[Bug 1187262] Re: [MIR] mongodb, libv8, snowball, gyp

Jamie Strandboge jamie at ubuntu.com
Tue Jul 9 15:52:17 UTC 2013


"Re: it must be demonstrated that libv8 does not process untrusted
javascript

libv8 is used to provide the scriptable shell in mongodb; access to the
shell is via the mongo client application."

We allowed V8 to be embedded in the Ubuntu SDK because the attack
surface was greatly reduced-- it won't process arbitrary QML-- it will
process code from the developer. There are some corner cases with string
processing where we need to keep an eye on V8 CVEs, but on the whole, V8
in the Ubuntu SDK can largely be ignored.

For mongodb you described a different situation. The mongo client
application provides a scriptable shell. We fixed all kinds of
vulnerabilities for an authenticated attacker in other software. Even if
we said we need to enforce authentication and decided we wouldn't fix V8
bugs for an authenticated attacker, we would still have to fix them for
the now non-default configurations that don't use authentication and/or
connections through the loopback (loopback isn't strong protection
anyway-- if there were a vulnerability in another piece of software on
the system, a remote attacker could attack it and then attack mongo via
the loopback). I think this provides an attack surface such that we
would have to support V8 with security updates.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1187262

Title:
  [MIR] mongodb, libv8, snowball, gyp

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gyp/+bug/1187262/+subscriptions