Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 539108 (CVE-2014-9654) - <dev-libs/icu-54.1-r1: unspecified overflow vulnerability in regular expression processing (CVE-2014-9654)
Summary: <dev-libs/icu-54.1-r1: unspecified overflow vulnerability in regular expressi...
Status: RESOLVED FIXED
Alias: CVE-2014-9654
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-06 14:02 UTC by Agostino Sarubbo
Modified: 2015-03-14 18:27 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-02-06 14:02:34 UTC
From ${URL} :

An unspecified overlow vulnerability was fixed in ICU [1] and Chrome browser [2][3].

[1]: http://bugs.icu-project.org/trac/changeset/36801
[2]: https://code.google.com/p/chromium/issues/detail?id=432209
[3]: https://chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2015-02-07 17:52:30 UTC
Patch added to dev-libs/icu-53.1-r3 and dev-libs/icu-54.1-r1

Unfortunately the patch looks like it breaks ABI. So I've changed the subslot in each case (53 -> 53a, 54 -> 54a).

Needs testing for a while and then a decision whether 53.1-r3 or 54.1-r1 goes stable. (54.1 was only just bumped a few days ago.)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2015-02-14 16:52:18 UTC
(In reply to Andreas K. Hüttel from comment #1)
> Needs testing for a while and then a decision whether 53.1-r3 or 54.1-r1
> goes stable. (54.1 was only just bumped a few days ago.)

Looks good, so let's go immediately for dev-libs/icu-54.1-r1

Arches please stabilize
Target: all stable arches

=dev-libs/icu-54.1-r1

On amd64 and x86 this needs to be synchronized with bug 534684 (because of libreoffice-bin dependencies). This obsoletes bug 523164.
Comment 3 Agostino Sarubbo gentoo-dev 2015-02-15 14:57:45 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-02-15 14:59:36 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-16 08:48:21 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-16 10:24:04 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2015-02-17 21:11:22 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-18 08:52:58 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-18 09:18:24 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-23 11:38:36 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:47 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2015-02-25 00:19:39 UTC
All vulnerable versions removed. Office out.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-02-25 04:20:57 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-03-14 18:27:28 UTC
This issue was resolved and addressed in
 GLSA 201503-06 at https://security.gentoo.org/glsa/201503-06
by GLSA coordinator Kristian Fiskerstrand (K_F).