
Bug 539108 (CVE-2014-9654)

Summary: <dev-libs/icu-54.1-r1: unspecified overflow vulnerability in regular expression processing (CVE-2014-9654)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-02-06 14:02:34 UTC
From ${URL} :

An unspecified overflow vulnerability was fixed in ICU [1] and Chrome browser [2][3].


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2015-02-07 17:52:30 UTC
Patch added to dev-libs/icu-53.1-r3 and dev-libs/icu-54.1-r1

Unfortunately the patch looks like it breaks ABI. So I've changed the subslot in each case (53 -> 53a, 54 -> 54a).

Needs testing for a while and then a decision whether 53.1-r3 or 54.1-r1 goes stable. (54.1 was only just bumped a few days ago.)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2015-02-14 16:52:18 UTC
(In reply to Andreas K. Hüttel from comment #1)
> Needs testing for a while and then a decision whether 53.1-r3 or 54.1-r1
> goes stable. (54.1 was only just bumped a few days ago.)

Looks good, so let's go immediately for dev-libs/icu-54.1-r1

Arches please stabilize
Target: all stable arches


On amd64 and x86 this needs to be synchronized with bug 534684 (because of libreoffice-bin dependencies). This obsoletes bug 523164.
Comment 3 Agostino Sarubbo gentoo-dev 2015-02-15 14:57:45 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-02-15 14:59:36 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-16 08:48:21 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-16 10:24:04 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2015-02-17 21:11:22 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-18 08:52:58 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-18 09:18:24 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-23 11:38:36 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:47 UTC
alpha stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2015-02-25 00:19:39 UTC
All vulnerable versions removed. Office out.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-02-25 04:20:57 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-03-14 18:27:28 UTC
This issue was resolved and addressed in
 GLSA 201503-06 at
by GLSA coordinator Kristian Fiskerstrand (K_F).