Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 486948 (CVE-2013-2924) - <dev-libs/icu-51.2-r1 : Use-after-free vulnerability (CVE-2013-2924)
Summary: <dev-libs/icu-51.2-r1 : Use-after-free vulnerability (CVE-2013-2924)
Status: RESOLVED FIXED
Alias: CVE-2013-2924
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
: 486900 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-10-04 10:54 UTC by GLSAMaker/CVETool Bot
Modified: 2014-02-10 11:16 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
changeset_34076.diff (changeset_34076.diff,1.41 KB, patch)
2013-10-29 12:18 UTC, Chí-Thanh Christopher Nguyễn
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-04 10:54:48 UTC
CVE-2013-2924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2924):
  Use-after-free vulnerability in International Components for Unicode (ICU),
  as used in Google Chrome before 30.0.1599.66 and other products, allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via unknown vectors.
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-04 11:29:32 UTC

*** This bug has been marked as a duplicate of bug 486900 ***
Comment 2 Sean Amoss gentoo-dev Security 2013-10-06 15:37:24 UTC
*** Bug 486900 has been marked as a duplicate of this bug. ***
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-29 12:18:23 UTC
Created attachment 362224 [details, diff]
changeset_34076.diff

Upstream patch to address the issue. Taken from

http://bugs.icu-project.org/trac/changeset/34076
Comment 4 Andreas K. Hüttel gentoo-dev 2013-10-29 17:14:28 UTC
What's the plan here? If you want to fast-stabilize a newer version I'd like to know asap, since I have to re-build libreoffice-bin because of poppler anyway.
Comment 5 Andreas K. Hüttel gentoo-dev 2013-10-30 08:46:24 UTC
(In reply to Andreas K. Hüttel from comment #4)
> What's the plan here? If you want to fast-stabilize a newer version I'd like
> to know asap, since I have to re-build libreoffice-bin because of poppler
> anyway.

OK we're going with =dev-libs/icu-51.2-r1

Please do your security magic and have arches stabilize that.
Comment 6 Andreas K. Hüttel gentoo-dev 2013-10-31 23:12:46 UTC
Arches please security-stabilize 

=dev-libs/icu-51.2-r1

Target: all stable arches
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-01 13:02:14 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:19 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:27 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-11-01 13:04:36 UTC
x86 stable
Comment 11 Nikoli 2013-11-01 16:24:38 UTC
Current icu ebuild has wrong subslot and causes useless rebuild of libreoffice and several other packages:
https://bugs.gentoo.org/show_bug.cgi?id=464876#c2
Comment 12 Agostino Sarubbo gentoo-dev 2013-11-01 20:57:51 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-11-02 08:03:32 UTC
arm stable
Comment 14 Jeroen Roovers gentoo-dev 2013-11-02 16:46:14 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo gentoo-dev 2013-11-03 11:24:44 UTC
sparc stable
Comment 16 pavel sanda 2013-11-05 07:39:10 UTC
I see depency conflict with bibtexu with newly stabilized ebuild, https://bugs.gentoo.org/show_bug.cgi?id=490459
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-12 20:13:42 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Sergey Popov gentoo-dev 2013-11-13 09:07:37 UTC
GLSA vote: yes
Comment 19 Agostino Sarubbo gentoo-dev 2013-11-14 11:51:00 UTC
(In reply to Sergey Popov from comment #18)
> GLSA vote: yes

This is A. Please file the request or add to the existing.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2013-11-15 07:07:32 UTC
GLSA Request Filed
Comment 21 Andreas K. Hüttel gentoo-dev 2013-12-27 15:37:55 UTC
All vulnerable versions removed from the tree.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-02-10 11:16:20 UTC
This issue was resolved and addressed in
 GLSA 201402-14 at http://security.gentoo.org/glsa/glsa-201402-14.xml
by GLSA coordinator Mikle Kolyada (Zlogene).