Created attachment 158577
security/vuxml update for the CVE-2015-5380 entry to include v8 and v8-devel

v8 has been added to the CVE-2015-5380 entry for the unicode-decoder denial of service

Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5380
Reference: https://codereview.chromium.org/1226493003
Comment on attachment 158577
security/vuxml update for the CVE-2015-5380 entry to include v8 and v8-devel

From https://github.com/v8/v8-git-mirror/blob/master/ChangeLog, version 4.5.2 was the last release in May while the issue was fixed in the past few days. Match the NVD entry right now by just specifying range greater than 0.
Perhaps instead of <ge>0</ge> you can use <le>3.27.7_2</le> so it doesn't need to be edited again in the future. (I made the same mistake the other day.)
(In reply to Mark Felder from comment #2)
Good call. I'll remember that for the next time and fix it later when I'm not on my phone.
A commit references this bug:

Author: feld
Date: Sun Jul 12 22:30:26 UTC 2015
New revision: 391847
URL: https://svnweb.freebsd.org/changeset/ports/391847

Log:
  CVE-2015-5380 also affects v8 and v8-devel

  PR: 201450
  Security: 864e6f75-2372-11e5-86ff-14dae9d210b8
  Security: CVE-2015-5380

Changes:
  head/security/vuxml/vuln.xml
Created attachment 158675
v8 vuxml version range correction

(In reply to Mark Felder from comment #2)
Sorry for the delay. Thanks for fixing the version. Another patch is attached to accommodate this with the correct version for both lang/v8 and lang/v8-devel.

Also, I agree in concept but it's hypothetically possible that a PORTREVISION bump for an unrelated fix like a shared library bump could end up fooling the version check and give a false sense of security if we or the maintainer doesn't keep an eye on it. I know that won't be an issue here but it's something to consider.
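The range trade-off discussed in the comments above, as an added example that is not part of the original thread or of FreeBSD's own tooling. It evaluates the two VuXML `<range>` forms against constructed installed versions; the version comparison is a simplification (numeric dotted version, `_revision`, `,epoch` only), and which revision carries the fix is a hypothetical assumption.

```python
import xml.etree.ElementTree as ET

def parse_version(v):
    """Split 'version[_revision][,epoch]' into a comparable tuple.
    Simplified: numeric dotted components only, not pkg's full algorithm."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    return (int(epoch or 0), tuple(int(p) for p in v.split(".")), int(rev or 0))

# Bound elements that may appear inside a VuXML <range>.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}

def is_flagged(range_xml, installed):
    """True if the installed version satisfies every bound in the <range>."""
    inst = parse_version(installed)
    return all(OPS[b.tag](inst, parse_version(b.text))
               for b in ET.fromstring(range_xml))

OPEN_RANGE = "<range><ge>0</ge></range>"            # first form in the thread
BOUNDED_RANGE = "<range><le>3.27.7_2</le></range>"  # suggested replacement

# Constructed sample: (installed version, does this build contain the fix?)
INSTALLED = [
    ("3.27.7_2", False),  # version named in the thread
    ("3.27.7_3", False),  # hypothetical unrelated PORTREVISION bump, no fix
    ("3.27.7_4", True),   # hypothetical revision that carries the fix
]

def false_negatives(range_xml):
    """Unfixed versions the entry no longer reports as vulnerable."""
    return [v for v, fixed in INSTALLED
            if not fixed and not is_flagged(range_xml, v)]

def false_positives(range_xml):
    """Fixed versions the entry still reports as vulnerable."""
    return [v for v, fixed in INSTALLED
            if fixed and is_flagged(range_xml, v)]

if __name__ == "__main__":
    for name, rng in (("open", OPEN_RANGE), ("bounded", BOUNDED_RANGE)):
        print(name, "missed:", false_negatives(rng),
              "stale:", false_positives(rng))
```

The open range never misses a vulnerable build but keeps flagging the port after it is fixed, so the entry must be edited again; the bounded range needs no later edit but goes silent on any revision bump, whether or not that bump contains the fix.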
Reset to open until port has been updated.
Comment on attachment 158577
security/vuxml update for the CVE-2015-5380 entry to include v8 and v8-devel

Variant committed. Obsolete this to reduce PR clutter.
A commit references this bug:

Author: feld
Date: Mon Jul 13 04:08:33 UTC 2015
New revision: 391876
URL: https://svnweb.freebsd.org/changeset/ports/391876

Log:
  Correct range for non-devel version of v8

  PR: 201450
  Security: 864e6f75-2372-11e5-86ff-14dae9d210b8

Changes:
  head/security/vuxml/vuln.xml
I guess we now wait for sunpoet. It appears we use local distfiles. I looked at the v8 github and they seem to tag a release every few commits or something and they're on 4.6.1 now which seems to be far ahead of this v8 port. I'm not familiar with v8 at all so I'll let someone with a clue sort this out. Hopefully this can be solved soon.
Just to note that this is a dependency of databases/mongodb (amongst others), so I imagine a relatively large number of people are affected.
Sunpoet, do you have any cycles available to work on this? I have a patch that backports the fix, but I'm not sure if we want to do that vs upgrading v8.
Created attachment 159365
backport CVE fix
A commit references this bug:

Author: feld
Date: Wed Jul 29 16:41:11 UTC 2015
New revision: 393181
URL: https://svnweb.freebsd.org/changeset/ports/393181

Log:
  devel/v8, devel/v8-devel: Backport CVE fix

  This fix has been backported instead of upgrading to a newer release as the upstream release process is a complicated fast-moving target and the current ports are using custom snapshots created by the port maintainer. This will also limit the amount of potential fallout as we know the existing v8 port works well enough to keep mongodb up to date.

  PR: 201450
  MFH: 2015Q3
  Security: CVE-2015-5380
  Security: 864e6f75-2372-11e5-86ff-14dae9d210b8

Changes:
  head/devel/v8/
  head/devel/v8/files/
  head/devel/v8/files/patch-CVE-2015-5380
  head/devel/v8-devel/
  head/devel/v8-devel/files/
  head/devel/v8-devel/files/patch-CVE-2015-5380
A commit references this bug:

Author: feld
Date: Wed Jul 29 16:43:33 UTC 2015
New revision: 393182
URL: https://svnweb.freebsd.org/changeset/ports/393182

Log:
  MFH: r393181

  devel/v8, devel/v8-devel: Backport CVE fix

  This fix has been backported instead of upgrading to a newer release as the upstream release process is a complicated fast-moving target and the current ports are using custom snapshots created by the port maintainer. This will also limit the amount of potential fallout as we know the existing v8 port works well enough to keep mongodb up to date.

  PR: 201450
  Security: CVE-2015-5380
  Security: 864e6f75-2372-11e5-86ff-14dae9d210b8

  Approved by: ports-secteam (with hat)

Changes:
  _U branches/2015Q3/
  branches/2015Q3/devel/v8/
  branches/2015Q3/devel/v8-devel/
I've backported the patch to keep this from continuing to be a blocker for people trying to install/use mongodb.
A commit references this bug:

Author: feld
Date: Wed Jul 29 17:00:31 UTC 2015
New revision: 393186
URL: https://svnweb.freebsd.org/changeset/ports/393186

Log:
  lang/v8, lang/v8-devel: Backport CVE fix

  This fix has been backported instead of upgrading to a newer release as the upstream release process is a complicated fast-moving target and the current ports are using custom snapshots created by the port maintainer. This will also limit the amount of potential fallout as we know the existing v8 port works well enough to keep mongodb up to date.

  PR: 201450
  MFH: 2015Q3
  Security: CVE-2015-5380
  Security: 864e6f75-2372-11e5-86ff-14dae9d210b8

Changes:
  head/lang/v8/Makefile
  head/lang/v8/files/
  head/lang/v8/files/patch-CVE-2015-5380
  head/lang/v8-devel/Makefile
  head/lang/v8-devel/files/patch-CVE-2015-5380
A commit references this bug:

Author: feld
Date: Wed Jul 29 17:01:45 UTC 2015
New revision: 393187
URL: https://svnweb.freebsd.org/changeset/ports/393187

Log:
  MFH: r393186

  lang/v8, lang/v8-devel: Backport CVE fix

  This fix has been backported instead of upgrading to a newer release as the upstream release process is a complicated fast-moving target and the current ports are using custom snapshots created by the port maintainer. This will also limit the amount of potential fallout as we know the existing v8 port works well enough to keep mongodb up to date.

  PR: 201450
  Security: CVE-2015-5380
  Security: 864e6f75-2372-11e5-86ff-14dae9d210b8

  Approved by: ports-secteam (with hat)

Changes:
  _U branches/2015Q3/
  branches/2015Q3/lang/v8/Makefile
  branches/2015Q3/lang/v8/files/
  branches/2015Q3/lang/v8-devel/Makefile
  branches/2015Q3/lang/v8-devel/files/patch-CVE-2015-5380
That's great news. I'll roll this out to our Mongo servers when the package is built.