Summary: | dev-libs/icu <= 3.8.1 Regular Expressions Vulnerabilities (CVE-2007-(4770|4771)) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Lars Hartmann <lars> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | h.mth, office, php-bugs |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://secunia.com/advisories/28575 | | |
Whiteboard: | B1 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 206889 | | |
Description
Lars Hartmann
2008-01-29 07:34:24 UTC
maintainers - please provide an updated ebuild

*** Bug 207905 has been marked as a duplicate of this bug. ***

ping

I reproduced the 4771 issue on 3.6.1. Caolan McNamara from RedHat backported the patches to 3.6: https://bugzilla.redhat.com/show_bug.cgi?id=429023

This bug also affects OpenOffice, as it currently uses an internal copy of icu. OpenOffice herd, please advise here.

OpenOffice, please try building against the (security patched) libicu 3.8.1-r1 here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/

If that does not work, please patch the copy of icu.

(In reply to comment #5)
> OpenOffice, please try building against the (security patched) libicu 3.8.1-r1
> here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/
>
> If that does not work, please patch the copy of icu.

I've added a new revision (-r1) of openoffice-2.3.1 to portage, this uses external icu again (we had to back this out prior to stabilizing 2.3.1 as it was broken in OOo), works fine here on x86, other archs will have to test accordingly

icu-3.8.1-r1 with the patch is in the tree now, thanks to jakub. I did not do any tests except from compiling (I haven't touched that package before anyway). I might try building OOo tomorrow, but certainly not today.

icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in doubt. ;)

(In reply to comment #8)
> icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want
> 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in
> doubt. ;)

Well, yes, definitely. It won't compile with ~icu-3.6.

arches, please test and stabilize the following:

dev-libs/icu-3.6-r2 (will be hanging around for dev-libs/xerces-c-2.8.0 at least unless someone fixes the messy thing to work w/ icu-3.8.x)

dev-libs/icu-3.8.1-r1

ppc and ppc64 done. dertobi123 tested ppc and I committed for his convenience.

Stable for HPPA.

x86 stable

alpha/ia64/sparc stable

amd64 done

(In reply to comment #14)
> amd64 done

You missed dev-libs/icu-3.6-r2; thanks.

(In reply to comment #15)
> (In reply to comment #14)
> > amd64 done
>
> You missed dev-libs/icu-3.6-r2; thanks.

done

Updated in release snapshot.

GLSA 200803-20