
Bug 486948 (CVE-2013-2924)

Summary: <dev-libs/icu-51.2-r1 : Use-after-free vulnerability (CVE-2013-2924)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1015594
http://code.google.com/p/chromium/issues/detail?id=275803
http://bugs.debian.org/702346
http://bugs.icu-project.org/trac/ticket/10318
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
changeset_34076.diff (flags: none)

Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-04 10:54:48 UTC
CVE-2013-2924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2924):
  Use-after-free vulnerability in International Components for Unicode (ICU),
  as used in Google Chrome before 30.0.1599.66 and other products, allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via unknown vectors.
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-04 11:29:32 UTC

*** This bug has been marked as a duplicate of bug 486900 ***
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-06 15:37:24 UTC
*** Bug 486900 has been marked as a duplicate of this bug. ***
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-29 12:18:23 UTC
Created attachment 362224 [details, diff]
changeset_34076.diff

Upstream patch to address the issue. Taken from

http://bugs.icu-project.org/trac/changeset/34076
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 17:14:28 UTC
What's the plan here? If you want to fast-stabilize a newer version I'd like to know asap, since I have to re-build libreoffice-bin because of poppler anyway.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2013-10-30 08:46:24 UTC
(In reply to Andreas K. Hüttel from comment #4)
> What's the plan here? If you want to fast-stabilize a newer version I'd like
> to know asap, since I have to re-build libreoffice-bin because of poppler
> anyway.

OK we're going with =dev-libs/icu-51.2-r1

Please do your security magic and have arches stabilize that.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2013-10-31 23:12:46 UTC
Arches please security-stabilize 

=dev-libs/icu-51.2-r1

Target: all stable arches
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-01 13:02:14 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:19 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:27 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:36 UTC
x86 stable
Comment 11 Nikoli 2013-11-01 16:24:38 UTC
Current icu ebuild has wrong subslot and causes useless rebuild of libreoffice and several other packages:
https://bugs.gentoo.org/show_bug.cgi?id=464876#c2
Comment 12 Agostino Sarubbo gentoo-dev 2013-11-01 20:57:51 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-11-02 08:03:32 UTC
arm stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-02 16:46:14 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo gentoo-dev 2013-11-03 11:24:44 UTC
sparc stable
Comment 16 pavel sanda 2013-11-05 07:39:10 UTC
I see a dependency conflict with bibtexu with the newly stabilized ebuild, https://bugs.gentoo.org/show_bug.cgi?id=490459
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-12 20:13:42 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Sergey Popov gentoo-dev 2013-11-13 09:07:37 UTC
GLSA vote: yes
Comment 19 Agostino Sarubbo gentoo-dev 2013-11-14 11:51:00 UTC
(In reply to Sergey Popov from comment #18)
> GLSA vote: yes

This is A. Please file the request or add to the existing.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2013-11-15 07:07:32 UTC
GLSA Request Filed
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2013-12-27 15:37:55 UTC
All vulnerable versions removed from the tree.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-02-10 11:16:20 UTC
This issue was resolved and addressed in
 GLSA 201402-14 at http://security.gentoo.org/glsa/glsa-201402-14.xml
by GLSA coordinator Mikle Kolyada (Zlogene).