Broken and defunct libv8-3.14 urgently needs removal

Bug #1837038 reported by Jeroen Ooms
Affects: libv8-3.14 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am the upstream author of r-cran-v8, the R bindings for libv8.

The libv8-3.14 package has been superseded in Debian by libnode-dev. Both packages provide "libv8-dev"; however, libv8-3.14 is broken beyond repair, with many security problems and crashes when compiled with recent versions of GCC.

Debian has removed libv8-3.14 from stable and modified libnode-dev to provide a drop-in replacement. This works great and r-cran-v8 now uses this.

Unfortunately Ubuntu also still has the broken libv8-3.14 (in disco and eoan). And when users compile the R bindings from source via "apt-get install libv8-dev", unfortunately apt installs the old, broken version of v8, rather than the virtual one from libnode-dev.

There are two solutions:
 - Remove libv8-3.14 altogether
 - Modify libv8-3.14 such that it no longer provides libv8-dev, but only libv8-3.14-dev. Therefore users will get the working version when they do apt-get install libv8-dev.

I hope this can be resolved before the next LTS!
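
The shadowing this report describes, where a real libv8-dev package hides the virtual one provided by libnode-dev, can be checked mechanically. This added example (not part of the original report and not apt's own code) parses constructed Packages-style stanzas; the stanza contents, the placeholder libnode-dev version and the function names are assumptions.

```python
# Added example. The stanzas are constructed; only the package names and the
# 3.14.5.8-11ubuntu1 version appear in the bug report.
SAMPLE_PACKAGES = """\
Package: libv8-dev
Source: libv8-3.14
Version: 3.14.5.8-11ubuntu1
Depends: libv8-3.14.5 (= 3.14.5.8-11ubuntu1)

Package: libnode-dev
Source: nodejs
Version: 0.0.0-placeholder
Provides: libv8-dev
"""


def parse_stanzas(text):
    """Parse deb822-style stanzas (the apt Packages index format) into dicts."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            stanzas.append(fields)
    return stanzas


def provided_names(stanza):
    """Names in Provides:, without a versioned suffix such as '(= 1.0)'."""
    return [e.split("(")[0].strip() for e in stanza.get("Provides", "").split(",")]


def resolve(name, stanzas):
    """What a request for `name` selects, and which providers a real package hides."""
    real = next((s for s in stanzas if s["Package"] == name), None)
    providers = [s for s in stanzas if s["Package"] != name and name in provided_names(s)]
    # A real package wins over providers; a purely virtual name resolves only
    # when exactly one package provides it.
    chosen = real or (providers[0] if len(providers) == 1 else None)
    return {
        "selected": chosen["Package"] if chosen else None,
        "source": chosen.get("Source", chosen["Package"]) if chosen else None,
        "shadowed_providers": sorted(p["Package"] for p in providers) if real else [],
    }
```

Dropping the real libv8-dev stanza from the input, which is the effect of either solution proposed above, makes the same request resolve to libnode-dev.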

Hans Joachim Desserud (hjd) wrote :

Thanks for reporting.

I've subscribed the Ubuntu archive admins to take a look at this.

Just a note: while the package was removed from Debian stable/testing, it looks like it is still present in unstable https://tracker.debian.org/pkg/libv8-3.14.

Jeroen Ooms (jeroen) wrote :

Thank you!

Indeed, the Debian maintainer (Jérémy Lal) told me he is in the process of removing libv8-3.14 entirely as well, but they need to deal with the last reverse dependency (uwsgi-plugin-v8).

But for them it's less of an urgent issue because they have already removed it from stable branches. However for Ubuntu it is currently still affecting releases.

Jeroen Ooms (jeroen) wrote :

Is there somebody that can take a look at this? Again libv8-3.14 crashes on start, has a lot of security issues and has been removed from Debian stable.

What's worse is that libv8-3.14 is masking the working version of libv8-dev from libnode-dev.

Copying from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773671:

The following vulnerabilities were published for libv8-3.14.

CVE-2013-2632[0]:
| Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3,
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via crafted
| JavaScript code, as demonstrated by the Bejeweled game.

CVE-2013-2838[1]:
| Google V8, as used in Google Chrome before 27.0.1453.93, allows remote
| attackers to cause a denial of service (out-of-bounds read) via
| unspecified vectors.

CVE-2013-2882[2]:
| Google V8, as used in Google Chrome before 28.0.1500.95, allows remote
| attackers to cause a denial of service or possibly have unspecified
| other impact via vectors that leverage "type confusion."

CVE-2013-2919[3]:
| Google V8, as used in Google Chrome before 30.0.1599.66, allows remote
| attackers to cause a denial of service (memory corruption) or possibly
| have unspecified other impact via unknown vectors.

CVE-2013-6638[4]:
| Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7,
| as used in Google Chrome before 31.0.1650.63, allow remote attackers
| to cause a denial of service or possibly have unspecified other impact
| via vectors that trigger a large typed array, related to the (1)
| Runtime_TypedArrayInitialize and (2)
| Runtime_TypedArrayInitializeFromArrayLike functions.

CVE-2013-6639[5]:
| The DehoistArrayIndex function in hydrogen-dehoist.cc (aka
| hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome
| before 31.0.1650.63, allows remote attackers to cause a denial of
| service (out-of-bounds write) or possibly have unspecified other
| impact via JavaScript code that sets the value of an array element
| with a crafted index.

CVE-2013-6640[6]:
| The DehoistArrayIndex function in hydrogen-dehoist.cc (aka
| hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome
| before 31.0.1650.63, allows remote attackers to cause a denial of
| service (out-of-bounds read) via JavaScript code that sets a variable
| to the value of an array element with a crafted index.

CVE-2013-6649[7]:
| Use-after-free vulnerability in the RenderSVGImage::paint function in
| core/rendering/svg/RenderSVGImage.cpp in Blink, as used in Google
| Chrome before 32.0.1700.102, allows remote attackers to cause a denial
| of service or possibly have unspecified other impact via vectors
| involving a zero-size SVG image.

CVE-2013-6650[8]:
| The StoreBuffer::ExemptPopularPages function in store-buffer.cc in
| Google V8 before 3.22.24.16, as used in Google Chrome before
| 32.0.1700.102, allows remote attackers to cause a denial of service
| (memory corruption) or possibly have unspecified other impact via
| vectors that trigger incorrect handling of "popular pages."

CVE-2013-6668[9]:
| Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10,
| as used in Goog...


Seth Arnold (seth-arnold) wrote :

On my Bionic box, I see there's a few direct reverse dependencies:

$ apt-rdepends --reverse libv8-3.14.5
Reading package lists... Done
Building dependency tree
Reading state information... Done
libv8-3.14.5
  Reverse Depends: libv8-3.14-dbg (= 3.14.5.8-11ubuntu1)
  Reverse Depends: libv8-3.14-dev (= 3.14.5.8-11ubuntu1)
  Reverse Depends: libv8-dev (= 3.14.5.8-11ubuntu1)
  Reverse Depends: postgresql-10-plv8 (1:1.4.10.ds-2)
  Reverse Depends: r-cran-v8 (1.5-1)
  Reverse Depends: uwsgi-plugin-v8 (2.0.15+10+0.0.3)
libv8-3.14-dbg
libv8-3.14-dev
libv8-dev
postgresql-10-plv8
  Reverse Depends: postgresql-10-plv8-dbgsym (= 1:1.4.10.ds-2)
postgresql-10-plv8-dbgsym
r-cran-v8
  Reverse Depends: r-cran-v8-dbgsym (= 1.5-1)
r-cran-v8-dbgsym
uwsgi-plugin-v8
  Reverse Depends: uwsgi-plugin-v8-dbgsym (= 2.0.15+10+0.0.3)
uwsgi-plugin-v8-dbgsym

$ acsh postgresql-10-plv8
Package: postgresql-10-plv8
Architecture: amd64
Version: 1:1.4.10.ds-2
Priority: extra
Section: universe/database
Source: plv8
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Debian PostgreSQL Maintainers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 131
Provides: postgresql-plv8
Depends: postgresql-10, libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5.2), libv8-3.14.5
Filename: pool/universe/p/plv8/postgresql-10-plv8_1.4.10.ds-2_amd64.deb
Size: 47592
MD5sum: 84d40c9333535f5fee482e59ea398eab
SHA1: 7f05205564529b1962a343e3ac640d3b35c03697
SHA256: 2af68464c9b39f8af33c79e17b9c3ef65cb7e37d56d39efbe48bf166394bdd9e
Homepage: https://github.com/plv8/plv8
Description-en: Procedural language interface between PostgreSQL and JavaScript
 V8 is a high performance JavaScript engine written in C++. It is used
 in the document-oriented data store MongoDB.
 .
 PostgreSQL is an open source SQL database server.
 .
 This package provides a procedural language interface to JavaScript from
 PostgreSQL. Procedural languages are used to write functions
 which can be called in database queries.
Description-md5: cb193632a564b400b3bf3ac64a8d0cec

$ acsh r-cran-v8
Package: r-cran-v8
Architecture: amd64
Version: 1.5-1
Priority: optional
Section: universe/gnu-r
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Debian Science Maintainers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 1007
Depends: r-base-core (>= 3.4.2-1ubuntu2), r-api-3.4, r-cran-rcpp (>= 0.12), r-cran-jsonlite (>= 1.0), r-cran-curl (>= 1.0), libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5.2), libv8-3.14.5, libjs-underscore
Suggests: r-cran-testthat, r-cran-knitr
Filename: pool/universe/r/r-cran-v8/r-cran-v8_1.5-1_amd64.deb
Size: 301824
MD5sum: 4daf6d2a1519b20ae1ade180d74a8838
SHA1: 413de1e9cccc1f504000b84f5a4b6c678542b980
SHA256: 946c15c739b2cdf19f0edbd226a89e380ecbc8bd5b57244adde5653f4550d883
Homepage: https://cran.r-project.org/package=V8
Description-en: Embedded JavaScript Engine for R
 An R interface to Google's open source JavaScript engine.
 V8 is written in C++ and implements ECM...


Jeroen Ooms (jeroen) wrote :

In the latest versions of Debian/Ubuntu, postgresql-10-plv8 has already been removed and r-cran-v8 has been ported to use the working v8 provided by libnode: https://packages.ubuntu.com/eoan/r-cran-v8

So this only leaves 'uwsgi-plugin-v8'. In Debian this package has been removed from the stable distributions, but it is still in 'unstable'. I am not sure what this package does, but it cannot possibly work because libv8-3.14 crashes when you try to initiate it.

Seth Arnold (seth-arnold) wrote :

Oh! Jeroen! I'm sorry I didn't notice who reported this bug when responding earlier. :) Hello again, it's good to hear from you.

Thanks for the details.

Jeroen Ooms (jeroen) wrote :

It looks like the problem has been solved upstream by Debian, which has removed this package from sid.

Hans Joachim Desserud (hjd) wrote :

Also removed from Ubuntu Eoan recently (https://launchpad.net/ubuntu/+source/libv8-3.14/+publishinghistory)

I see Disco (19.04) was mentioned above, though I don't know if packages can/will be removed from non-development releases.

Steve Langasek (vorlon) wrote :

This has been removed from eoan pursuant to its removal from Debian.
Debian removal comment:
  ROM; outdated and useless library; Debian bug #934734

Changed in libv8-3.14 (Ubuntu):
status: New → Fix Released