|Summary:||<dev-libs/icu-68.2: Multiple vulnerabilities|
|Product:||Gentoo Security||Reporter:||Stephan Hartmann <sultan>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||A2 [glsa+ cve]|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||761034, 761070, 761082|
Description Stephan Hartmann 2020-11-20 12:14:08 UTC
Chromium Devs discovered 3 security issues in =dev-libs/icu-68.1 and AFAICS we are affected by 2 of them:

Fix memory READ by ASAN in ListFormatter
https://github.com/unicode-org/icu/pull/1450
https://unicode-org.atlassian.net/browse/ICU-21383

Fix Locale::setKeywordValue bug found by fuzzer
https://github.com/unicode-org/icu/pull/1461
https://unicode-org.atlassian.net/browse/ICU-21385

Third one is for Windows only.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) 2020-11-20 14:02:31 UTC
=dev-libs/icu-68.1 is still masked because of removal of public macro definitions for TRUE and FALSE which affects a couple of packages. The question is, are older versions affected as well?
Comment 2 Andreas Sturmlechner 2020-11-27 10:17:37 UTC
(In reply to Stephan Hartmann from comment #0)
> Fix memory READ by ASAN in ListFormatter
>
> https://github.com/unicode-org/icu/pull/1450
> https://unicode-org.atlassian.net/browse/ICU-21383

This one is in icu4c, which is a different tarball, so we only need to take care of ICU-21385 as far as I can see.

Built successfully with upstream commit 96631951 applied to 68.1.
Comment 3 Stephan Hartmann 2020-11-27 11:00:50 UTC
(In reply to Andreas Sturmlechner from comment #2)
> (In reply to Stephan Hartmann from comment #0)
> > Fix memory READ by ASAN in ListFormatter
> >
> > https://github.com/unicode-org/icu/pull/1450
> > https://unicode-org.atlassian.net/browse/ICU-21383
>
> This one is in icu4c, which is a different tarball, so we only need to take
> care of ICU-21385 as far as I can see.
>
> Built successfully with upstream commit 96631951 applied to 68.1.

Both patches are applied to icu4c and icu ebuild uses icu4c tarball.
Comment 4 Andreas Sturmlechner 2020-11-27 11:48:44 UTC
right... I always get confused with how their release dir structure differs from git repo. Can't get the commit to apply over 68.1 anyway.
Comment 5 Andreas Sturmlechner 2020-11-28 23:46:21 UTC
It's because their tag snapshot differs from release tarball............... icu4c/source/i18n/formattedval_impl.h does not contain *at least* 86f00ad7 without which e7f66732 (ICU-21383) is not going to apply.
Comment 6 Larry the Git Cow 2020-12-18 18:13:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3

commit c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3
Author: Lars Wendler <email@example.com>
AuthorDate: 2020-12-18 18:13:03 +0000
Commit: Lars Wendler <firstname.lastname@example.org>
CommitDate: 2020-12-18 18:13:51 +0000

    dev-libs/icu: Security bump to version 68.2

    Bug: https://bugs.gentoo.org/755704
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Lars Wendler <email@example.com>

 dev-libs/icu/Manifest | 1 +
 dev-libs/icu/icu-68.2.ebuild | 142 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)
Comment 7 Sam James 2020-12-18 18:18:02 UTC
Poly, sultan, asturm: thank you all. Please stable when ready. Let's be a little bit patient because of how fragile ICU can be...
Comment 8 Matt Turner 2021-01-03 17:25:43 UTC
Is it okay if we add app-text/poppler-20.12.1 to this stabilization list to reduce the number of subslot rebuilds users will see? (See bug 763204).
Comment 9 Andreas Sturmlechner 2021-01-03 17:28:42 UTC
NACK, will skip this version of poppler.
Comment 10 Sam James 2021-01-04 03:39:44 UTC
Removed bug 756649 because I've stabled the 5.x variant which builds on ppc and 8.x doesn't (if any in the 8.x series). Please CC arches for this + any other bugs you want me to do at the same time if you can, when ready. Thanks!
Comment 11 Sam James 2021-01-06 23:46:25 UTC
Comment 12 Sam James 2021-01-09 13:41:43 UTC
Comment 13 Sam James 2021-01-09 15:15:45 UTC
Comment 14 Sam James 2021-01-09 21:16:04 UTC
Comment 15 Sam James 2021-01-09 21:17:29 UTC
Comment 16 Sam James 2021-01-09 21:18:34 UTC
Comment 17 Sam James 2021-01-10 09:06:09 UTC
Comment 18 Sam James 2021-01-10 09:10:24 UTC
Comment 19 Rolf Eike Beer 2021-01-14 21:00:38 UTC
Comment 20 John Helmert III 2021-01-14 21:11:28 UTC
Comment 21 John Helmert III 2021-01-14 21:11:59 UTC
(In reply to John Helmert III (ajak) from comment #20)
> Please cleanup.

... whenever possible!
Comment 22 Andreas Sturmlechner 2021-01-20 19:36:04 UTC
Cleanup done in commit 372d3cc50b556b021ccd4ba60ce27be2adaa26cc.
Comment 23 John Helmert III 2021-01-21 00:42:57 UTC
Comment 24 Andreas Sturmlechner 2021-03-13 17:35:30 UTC
Comment 25 Thomas Deutschmann 2021-05-25 16:34:14 UTC
New GLSA request filed.