Summary: | <dev-libs/icu-50.1.2: Race condition allows remote attackers to cause a DoS (CVE-2013-0900) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | | |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=918167 | | |
Whiteboard: | A3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 467452 | | |
Bug Blocks: | | | |
Description
Agostino Sarubbo
2013-03-05 17:28:18 UTC
CVE-2013-0900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0900): Race condition in the International Components for Unicode (ICU) functionality in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

@openoffice, it looks like there are ABI issues preventing us from stabilizing =dev-libs/icu-50.1.2 ?

(In reply to comment #2)
> @openoffice, it looks like there are ABI issues preventing us from
> stabilizing =dev-libs/icu-50.1.2 ?

Actually the icu-50.1.2 is fine, but I would rather see the patch in 49, 50 series have serious regressions in RTL rendering, would that be possible?

(In reply to comment #3)
> (In reply to comment #2)
> > @openoffice, it looks like there are ABI issues preventing us from
> > stabilizing =dev-libs/icu-50.1.2 ?
>
> Actually the icu-50.1.2 is fine, but I would rather see the patch in 49, 50
> series have serious regressions in RTL rendering, would that be possible?

Ok, we will backtrack to [ebuild] and wait for a patched 49 ebuild.

I guess this is A3 instead of B3

Filed stabilisation request on the new enough icu.

Is there a plan to package 51.2? Either that or removed vulnerable versions: http://site.icu-project.org/download/51

OK guys could ANYONE please state here in which icu version this bug is fixed **upstream**? Ago, you filed it, have a word!

(My guess is that this zombie issue is long fixed in all icu versions in the tree, but it would be nice to have that confirmed.)

(In reply to Andreas K. Hüttel from comment #8)
> OK guys could ANYONE please state here in which icu version this bug is
> fixed **upstream**? Ago, you filed it, have a word!
>
> (My guess is that this zombie issue is long fixed in all icu versions in the
> tree, but it would be nice to have that confirmed.)

Never mind, comment 2 and comment 3 say it's fixed in 50.1.2

Nothing to do for office here anymore

In comment #4 ankle set it to build again because people wanted it in back ported to 49 build. Looks like that action was never taken, this was stabilized as per Bug # 467452. Stabilized version was 51.1 that fixes this CVE. Current version in tree is 51.2-r1, 51.1 is not in tree anymore. Adding to Existing GLSA Draft.

This issue was resolved and addressed in GLSA 201402-14 at http://security.gentoo.org/glsa/glsa-201402-14.xml by GLSA coordinator Mikle Kolyada (Zlogene).