
Issue metadata

Status: Fixed
Last visit > 30 days ago
Closed: Oct 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Security: Calling arbitrary V8 native functions from JavaScript

Reported by, Oct 14 2011

Issue description

When lazily parsing function the allow_natives_syntax flag is always set for those functions. The preparser doesn't report invalid use of natives syntax, so within functions arbitrary natives can be called if preparsing is enabled (source file > 1024 byte). The native functions expose V8 internal functionality which could be exploited.

Chrome Version: since 10.0.605.0 (Official Build 68547) canary build
Operating System: All OS

See the attached JavaScript file.
Sorry the version above is not correct: this goes back to Chrome version 9.0.571.0 (r64892) when V8 version 2.5.4 (r5757) was merged into Chrome.
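Added example (not from the report or its attached file): a small Node.js scanner that flags V8 natives-syntax calls, i.e. `%Name(...)`, in JavaScript source while ignoring the modulo operator, comments and string literals. It is the kind of check a triager could run over scripts when hunting for this class of issue; the sample input is constructed, and the scanner deliberately does not handle regex literals.

```javascript
// Constructed sample input: natives syntax inside a function body, next to a
// modulo expression and a '%Name(' inside a string that must not be flagged.
const SAMPLE = `
function f(obj) {
  var s = "text with %Fake(" + obj;   // inside a string literal
  var m = obj.length %Math.max(1, 2); // modulo operator
  %IgnoreAttributesAndSetProperty(obj, "x", 1, 0); // natives syntax call
  return s + m;
}
`;

// Blank out comments and string literals with spaces of equal length so offsets
// and line numbers stay valid. Regex literals are not handled (simplification).
function stripLiterals(src) {
  let out = '', i = 0;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '/' && n === '/') {                     // line comment
      while (i < src.length && src[i] !== '\n') { out += ' '; i++; }
    } else if (c === '/' && n === '*') {              // block comment
      const end = src.indexOf('*/', i + 2);
      const stop = end === -1 ? src.length : end + 2;
      for (; i < stop; i++) out += src[i] === '\n' ? '\n' : ' ';
    } else if (c === '"' || c === "'" || c === '`') { // string literal
      const q = c; out += ' '; i++;
      while (i < src.length && src[i] !== q) {
        if (src[i] === '\\') { out += ' '; i++; }     // skip escaped char
        out += src[i] === '\n' ? '\n' : ' '; i++;
      }
      out += ' '; i++;                                // closing quote
    } else { out += c; i++; }
  }
  return out;
}

// Report every natives-syntax call as { name, line }. A '%' that follows an
// operand (identifier, number, ')' or ']') is the modulo operator and skipped.
function findNativeCalls(src) {
  const code = stripLiterals(src);
  const re = /%([A-Za-z_$][\w$]*)\s*\(/g;
  const findings = [];
  for (let m; (m = re.exec(code)) !== null;) {
    const prefix = code.slice(0, m.index);
    if (/[\w$)\]]$/.test(prefix.trimEnd())) continue;
    findings.push({ name: m[1], line: prefix.split('\n').length });
  }
  return findings;
}

console.log(findNativeCalls(SAMPLE)); // [{ name: 'IgnoreAttributesAndSetProperty', line: 5 }]
```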

Comment 4 by, Oct 14 2011

Labels: -Pri-0 Pri-1 SecSeverity-High Mstone-15 SecImpacts-Stable SecImpacts-Beta
Thanks for catching this. Do you have an ETA on when you'll have a fix ready?

Comment 5 by, Oct 18 2011

Patch committed on v8 bleeding edge as r9643, and ported to all branches since 3.3 (versions (r9653), (r9644), (r9645), (r9646), and (r9651)).

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
@lrn: thanks! Is this by any chance the same issue as ?

Comment 7 by, Oct 18 2011

As Danno says, it's the same exploit.
I don't think there is anything else to it.
It uses a known approach to make an internal method call a malicious function to get access to the script object. This was patched earlier, so overwriting the "lineFromPosition" shouldn't be possible, but it's not safe against someone with access to %IgnoreAttributesAndSetProperty().

Labels: CVE-2011-3891

Comment 9 by, Oct 20 2011

Which Chrome versions have this fix?

Comment 10 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 11 by Project Member, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 12 by Project Member, Mar 10 2013

Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -SecSeverity-High -Mstone-15 -SecImpacts-Stable -SecImpacts-Beta Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta Security-Severity-High M-15 Type-Bug-Security

Comment 13 by Project Member, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 14 by Project Member, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 16 by Project Member, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 17 by Project Member, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 18 by Project Member, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 19 by Project Member, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 20 by Project Member, Apr 6 2013

Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 21 by Project Member, Jun 14 2016

Labels: -security_impact-beta

Comment 22 by Project Member, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 23 by Project Member, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
