Security: Chrome RCE
Reported by no...@beyondsecurity.com, Sep 25
VULNERABILITY DETAILS
A vulnerability in Chrome allows remote attackers to cause Chrome to execute arbitrary code. The vulnerability lies in the V8 optimizer, which leads to a read/write primitive. Shellcode executes in the renderer.

VERSION
Chrome Version: Chrome 67, 68 and 69
Operating System: Windows 10, RS5

REPRODUCTION CASE
Open the provided HTML file and see the magic happen :)
File has been encrypted with security@google.com

Sep 25
Hi, thanks for your report. Unfortunately we cannot decrypt the GPG attachment because it seems to be encrypted to the wrong key.

gpg: encrypted with RSA key, ID 31D00026684184C6
gpg: encrypted with RSA key, ID 0FC941D950CB43FB

The security@google.com gpg key is:
C789A16F 6F4D6519 (OLD)
B8E4105C C9DEDC77 (NEW)

Please feel free to re-encrypt with the security@google.com or security@chromium.org key (we can handle either/both):
https://pgp.mit.edu/pks/lookup?op=get&search=0xB8E4105CC9DEDC77 (security@google.com)
https://pgp.mit.edu/pks/lookup?op=get&search=0xA73851D532C206B6 (security@chromium.org)
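A check a reporter can run before sending an encrypted report, added here as an example and not part of the thread: list the recipient key IDs of the GPG file and compare them with the vendor's published key IDs. The packet listing is constructed from the two key IDs quoted in the reply above, and the file name report.html.gpg is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the bug thread: verify that a GPG-encrypted report is
# encrypted to the vendor's published key before sending it. It parses the output of
# `gpg --batch --list-packets FILE`; the listing below is constructed from the two
# key IDs that the security@google.com reply quoted.

# Print the long (16 hex digit) key ID of every recipient in a packet listing on stdin.
recipient_keyids() {
  sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'a-f' 'A-F'
}

# Usage: check_recipients LISTING_FILE EXPECTED_KEYID...
# Succeeds (exit 0) only if at least one recipient is one of the expected key IDs.
check_recipients() {
  listing=$1; shift
  for id in $(recipient_keyids < "$listing"); do
    for want in "$@"; do
      [ "$id" = "$(printf '%s' "$want" | tr 'a-f' 'A-F')" ] && return 0
    done
  done
  return 1
}

# Constructed sample of what `gpg --batch --list-packets report.html.gpg` prints for an
# attachment encrypted to the two keys from the thread (report.html.gpg is a placeholder name).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
:pubkey enc packet: version 3, algo 1, keyid 31D00026684184C6
	data: [4096 bits]
:pubkey enc packet: version 3, algo 1, keyid 0FC941D950CB43FB
	data: [4096 bits]
:encrypted data packet:
	length: unknown
	mdc_method: 2
EOF

# Long key IDs from the thread: security@google.com (new key) and security@chromium.org.
VENDOR_KEYS="B8E4105CC9DEDC77 A73851D532C206B6"
if check_recipients "$SAMPLE" $VENDOR_KEYS; then
  echo "ok: encrypted to a vendor security key"
else
  echo "wrong key: encrypted to $(recipient_keyids < "$SAMPLE" | tr '\n' ' ')"
fi
```

For a real file, replace the constructed listing with `gpg --batch --list-packets report.html.gpg > "$SAMPLE"`.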

Sep 26
Attaching it in unencrypted form

Sep 26
Pinging other TF team members.

Sep 26
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/52a9e67a477bdb67ca893c25c145ef5191976220

commit 52a9e67a477bdb67ca893c25c145ef5191976220
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Wed Sep 26 12:02:11 2018

[turbofan] Fix ObjectCreate's side effect annotation.

Bug: chromium:888923
Change-Id: Ifb22cd9b34f53de3cf6e47cd92f3c0abeb10ac79
Reviewed-on: https://chromium-review.googlesource.com/1245763
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56236}

[modify] https://crrev.com/52a9e67a477bdb67ca893c25c145ef5191976220/src/compiler/js-operator.cc
[add] https://crrev.com/52a9e67a477bdb67ca893c25c145ef5191976220/test/mjsunit/compiler/regress-888923.js

Sep 27
This essentially takes over the whole renderer. Should we do a 69 respin for this? Please note that this is not a regression.

Oct 2
We should definitely get it into 70, and a merge to 69 won't hurt in case there does turn out to be another respin.

Oct 2
This bug requires manual review: We are only 13 days from stable. Please contact the milestone owner if you have questions.
Owners: benmason@ (Android), kariahda@ (iOS), geohsu@ (ChromeOS), abdulsyed@ (Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Oct 2
Approving merge for M70. Branch: 3538
+govind@ for M69 review. However note that we are about 2 weeks away from M70 stable.

Oct 2
We're NOT planning any further M69 respin for Desktop. awhalley@, does it still make sense to approve the merge to M69 based on comment #15?

Oct 2
Either way, my thinking was that if we do a 69 respin it would be urgent at short notice, so getting changes in just in case would be good, but we can also re-assess if that happens.

Oct 2
Got it, approving merge to M69 branch 3497 based on comment #19. We will pick up this change for any future M69 respin (if any).

Oct 2
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9e12622c9158384a4f73e73b9b966662b7b5ac73

commit 9e12622c9158384a4f73e73b9b966662b7b5ac73
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Tue Oct 02 21:13:44 2018

Merged: [turbofan] Fix ObjectCreate's side effect annotation.

Revision: 52a9e67a477bdb67ca893c25c145ef5191976220

BUG= chromium:888923
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=gsathya@chromium.org

Change-Id: I712017c082a3520f2ab9971924e564982f8a9741
Reviewed-on: https://chromium-review.googlesource.com/c/1257809
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.0@{#51}
Cr-Branched-From: 6e2adae6f7f8e891cfd01f3280482b20590427a6-refs/heads/7.0.276@{#1}
Cr-Branched-From: bc08a8624cbbea7a2d30071472bc73ad9544eadf-refs/heads/master@{#55424}

[modify] https://crrev.com/9e12622c9158384a4f73e73b9b966662b7b5ac73/src/compiler/js-operator.cc
[add] https://crrev.com/9e12622c9158384a4f73e73b9b966662b7b5ac73/test/mjsunit/compiler/regress-888923.js

Oct 2
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/e044c13118780334d87f46032b521e8f5af1fa78

commit e044c13118780334d87f46032b521e8f5af1fa78
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Tue Oct 02 21:31:42 2018

Merged: [turbofan] Fix ObjectCreate's side effect annotation.

Revision: 52a9e67a477bdb67ca893c25c145ef5191976220

BUG= chromium:888923
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org

Change-Id: I39583b87019249c981254cb7f6407e508b674d38
Reviewed-on: https://chromium-review.googlesource.com/c/1257817
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.9@{#62}
Cr-Branched-From: d7b61abe7b48928aed739f02bf7695732d359e7e-refs/heads/6.9.427@{#1}
Cr-Branched-From: b7e108d6016bf6b7de3a34e6d61cb522f5193460-refs/heads/master@{#54504}

[modify] https://crrev.com/e044c13118780334d87f46032b521e8f5af1fa78/src/compiler/js-operator.cc
[add] https://crrev.com/e044c13118780334d87f46032b521e8f5af1fa78/test/mjsunit/compiler/regress-888923.js

Dec 14
This was needed on Node.js 10. Backport: https://github.com/nodejs/node/pull/25027

Jan 3
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Comment 1 by dominickn@chromium.org, Sep 25
Components: Blink>JavaScript
Labels: OS-Windows