
* Tue Mar 18 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-7
- backport fix for unsigned integer arithmetic (RHBZ#1077136; CVE-2014-1704)
* Mon Feb 24 2014 Tomas Hrcka <thrcka@redhat.com> - 1:3.14.5.10-6
- Backport fix for incorrect handling of popular pages (RHBZ#1059070;
CVE-2013-6640)
* Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-5
- rebuild for icu-52
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-4
- backport fix for enumeration for objects with lots of properties
* Fri Dec 13 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-3
- backport fix for out-of-bounds read DoS (RHBZ#1039889; CVE-2013-6640)
* Fri Aug 2 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> -
1:3.14.5.10-2
- backport fix for remote DoS or unspecified other impact via type confusion
(RHBZ#991116; CVE-2013-2882)
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1125464 - V8 Memory Corruption and Stack Overflow
https://bugzilla.redhat.com/show_bug.cgi?id=1125464
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update v8' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Gewinnspiel
Neue Nachrichten
Werbung