Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 486948 (CVE-2013-2924)

Summary: <dev-libs/icu-51.2-r1 : Use-after-free vulnerability (CVE-2013-2924)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Description Flags
changeset_34076.diff none

Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-04 10:54:48 UTC
CVE-2013-2924 (
  Use-after-free vulnerability in International Components for Unicode (ICU),
  as used in Google Chrome before 30.0.1599.66 and other products, allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via unknown vectors.
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-04 11:29:32 UTC

*** This bug has been marked as a duplicate of bug 486900 ***
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-06 15:37:24 UTC
*** Bug 486900 has been marked as a duplicate of this bug. ***
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-29 12:18:23 UTC
Created attachment 362224 [details, diff]

Upstream patch to address the issue. Taken from
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 17:14:28 UTC
What's the plan here? If you want to fast-stabilize a newer version I'd like to know asap, since I have to re-build libreoffice-bin because of poppler anyway.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2013-10-30 08:46:24 UTC
(In reply to Andreas K. Hüttel from comment #4)
> What's the plan here? If you want to fast-stabilize a newer version I'd like
> to know asap, since I have to re-build libreoffice-bin because of poppler
> anyway.

OK we're going with =dev-libs/icu-51.2-r1

Please do your security magic and have arches stabilize that.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2013-10-31 23:12:46 UTC
Arches please security-stabilize 


Target: all stable arches
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-01 13:02:14 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:19 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:27 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:36 UTC
x86 stable
Comment 11 Nikoli 2013-11-01 16:24:38 UTC
Current icu ebuild has wrong subslot and causes useless rebuild of libreoffice and several other packages:
Comment 12 Agostino Sarubbo gentoo-dev 2013-11-01 20:57:51 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-11-02 08:03:32 UTC
arm stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-02 16:46:14 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo gentoo-dev 2013-11-03 11:24:44 UTC
sparc stable
Comment 16 pavel sanda 2013-11-05 07:39:10 UTC
I see depency conflict with bibtexu with newly stabilized ebuild,
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-12 20:13:42 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Sergey Popov gentoo-dev 2013-11-13 09:07:37 UTC
GLSA vote: yes
Comment 19 Agostino Sarubbo gentoo-dev 2013-11-14 11:51:00 UTC
(In reply to Sergey Popov from comment #18)
> GLSA vote: yes

This is A. Please file the request or add to the existing.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2013-11-15 07:07:32 UTC
GLSA Request Filed
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2013-12-27 15:37:55 UTC
All vulnerable versions removed from the tree.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-02-10 11:16:20 UTC
This issue was resolved and addressed in
 GLSA 201402-14 at
by GLSA coordinator Mikle Kolyada (Zlogene).