deps: V8: backport f320600cd1f4 (V18.x CVE-2024-4761) #54597
Conversation
Original commit message:
[wasm-gc] Only normalize JSObject targets in SetOrCopyDataProperties
Bug: 339458194
Change-Id: I4d6eebdd921971fa28d7c474535d978900ba633f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5527397
Reviewed-by: Rezvan Mahdavi Hezaveh <[email protected]>
Commit-Queue: Shu-yu Guo <[email protected]>
Cr-Commit-Position: refs/heads/main@{#93811}
Refs: v8/v8@f320600
|
Review requested:
|
nodejs-github-bot
added
build
|
Any reason to believe this is needed? wasm-gc has not been enabled in V8 until very recently (end of 2023) |
|
Latest Node 18 minor version has V8 10.2.154.26. See https://github.com/nodejs/node/blob/v18.20.4/deps/v8/include/v8-version.h |
|
My point is that wasm-gc (the feature that the commit targets), was not enabled in V8 10.2. So that version cannot be affected. |
giancorderoortiz
changed the title
RedYetiDev
added
the
commit-queue-squash
There was a problem hiding this comment.
This is unfortunately needed to please the vulnerability scanners. We stated previously that while this is not a vulnerability for Node.js, we would accept a backport if somebody would do it. (As stated, this is work for the sake of work created by the vulnerability scanners and company policies).
lgtm
|
@mcollina this doesn't even build. I'm sorry but I refuse to spend voluntary time fixing stuff for broken payed security tools. |
|
@giancorderoortiz I appreciate the effort you made, this is not your fault |
|
I'd also like to understand something: let's say that we successfully (and meaningfully) backport a V8 CVE fix into v18.x. What mechanism will make the security tools stop flagging Node.js as vulnerable? |
As said, this is up to @giancorderoortiz and their employer to fix if they want to, not us. (So no, don't spend any time on it @targos). |
I actually have no clue. Likely they can put a checkmark in a spreadsheet that this was mitigated. It is the unfortunate reality of the enterprise world. If any of my current or past employers would have needed something like this under a support contract, I would have obliged, to the point of sending a PR or creating a build of Node just for them. Frankly, dealing with these kind of things is why we are enrolling in HeroDevs. |
|
I'm one of the few active releasers. Creating a release is a lot of time. |
|
We should also take into account the risk of backporting V8 fixes. This very pull request shows that it is non trivial and while here it's obvious because the build is broken, another change might build fine but break the system in unexpected ways. I don't know if anyone in the active collaborator base knows V8 good enough to properly review these changes |
mcollina
added
the
tsc-agenda
|
I can't find the issue atm, but I recall that @RafaelGSS mentioned he would assemble a release. |
Original commit message:
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug: 341663589
Change-Id: Ice9a710293b028e5d9fd30d5d85c4842f970b152
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5558360
Reviewed-by: Adam Klein <[email protected]>
Reviewed-by: Shu-yu Guo <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.4@{nodejs#38}
Cr-Branched-From: 309640da62fae0485c7e4f64829627c92d53b35d-refs/heads/12.4.254@{nodejs#1}
Cr-Branched-From: 5dc24701432278556a9829d27c532f974643e6df-refs/heads/main@{#92862}
Refs: v8/v8@6e5e105
github-actions
bot
removed
the
request-ci
mhdawson
removed
the
tsc-agenda
|
The outcome of the TSC meeting is that, unfortunately, we are not planning to accept this backport due to compatibility risk as this will need to go to maintenance release. Thanks anyway. |
V8 Backport of v8/v8@f320600
Fixes CVE-2024-4761, which has been tagged by CISA as KEV.