Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 539108 (CVE-2014-9654)

Summary: <dev-libs/icu-54.1-r1: unspecified overflow vulnerability in regular expression processing (CVE-2014-9654)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1190129
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-02-06 14:02:34 UTC 
From ${URL} :

An unspecified overlow vulnerability was fixed in ICU [1] and Chrome browser [2][3].

[1]: http://bugs.icu-project.org/trac/changeset/36801
[2]: https://code.google.com/p/chromium/issues/detail?id=432209
[3]: https://chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2015-02-07 17:52:30 UTC 
Patch added to dev-libs/icu-53.1-r3 and dev-libs/icu-54.1-r1

Unfortunately the patch looks like it breaks ABI. So I've changed the subslot in each case (53 -> 53a, 54 -> 54a).

Needs testing for a while and then a decision whether 53.1-r3 or 54.1-r1 goes stable. (54.1 was only just bumped a few days ago.)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2015-02-14 16:52:18 UTC 
(In reply to Andreas K. Hüttel from comment #1)
> Needs testing for a while and then a decision whether 53.1-r3 or 54.1-r1
> goes stable. (54.1 was only just bumped a few days ago.)

Looks good, so let's go immediately for dev-libs/icu-54.1-r1

Arches please stabilize
Target: all stable arches

=dev-libs/icu-54.1-r1

On amd64 and x86 this needs to be synchronized with bug 534684 (because of libreoffice-bin dependencies). This obsoletes bug 523164.
Comment 3 Agostino Sarubbo gentoo-dev 2015-02-15 14:57:45 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-02-15 14:59:36 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-16 08:48:21 UTC 
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-16 10:24:04 UTC 
sparc stable
Comment 7 Markus Meier gentoo-dev 2015-02-17 21:11:22 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-18 08:52:58 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-18 09:18:24 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-23 11:38:36 UTC 
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:47 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2015-02-25 00:19:39 UTC 
All vulnerable versions removed. Office out.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-02-25 04:20:57 UTC 
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-03-14 18:27:28 UTC 
This issue was resolved and addressed in
 GLSA 201503-06 at https://security.gentoo.org/glsa/201503-06
by GLSA coordinator Kristian Fiskerstrand (K_F).