From ${URL} :

[$5000][430353] High CVE-2014-7923: Memory corruption in ICU. Credit to yangdingning.
[$4000][422824] High CVE-2014-7926: Memory corruption in ICU. Credit to yangdingning.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
and: [$1000][433866] Medium CVE-2014-7940: Uninitialized-value in ICU. Credit to miaubiz.
CVE-2014-7923 From NIST: "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926." I.e. affects <53

CVE-2014-7926 From NIST: "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923." I.e. affects <53

CVE-2014-7940 From NIST: "The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence." I.e. affects <53

Please help kick remaining arches in bug 523164
We stabilize even newer dev-libs/54.1-r1 in bug 539108 (where this is fixed too).
All vulnerable versions removed. Office out.
GLSA for ICU already exists, adding this to the GLSA.
This issue was resolved and addressed in GLSA 201503-06 at https://security.gentoo.org/glsa/201503-06 by GLSA coordinator Kristian Fiskerstrand (K_F).