Summary: | <dev-libs/icu-68.2: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stephan Hartmann (RETIRED) <sultan> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://chromium-review.googlesource.com/c/chromium/src/+/2536432 | ||
See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=751919 https://bugs.gentoo.org/show_bug.cgi?id=754852 https://bugs.gentoo.org/show_bug.cgi?id=764251 https://bugs.gentoo.org/show_bug.cgi?id=765169 |
||
Whiteboard: | A2 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 761034, 761070, 761082 | ||
Bug Blocks: |
Description
Stephan Hartmann (RETIRED)
2020-11-20 12:14:08 UTC
=dev-libs/icu-68.1 is still masked because of removal of public macro definitions for TRUE and FALSE which affects a couple of packages. The question is, are older versions affected as well? (In reply to Stephan Hartmann from comment #0) > Fix memory READ by ASAN in ListFormatter > > https://github.com/unicode-org/icu/pull/1450 > https://unicode-org.atlassian.net/browse/ICU-21383 This one is in icu4c, which is a different tarball, so we only need to take care of ICU-21385 as far as I can see. Built successfully with upstream commit 96631951 applied to 68.1. (In reply to Andreas Sturmlechner from comment #2) > (In reply to Stephan Hartmann from comment #0) > > Fix memory READ by ASAN in ListFormatter > > > > https://github.com/unicode-org/icu/pull/1450 > > https://unicode-org.atlassian.net/browse/ICU-21383 > > This one is in icu4c, which is a different tarball, so we only need to take > care of ICU-21385 as far as I can see. > > Built successfully with upstream commit 96631951 applied to 68.1. Both patches are applied to icu4c and icu ebuild uses icu4c tarball. right... I always get confused with how their release dir structure differs from git repo. Can't get the commit to apply over 68.1 anyway. It's because their tag snapshot differs from release tarball............... icu4c/source/i18n/formattedval_impl.h does not contain *at least* 86f00ad7 without which e7f66732 (ICU-21383) is not going to apply. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3 commit c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3 Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2020-12-18 18:13:03 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2020-12-18 18:13:51 +0000 dev-libs/icu: Security bump to version 68.2 Bug: https://bugs.gentoo.org/755704 Package-Manager: Portage-3.0.12, Repoman-3.0.2 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> dev-libs/icu/Manifest | 1 + dev-libs/icu/icu-68.2.ebuild | 142 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 143 insertions(+) Poly, sultan, asturm: thank you all. Please stable when ready. Let's be a little bit patient because of how fragile ICU can be... Is it okay if we add app-text/poppler-20.12.1 to this stabilization list to reduce the number of subslot rebuilds users will see? (See bug 763204). NACK, will skip this version of poppler. Removed bug 756649 because I've stabled the 5.x variant which builds on ppc and 8.x doesn't (if any in the 8.x series). Please CC arches for this + any other bugs you want me to do at the same time if you can, when ready. Thanks! ping arm done arm64 done x86 done ppc64 done ppc done amd64 done sparc done hppa stable Please cleanup. (In reply to John Helmert III (ajak) from comment #20) > Please cleanup. ... whenever possible! Cleanup done in commit 372d3cc50b556b021ccd4ba60ce27be2adaa26cc. Thank you! ping New GLSA request filed. This issue was resolved and addressed in GLSA 202105-08 at https://security.gentoo.org/glsa/202105-08 by GLSA coordinator Thomas Deutschmann (whissi). |