So I hit the computer for the first time today and there's not the usual 2-5 Fedora sec update notices, but 356. That's a first.
So Google Chrome has a really bad zero-day:
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
And these 356 are all this bug. This is very interesting because these just seem like random packages... how can they all have this bug? So it looks like the Chrome stuff got into JDK stuff, and the JDK stuff got into 300+ other things (uh, what?).
Strangely, I don't see notices for Chromium or webkit libraries... unless they are coming next.
Y'all started using firejail to wrap your Chrome/Chromium in after the Feb MUUG presentation, right?? Add some more height to the histogram I posted of Chrome CVEs... Google: leading the pack.
Luckily I mostly use Firefox!
The info on these CVEs is currently very limited. If someone has some juicier info on the hole, let us know.
CVE-2024-1938 Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2024-1939 Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
V8 is the JavaScript engine developed for use in Google Chrome. Tons of projects have imported the V8 JS engine for one reason or another, without necessarily importing Chromium itself. So...... yeah, what you're seeing sounds about right. Even Java supports JavaScript nowadays. -Adam
-----Original Message-----
From: Roundtable roundtable-bounces@muug.ca On Behalf Of Trevor Cordes
Sent: Thursday, March 7, 2024 6:40 PM
To: MUUG RndTbl roundtable@muug.ca
Subject: [RndTbl] Chrome blows up the net?
On 2024-03-08 Adam Thompson wrote:
Haha, so now that has me wondering just how embarrassing this bug really is... something buggy in JS/V8's type massaging perhaps? How on earth does this go unnoticed for (ostensibly) a long time.
So this one bug may have had 356(+!) packages vulnerable. Makes the openssl bug look like child's play.
Oh no... this will just give more ammo to the "force strict typing" crowd!! ;-) <--- sort of
Google programmer skill seems to be devolving to the level of MS, which I would have thought impossible.
If someone finds actual details (or a git commit!) post it here...
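To make Adam's point concrete (one embedded engine fanning out into hundreds of advisories), here is an added example that is not from this thread: a reverse-dependency walk that, given a constructed "package embeds library" graph, lists every package transitively exposed to a vulnerable library and the chain by which it got there. The package names and edges are made up for illustration, not Fedora's real dependency data.

```python
from collections import deque

# Constructed graph (not real Fedora data): consumer -> libraries it embeds or links.
# "jdk" embedding "v8" models Adam's "even Java supports JavaScript" remark.
EMBEDS = {
    "chromium": ["v8"],
    "node": ["v8"],
    "jdk": ["v8"],
    "app-a": ["jdk"],
    "app-b": ["jdk"],
    "app-c": ["app-a"],      # two hops away from the JDK, three from V8
    "firefox": ["spidermonkey"],  # different JS engine, should not be flagged
}


def reverse_deps(embeds):
    """Invert the graph: library -> list of packages that embed it."""
    rev = {}
    for consumer, libs in embeds.items():
        for lib in libs:
            rev.setdefault(lib, []).append(consumer)
    return rev


def affected_by(vulnerable_lib, embeds):
    """Return {package: chain} for every package that transitively embeds vulnerable_lib.

    chain is the shortest embed path, e.g. ["v8", "jdk", "app-a", "app-c"], which is
    what you want when triaging an advisory flood: it tells you *why* app-c is listed.
    """
    rev = reverse_deps(embeds)
    chains = {}
    queue = deque([(vulnerable_lib, [vulnerable_lib])])
    while queue:                       # breadth-first so the first path found is shortest
        lib, path = queue.popleft()
        for consumer in rev.get(lib, []):
            if consumer in chains:     # already reached by a shorter or equal path
                continue
            chains[consumer] = path + [consumer]
            queue.append((consumer, chains[consumer]))
    return chains


def explain(vulnerable_lib, embeds):
    """Render one 'pkg <- ... <- lib' line per affected package, sorted by name."""
    chains = affected_by(vulnerable_lib, embeds)
    return [" <- ".join(reversed(chains[pkg])) for pkg in sorted(chains)]


if __name__ == "__main__":
    for line in explain("v8", EMBEDS):
        print(line)
```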