
Bug 486900

Summary: dev-libs/icu: use-after-free flaw leads to denial of service (CVE-2013-2924)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: office
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1014886
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-10-03 18:57:03 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2924 to
the following vulnerability:

Name: CVE-2013-2924
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2924
Assigned: 20130411
Reference: http://bugs.icu-project.org/trac/ticket/10318
Reference: http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=275803
Reference: https://src.chromium.org/viewvc/chrome?revision=219151&view=revision

Use-after-free vulnerability in International Components for Unicode
(ICU), as used in Google Chrome before 30.0.1599.66 and other
products, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-04 11:29:32 UTC
*** Bug 486948 has been marked as a duplicate of this bug. ***
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-06 15:37:24 UTC
Reversing duplicate bug: the CVETool assignment for bug 486948 cannot be reversed. In the future, please place the CVE in the bug summary per the Vulnerability Policy [1] so it can be found.

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml

*** This bug has been marked as a duplicate of bug 486948 ***
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-06 17:08:34 UTC
(In reply to Sean Amoss from comment #2)
> Reversing duplicate bug: the CVETool assignment for bug 486948 cannot be
> reversed. In the future, please place the CVE in the bug summary per the
> Vulnerability Policy [1] so it can be found.
> 
> [1] http://www.gentoo.org/security/en/vulnerability-policy.xml
> 

The vulnerability policy also says:

- set the Alias field to the CVE identifier. In case there are multiple identifiers, use the first one.