"Re: it must be demonstrated that libv8 does not process untrusted javascript
libv8 is used to provide the scriptable shell in mongodb; access to the shell is via the mongo client application." We allowed V8 to be embedded in the Ubuntu SDK because the attack surface was greatly reduced-- it won't process arbitrary QML-- it will process code from the developer. There are some corner cases with string processing where we need to keep an eye on V8 CVEs, but on the whole, V8 in the Ubuntu SDK can largely be ignored. For mongodb you described a different situation. The mongo client application provides a scriptable shell. We fixed all kinds of vulnerabilities for an authenticated attacker in other software. Even if we said we need to enforce authentication and decided we wouldn't fix V8 bugs for an authenticated attacker, we would still have to fix them for the now non-default configurations that don't use authentication and/or connections through the loopback (loopback isn't strong protection anyway-- if there were a vulnerability in another piece of software on the system, a remote attacker could attack it and then attack mongo via the loopback) I think this provides an attack surface such that we would have to support V8 with security updates. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1187262 Title: [MIR] mongodb, libv8, snowball, gyp To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gyp/+bug/1187262/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
