Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 370627 - <dev-lang/v8-3.2.10.15: same origin bypass (CVE-2011-2332)
Summary: <dev-lang/v8-3.2.10.15: same origin bypass (CVE-2011-2332)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-08 07:46 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-06-26 23:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-08 07:46:35 UTC 
An unspecified vulnerability in v8 may allow same origin bypass.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-08 07:48:16 UTC 
Arches, please stabilize =dev-lang/v8-3.2.10.15

Please note that tests are failing, upstream is to blame. I can RESTRICT them if you want.
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2011-06-08 08:25:55 UTC 
(In reply to comment #1)
> Arches, please stabilize =dev-lang/v8-3.2.10.15
> 
> Please note that tests are failing, upstream is to blame. I can RESTRICT them
> if you want.

If you know they fail, please restrict them. No reason to allow users to execute them without apparent reason
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-08 09:52:48 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > Arches, please stabilize =dev-lang/v8-3.2.10.15
> > 
> > Please note that tests are failing, upstream is to blame. I can RESTRICT them
> > if you want.
> 
> If you know they fail, please restrict them. No reason to allow users to
> execute them without apparent reason

Done.
Comment 4 Agostino Sarubbo gentoo-dev 2011-06-08 11:23:01 UTC 
amd64 ok.


Small note that does not blocks:
v8 adds itself "-fomit-frame-pointer". If you have time, drop it with a simple sed. Thanks
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-06-08 15:13:59 UTC 
amd64:

amd64 ok
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-06-08 17:44:26 UTC 
amd64 done. Thanks Agostino and Ian
Comment 7 Myckel Habets 2011-06-08 18:58:11 UTC 
Distcc building seems to be broken (in other packages it works fine):

i686-pc-linux-gnu-g++ -o obj/release/bignum.os -c -march=athlon-xp -O2 -pipe -fno-strict-aliasing -Wall -W -Wno-unused-parameter -Wnon-virtual-dtor -pedantic -m32 -fomit-frame-pointer -fdata-sections -ffunction-sections -ansi -fno-rtti -fno-exceptions -Wall -W -Wno-unused-parameter -Wnon-virtual-dtor -pedantic -m32 -fomit-frame-pointer -fdata-sections -ffunction-sections -ansi -fPIC -DV8_TARGET_ARCH_IA32 -DV8_SHARED -DV8_FAST_TLS -DENABLE_DEBUGGER_SUPPORT -DENABLE_VMSTATE_TRACKING -DENABLE_LOGGING_AND_PROFILING -Isrc src/bignum.cc
distcc[12563] (dcc_get_top_dir) Warning: HOME is not set; can't find distcc directory
distcc[12563] (dcc_get_top_dir) Warning: HOME is not set; can't find distcc directory
distcc[12563] (dcc_get_top_dir) Warning: HOME is not set; can't find distcc directory
distcc[12563] (dcc_build_somewhere) Warning: failed to distribute, running locally instead
distcc[12563] (dcc_get_top_dir) Warning: HOME is not set; can't find distcc directory
distcc[12563] (dcc_lock_one) ERROR: failed to lock
distcc[12563] (dcc_get_top_dir) Warning: HOME is not set; can't find distcc directory
distcc[12563] (dcc_get_top_dir) Warning: HOME is not set; can't find distcc directory

Can someone else confirm this?
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-21 07:13:33 UTC 
x86 stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-06-26 20:56:11 UTC 
Thanks, folks. GLSA Vote: no.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-06-26 23:50:48 UTC 
Vote: no, closing noglsa.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-06-26 23:51:01 UTC 
Really closing.