public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] removing vulnerable versions of dev-lang/v8
From: "Paweł Hajdan, Jr." @ 2013-11-08  5:22 UTC
  To: gentoo-dev
For some context of this please see
<http://thread.gmane.org/gmane.linux.gentoo.devel/88222>

v8-3.20.17.7 fixes a memory corruption vulnerability, see
<http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html>

However, we still have v8-3.19 and even 3.18 in portage - this is
probably an oversight when stabilizing new versions.

Problem #1 is that sci-geosciences/osgearth-2.4 depends on
=dev-lang/v8-3.18.5.14 (see
<https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
doesn't work with more recent v8, but it can be made to not depend on v8.

Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is
actually broken for other reasons, see
<https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE flag
to be removed and v8 to always be disabled in drizzle.

With that I'd like to proceed with hard masking v8. I'm working with
upstream on better API stability, it seems to be working pretty well.
That's still a very long way to ABI stability, if at all possible.

Please comment on possible solutions for removing known vulnerable v8
versions from the tree.

Paweł
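As an added illustration of what the proposal above amounts to in tree terms (this is editor-written example code, not something from the thread or from Gentoo's own tooling): a small Python audit that derives the package.mask entry from the fixed version and checks which of the two reverse dependencies Paweł names would still resolve once everything below the fix is masked. Only the version 3.20.17.7 and the two dependency atoms come from the thread; the list of v8 versions in the tree and drizzle's version number are constructed, and the version comparison handles only purely numeric dotted versions, not full PMS syntax.

```python
import re
from itertools import zip_longest

# Added example, not from the thread. Only the fixed version and the two
# dependency atoms come from the messages; the version list is constructed.
FIXED = "3.20.17.7"                      # first v8 with the memory-corruption fix
V8_VERSIONS = ["3.18.5.14", "3.19.18.4", "3.20.17.7"]  # 3.19.18.4 is made up
REVERSE_DEPS = {                         # drizzle's version number is made up
    "sci-geosciences/osgearth-2.4": "=dev-lang/v8-3.18.5.14",
    "dev-db/drizzle-7.1.36": "v8? ( dev-lang/v8 )",
}
ATOM = re.compile(r"(?P<op>>=|<=|[<>=~])?dev-lang/v8(?:-(?P<ver>[\d.]+))?")
USE_COND = re.compile(r"\w+\?\s*\(")     # a "flag? ( ... )" USE-conditional group

def vcmp(a, b):
    """Compare purely numeric dotted versions: -1, 0 or 1. Enough for the
    v8 versions here; full PMS syntax also has suffixes and -rN revisions."""
    for x, y in zip_longest(a.split("."), b.split("."), fillvalue="0"):
        if int(x) != int(y):
            return -1 if int(x) < int(y) else 1
    return 0

def vulnerable(versions=V8_VERSIONS, fixed=FIXED):
    return [v for v in versions if vcmp(v, fixed) < 0]   # still lacking the fix

def mask_entry(fixed=FIXED):
    """The package.mask line that hard-masks everything below the fix."""
    return f"<dev-lang/v8-{fixed}"

def atom_matches(op, ver, candidate):
    """Does one v8 version satisfy an atom with operator `op` and version `ver`?"""
    if ver is None:                      # unversioned atom: any version will do
        return True
    c = vcmp(candidate, ver)
    return {"=": c == 0, "~": c == 0, ">=": c >= 0, ">": c > 0,
            "<=": c <= 0, "<": c < 0}[op or "="]

def audit(deps=REVERSE_DEPS, versions=V8_VERSIONS, fixed=FIXED):
    """Per reverse dependency: is its v8 atom still satisfiable by an unmasked
    version, and is the dependency USE-conditional (so it can be switched off)?"""
    unmasked = [v for v in versions if vcmp(v, fixed) >= 0]
    report = {}
    for pkg, dep in deps.items():
        m = ATOM.search(dep)
        ok = any(atom_matches(m["op"], m["ver"], v) for v in unmasked)
        report[pkg] = {"atom": m.group(0), "satisfiable_after_mask": ok,
                       "use_conditional": USE_COND.search(dep) is not None}
    return report
```

Running `audit()` reports osgearth's `=dev-lang/v8-3.18.5.14` as unsatisfiable after the mask (the pinned dependency has to go, as the message says) and drizzle's unversioned, USE-conditional atom as still resolvable.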

* Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8
From: Ian Stakenvicius @ 2013-11-08 14:42 UTC
  To: gentoo-dev

On 08/11/13 12:22 AM, "Paweł Hajdan, Jr." wrote:
> For some context of this please see 
> <http://thread.gmane.org/gmane.linux.gentoo.devel/88222>
> 
> v8-3.20.17.7 fixes a memory corruption vulnerability, see 
> <http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html>
> 
> However, we still have v8-3.19 and even 3.18 in portage - this is 
> probably an oversight when stabilizing new versions.
> 
> Problem #1 is that sci-geosciences/osgearth-2.4 depends on 
> =dev-lang/v8-3.18.5.14 (see 
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It 
> doesn't work with more recent v8, but it can be made to not depend
> on v8.
> 
> Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is 
> actually broken for other reasons, see 
> <https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE
> flag to be removed and v8 to always be disabled in drizzle.
> 
> With that I'd like to proceed with hard masking v8. I'm working
> with upstream on better API stability, it seems to be working
> pretty well. That's still a very long way to ABI stability, if at
> all possible.
> 
> Please comment on possible solutions for removing known vulnerable
> v8 versions from the tree.
> 
> Paweł
> 

So, you're saying, drop v8 USE flags and deps from these two packages,
and hard-mask?  Makes sense to me...

I'm still a little concerned about the potential security issues
caused by embedded V8's in projects, but as we've already concluded in
that other thread, there's no other way until the API stabilizes.

* Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8
From: Rich Freeman @ 2013-11-08 15:00 UTC
  To: gentoo-dev

On Fri, Nov 8, 2013 at 9:42 AM, Ian Stakenvicius <axs@gentoo.org> wrote:
> I'm still a little concerned about the potential security issues
> caused by embedded V8's in projects, but as we've already concluded in
> that other thread, there's no other way until the API stabilizes..

Yup.  When a project uses a library with an unstable API, they're
basically taking on a commitment to fork it unless upstream backports
all fixes.  If the alternative is re-implementing the library the
project is no worse off (at least with embedded libs we know about the
vulnerabilities).  If there are other alternatives, then they should
probably rethink their strategy.

Rich

* Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8
From: Diego Elio Pettenò @ 2013-11-08 15:18 UTC
  To: gentoo-dev@lists.gentoo.org

On Fri, Nov 8, 2013 at 5:22 AM, "Paweł Hajdan, Jr."
<phajdan.jr@gentoo.org> wrote:

> Problem #1 is that sci-geosciences/osgearth-2.4 depends on
> =dev-lang/v8-3.18.5.14 (see
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
> doesn't work with more recent v8, but it can be made to not depend on v8.
>

If "made not to depend" means "bundle", is the bundled version any safer
than the ebuild there? If the answer is no, you're now increasing the
security issue.

Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/


* Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8
From: Peter Stuge @ 2013-11-08 15:25 UTC
  To: gentoo-dev

Diego Elio Pettenò wrote:
> > Problem #1 is that sci-geosciences/osgearth-2.4 depends on
> > =dev-lang/v8-3.18.5.14 (see
> > <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
> > doesn't work with more recent v8, but it can be made to not depend on v8.
> 
> If "made not to depend" means "bundle", is the bundled version any safer
> than the ebuild there? If the answer is no, you're now increasing the
> security issue.

Based on my previous impression I OTOH assumed that Paweł meant
disabling use of v8, but since I don't use either package I didn't
look at the bug.

Your email made me more curious, and as Paweł wrote the bug gives
plenty of context, among other things Paweł has attached a patch
there to disable v8 in osgearth.

I think it's commendable that he doesn't settle for simply masking
osgearth along with v8.


//Peter


* Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8
From: hasufell @ 2013-11-08 21:49 UTC
  To: gentoo-dev

On 11/08/2013 04:18 PM, Diego Elio Pettenò wrote:
> 
> On Fri, Nov 8, 2013 at 5:22 AM, "Paweł Hajdan, Jr." 
> <phajdan.jr@gentoo.org> wrote:
> 
> Problem #1 is that sci-geosciences/osgearth-2.4 depends on 
> =dev-lang/v8-3.18.5.14 (see 
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It 
> doesn't work with more recent v8, but it can be made to not depend 
> on v8.
> 
> 
> If "made not to depend" means "bundle", is the bundled version any
> safer than the ebuild there? If the answer is no, you're now
> increasing the security issue.
> 
> Diego Elio Pettenò — Flameeyes
> flameeyes@flameeyes.eu — http://blog.flameeyes.eu/


https://github.com/gwaldron/osgearth/issues/333

In short: they kind of forked it (I am not sure if there are any major
modifications yet) and do not plan to bundle it.

There is no release more current than osgearth-2.4, so I am fine with
hardmasking/treecleaning osgearth.

I will not maintain a fork of v8.
