SecurityAdvisory201308013
This advisory concerns implementations of the Array methods in the V8 JavaScript virtual machine (used in Google Chrome):
(a) Implementations of some Array methods are not spec compliant, allowing the caller to mutate a frozen array.
(b) Implementations of some Array methods may under certain circumstances receive an implicit "this" equal to the global window object. We thank Tung Tran [email protected] for reporting this problem.
(a) An attacker could, for example, mutate the Array.prototype object of the frame in which their code is deployed. This can cause unintended behavior of internal Caja code, which may lead to vulnerabilities.
(b) An attacker could gain access to the global window object, then take advantage of this to cause disallowed global page operations.
Either of these could lead to an arbitrary code execution breach.
Upgrade to a version of Caja at or after r5551.
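As an added example (not code from this advisory or from the Caja project), the following JavaScript probes a JavaScript engine for the two behaviours the advisory describes, the way a sandbox loader might check its host engine before admitting untrusted code. Issue (a): every mutating ES5 Array method must throw a TypeError when applied to a frozen array and must leave the array unchanged. Issue (b): an Array method invoked with an undefined `this` must throw a TypeError (ES5 requires ToObject on the `this` value) rather than silently operating on the global object. The list of methods probed and the sample array are constructed for this check; the `globalThis` probe assumes a Node.js host.

```javascript
"use strict";

// Constructed sample input: a frozen array that a spec-compliant engine must never change.
function makeFrozenSample() {
  return Object.freeze([1, 2, 3]);
}

// Mutating ES5 Array.prototype methods, each exercised against a frozen array.
// Per spec every one of them must throw a TypeError (they perform [[Set]] / [[Delete]]
// with the throw flag set), whether or not the caller is in strict mode.
const MUTATORS = {
  push:    (a) => a.push(4),
  pop:     (a) => a.pop(),
  shift:   (a) => a.shift(),
  unshift: (a) => a.unshift(0),
  splice:  (a) => a.splice(0, 1),
  reverse: (a) => a.reverse(),
  sort:    (a) => a.sort((x, y) => y - x),
};

// Issue (a): returns { method: { threw, intact } }. "threw" is true if a TypeError was
// raised; "intact" is true if the array still holds its original contents afterwards.
function checkFrozenArrayMethods() {
  const results = {};
  for (const [name, mutate] of Object.entries(MUTATORS)) {
    const arr = makeFrozenSample();
    const before = JSON.stringify(arr);
    let threw = false;
    try {
      mutate(arr);
    } catch (e) {
      threw = e instanceof TypeError;
    }
    results[name] = { threw, intact: JSON.stringify(arr) === before };
  }
  return results;
}

// Array methods invoked with an undefined `this`. ES5 requires ToObject(this), which
// throws for undefined; an engine with issue (b) would instead fall back to the global
// object and, for push, write an own property "0" onto it.
const IMPLICIT_THIS_PROBES = ["push", "slice", "concat", "join", "indexOf", "forEach"];

// Issue (b): returns { method: { threw, globalIntact } }. globalIntact checks that the
// global object did not acquire an own "0" property. This is valid for Node.js; a
// browser window with child frames exposes window[0] legitimately, so adapt it there.
function checkNoImplicitGlobalThis() {
  const results = {};
  for (const name of IMPLICIT_THIS_PROBES) {
    let threw = false;
    try {
      // The argument is only consumed if the call wrongly proceeds past ToObject(this).
      Array.prototype[name].call(undefined, "probe");
    } catch (e) {
      threw = e instanceof TypeError;
    }
    const globalIntact = !Object.prototype.hasOwnProperty.call(globalThis, "0");
    results[name] = { threw, globalIntact };
  }
  return results;
}

// Overall verdict for a sandbox loader: true only when every probe behaves per spec.
function enginePassesAdvisoryChecks() {
  const frozenOk = Object.values(checkFrozenArrayMethods())
    .every((r) => r.threw && r.intact);
  const thisOk = Object.values(checkNoImplicitGlobalThis())
    .every((r) => r.threw && r.globalIntact);
  return frozenOk && thisOk;
}

console.log(enginePassesAdvisoryChecks()
  ? "engine passes: frozen arrays and explicit-this checks hold"
  : "engine FAILS: refuse to load untrusted code on this engine");
```

A current V8 (any recent Node.js) passes every probe. The value of the check is for loaders that cannot assume a fixed engine: a failing probe is the signal to refuse to run guest code rather than rely on Object.freeze having protected Array.prototype.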
(a) These issues were originally reported against the V8 codebase at:
https://code.google.com/p/v8/issues/detail?id=2469
https://code.google.com/p/v8/issues/detail?id=2615
https://code.google.com/p/v8/issues/detail?id=2800
and against the Caja codebase at:
Discussion of the change is at:
(b) This issue was originally reported against the V8 codebase at:
for which we would like to thank Tung Tran [email protected]. It was reported against the Caja codebase at:
Discussion of the change is at: