From: Ian Stakenvicius <axs@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8
Date: Fri, 08 Nov 2013 09:42:15 -0500
Message-ID: <527CF847.20608@gentoo.org>
In-Reply-To: <527C7517.3070409@gentoo.org>
On 08/11/13 12:22 AM, "Paweł Hajdan, Jr." wrote:
> For some context of this please see
> <http://thread.gmane.org/gmane.linux.gentoo.devel/88222>
>
> v8-3.20.17.7 fixes a memory corruption vulnerability, see
> <http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html>
>
> However, we still have v8-3.19 and even 3.18 in portage - this is
> probably an oversight when stabilizing new versions.
>
> Problem #1 is that sci-geosciences/osgearth-2.4 depends on
> =dev-lang/v8-3.18.5.14 (see
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
> doesn't work with more recent v8, but it can be made to not depend
> on v8.
>
> Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is
> actually broken for other reasons, see
> <https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE
> flag to be removed and v8 to always be disabled in drizzle.
>
> With that I'd like to proceed with hard masking v8. I'm working
> with upstream on better API stability, it seems to be working
> pretty well. That's still a very long way to ABI stability, if at
> all possible.
>
> Please comment on possible solutions for removing known vulnerable
> v8 versions from the tree.
>
> Paweł
>
So, you're saying, drop v8 USE flags and deps from these two packages,
and hard-mask? Makes sense to me...
I'm still a little concerned about the potential security issues
caused by embedded V8s in projects, but as we've already concluded in
that other thread, there's no other way until the API stabilizes.
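As an added illustration of the audit the thread calls for (not code from the list or from Gentoo), the following shell snippet flags dev-lang/v8 atoms older than the fixing release 3.20.17.7 named above. The version-compare helper, the `vulnerable_v8` function and the installed-package sample are constructed for this example; on a real system the list would come from the package manager.

```shell
#!/bin/sh
# Added example: find dev-lang/v8 atoms older than the release that
# fixed the memory corruption bug discussed in the thread.
FIXED_V8="3.20.17.7"

# Compare two dotted numeric versions component-wise.
# Returns 0 if $1 is strictly older than $2, 1 otherwise.
version_older() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Drop the consumed leading component; empty string when none remain.
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"   # missing components compare as 0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Print every dev-lang/v8 atom in the newline-separated list $1
# whose version is older than $FIXED_V8.
vulnerable_v8() {
    printf '%s\n' "$1" | while IFS= read -r atom; do
        case "$atom" in dev-lang/v8-*) ;; *) continue ;; esac
        ver="${atom#dev-lang/v8-}"
        if version_older "$ver" "$FIXED_V8"; then
            printf '%s\n' "$atom"
        fi
    done
}

# Constructed sample of installed packages (hypothetical; the 3.18.5.14
# pin is the one osgearth-2.4 carries in the thread).
SAMPLE='dev-lang/v8-3.18.5.14
dev-lang/v8-3.19.0
dev-lang/v8-3.20.17.7
sci-geosciences/osgearth-2.4'

vulnerable_v8 "$SAMPLE"
```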