[RndTbl] Chrome blows up the net?

Adam Thompson athompso at athompso.net
Thu Mar 7 21:17:18 CST 2024


V8 is the JavaScript engine developed for use in Google Chrome.
Tons of projects have imported the V8 JS engine for one reason or another, without necessarily importing Chromium itself.
So...... yeah, what you're seeing sounds about right.  Even Java supports JavaScript nowadays.
-Adam

-----Original Message-----
From: Roundtable <roundtable-bounces at muug.ca> On Behalf Of Trevor Cordes
Sent: Thursday, March 7, 2024 6:40 PM
To: MUUG RndTbl <roundtable at muug.ca>
Subject: [RndTbl] Chrome blows up the net?

So I hit the computer for the first time today and there's not the usual
2-5 Fedora sec update notices, but 356.  That's a first.

So Google Chrome has a really bad zero-day
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8

And these 356 are all this bug.  This is very interesting because these
just seem like random packages... how can they all have this bug?  So it
looks like the Chrome stuff got into JDK stuff, and the JDK stuff got into
300+ other things (uh, what?).

Strangely, I don't see notices for Chromium or webkit libraries... unless
they are coming next.

Y'all started using firejail to wrap your Chrome/Chromium in after the Feb
MUUG presentation, right??  Add some more height to the histogram I
posted of Chrome CVEs... Google: leading the pack.

Luckily I mostly use Firefox!

The info on these CVEs is currently very limited.  If someone has some
juicier info on the hole, let us know.

CVE-2024-1938
Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a
remote attacker to potentially exploit object corruption via a crafted
HTML page. (Chromium security severity: High)

CVE-2024-1939
Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a
remote attacker to potentially exploit heap corruption via a crafted HTML
page. (Chromium security severity: High)