Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 437834 (CVE-2012-5109)

Summary: <dev-libs/icu-4.6.1: out-of-bounds read via vectors related to a regular expression (CVE-2012-5109)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: arfrever.fta, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=864538
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-10-10 13:14:42 UTC 
From red hat bugzilla at $URL:

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5109 to the following vulnerability:

The International Components for Unicode (ICU) functionality in Google Chrome before 22.0.1229.92 allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to a regular expression.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5109
[2] http://googlechromereleases.blogspot.com/2012/10/stable-channel-update.html
[3] https://code.google.com/p/chromium/issues/detail?id=148692 (private)
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-13 20:37:13 UTC 
CVE-2012-5109 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5109):
  The International Components for Unicode (ICU) functionality in Google
  Chrome before 22.0.1229.92 allows remote attackers to cause a denial of
  service (out-of-bounds read) via vectors related to a regular expression.
Comment 2 Arfrever Frehtes Taifersar Arahesis 2012-10-24 16:51:19 UTC 
Red Hat bug mentioned in URL field now contains:
"Upstream patch:
http://bugs.icu-project.org/trac/changeset/29356"

So bug #437834 was fixed since ICU 4.6.1.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-24 19:09:35 UTC 
(In reply to comment #2)
> Red Hat bug mentioned in URL field now contains:
> "Upstream patch:
> http://bugs.icu-project.org/trac/changeset/29356"
> 
> So bug #437834 was fixed since ICU 4.6.1.

Thank you, Arfrever. 

GLSA vote: no. Not only would this lead to a client-side DoS, but ICU users should already be protected by applying the resolution in GLSA 201209-07.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 22:09:38 UTC 
Closing noglsa.