NAK. I stopped the security audit as soon as I saw that qtjsbackend-opensource-src contains an embedded copy of the Google V8 Javascript engine (ie, libv8). The version that is embedded is 3.11.4 from last May. libv8 in the archive already has no one maintaining it and its older than what's in qtjsbackend-opensource-src, so switching to it wouldn't help (it has 13 open CVEs against it). There are currently 5 open CVEs against the version that is in qtjsbackend-opensource-src right now: CVE-2012-5120 CVE-2012-5128 CVE-2012-5153 CVE-2013-0836 CVE-2013-2632
Furthermore, qtjsbackend-opensource-src's own README file has instructions on updating the embedded v8: "In the likely case of conflicts, follow the git instructions about continuing the patch application process after resolving the conflicts." This probably explains why libv8 hasn't been updated upstream. I also looked at fixes and they will require significant backporting. Between the 5 open CVEs in qtjsbackend-opensource-src now, upstream's reluctance to keep it up to date, a lack of a suitable in archive alternative in libv8, the complexity of maintaining a Javascript engine without upstream support, and its security history, I believe qtjsbackend-opensource-src is unsupportable currently. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-5120 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-5128 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-5153 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-0836 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-2632 ** Changed in: qtjsbackend-opensource-src (Ubuntu) Status: Incomplete => Won't Fix ** Changed in: qtjsbackend-opensource-src (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1157732 Title: [MIR] circle of friends To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/accounts-qml-module/+bug/1157732/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
