
Bug 460426 (CVE-2013-0900)

Summary: <dev-libs/icu-50.1.2: Race condition allows remote attackers to cause a DoS (CVE-2013-0900)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=918167
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 467452    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-03-05 17:28:18 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0900 to the following 
vulnerability:

Race condition in the International Components for Unicode (ICU) functionality in Google Chrome 
before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote 
attackers to cause a denial of service or possibly have unspecified other impact via unknown 
vectors.

References:
[1] https://code.google.com/p/chromium/issues/detail?id=152442 (private)
[2] http://googlechromereleases.blogspot.com/2013/02/stable-channel-update_21.html

Other references:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702346
[4] http://bugs.icu-project.org/trac/ticket/9737
[5] http://bugs.icu-project.org/trac/changeset/32865
[6] http://bugs.icu-project.org/trac/changeset/32908
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-05 22:43:56 UTC
CVE-2013-0900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0900):
  Race condition in the International Components for Unicode (ICU)
  functionality in Google Chrome before 25.0.1364.97 on Windows and Linux, and
  before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial
  of service or possibly have unspecified other impact via unknown vectors.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-14 11:45:07 UTC
@openoffice, it looks like there are ABI issues preventing us from stabilizing =dev-libs/icu-50.1.2 ?
Comment 3 Tomáš Chvátal (RETIRED) gentoo-dev 2013-03-14 11:57:34 UTC
(In reply to comment #2)
> @openoffice, it looks like there are ABI issues preventing us from
> stabilizing =dev-libs/icu-50.1.2 ?

Actually the icu-50.1.2 is fine, but I would rather see the patch in 49; 50 series have serious regressions in RTL rendering. Would that be possible?
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-14 12:04:08 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > @openoffice, it looks like there are ABI issues preventing us from
> > stabilizing =dev-libs/icu-50.1.2 ?
> 
> Actually the icu-50.1.2 is fine, but I would rather see the patch in 49; 50
> series have serious regressions in RTL rendering. Would that be possible?

Ok, we will backtrack to [ebuild] and wait for a patched 49 ebuild.
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-19 20:46:49 UTC
I guess this is A3 instead of B3
Comment 6 Tomáš Chvátal (RETIRED) gentoo-dev 2013-04-28 13:43:16 UTC
Filed stabilisation request on the new enough icu.
Comment 7 Andrew John Hughes 2013-06-04 18:01:33 UTC
Is there a plan to package 51.2?  Either that or remove vulnerable versions: http://site.icu-project.org/download/51
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2013-12-27 17:21:02 UTC
OK guys could ANYONE please state here in which icu version this bug is fixed **upstream**?  Ago, you filed it, have a word!

(My guess is that this zombie issue is long fixed in all icu versions in the tree, but it would be nice to have that confirmed.)
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2013-12-27 17:24:47 UTC
(In reply to Andreas K. Hüttel from comment #8)
> OK guys could ANYONE please state here in which icu version this bug is
> fixed **upstream**?  Ago, you filed it, have a word!
> 
> (My guess is that this zombie issue is long fixed in all icu versions in the
> tree, but it would be nice to have that confirmed.)

Never mind, comment 2 and comment 3 say it's fixed in 50.1.2

Nothing to do for office here anymore
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2013-12-29 22:38:07 UTC
In comment #4 ankle set it to build again because people wanted it backported to the 49 build. Looks like that action was never taken; this was stabilized as per Bug # 467452.

Stabilized version was 51.1 that fixes this CVE. Current version in tree is 51.2-r1, 51.1 is not in tree anymore.

Adding to Existing GLSA Draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-02-10 11:16:18 UTC
This issue was resolved and addressed in
 GLSA 201402-14 at http://security.gentoo.org/glsa/glsa-201402-14.xml
by GLSA coordinator Mikle Kolyada (Zlogene).