Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 755704 - <dev-libs/icu-68.2: Multiple vulnerabilities
Summary: <dev-libs/icu-68.2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://chromium-review.googlesource....
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on: 761034 761070 761082
Blocks:
  Show dependency tree
 
Reported: 2020-11-20 12:14 UTC by Stephan Hartmann
Modified: 2021-05-26 08:31 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Hartmann gentoo-dev 2020-11-20 12:14:08 UTC
Chromium Devs discovered 3 security issues in =dev-libs/icu-68.1 and AFAICS we are affected by 2 of them:

Fix memory READ by ASAN in ListFormatter

https://github.com/unicode-org/icu/pull/1450
https://unicode-org.atlassian.net/browse/ICU-21383

Fix Locale::setKeywordValue bug found by fuzzer

https://github.com/unicode-org/icu/pull/1461
https://unicode-org.atlassian.net/browse/ICU-21385

Third one is for Windows only.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2020-11-20 14:02:31 UTC
=dev-libs/icu-68.1 is still masked because of removal of public macro definitions for TRUE and FALSE which affects a couple of packages.

The question is, are older versions affected as well?
Comment 2 Andreas Sturmlechner gentoo-dev 2020-11-27 10:17:37 UTC
(In reply to Stephan Hartmann from comment #0)
> Fix memory READ by ASAN in ListFormatter
> 
> https://github.com/unicode-org/icu/pull/1450
> https://unicode-org.atlassian.net/browse/ICU-21383

This one is in icu4c, which is a different tarball, so we only need to take care of ICU-21385 as far as I can see.

Built successfully with upstream commit 96631951 applied to 68.1.
Comment 3 Stephan Hartmann gentoo-dev 2020-11-27 11:00:50 UTC
(In reply to Andreas Sturmlechner from comment #2)
> (In reply to Stephan Hartmann from comment #0)
> > Fix memory READ by ASAN in ListFormatter
> > 
> > https://github.com/unicode-org/icu/pull/1450
> > https://unicode-org.atlassian.net/browse/ICU-21383
> 
> This one is in icu4c, which is a different tarball, so we only need to take
> care of ICU-21385 as far as I can see.
> 
> Built successfully with upstream commit 96631951 applied to 68.1.

Both patches are applied to icu4c and icu ebuild uses icu4c tarball.
Comment 4 Andreas Sturmlechner gentoo-dev 2020-11-27 11:48:44 UTC
right... I always get confused with how their release dir structure differs from git repo. Can't get the commit to apply over 68.1 anyway.
Comment 5 Andreas Sturmlechner gentoo-dev 2020-11-28 23:46:21 UTC
It's because their tag snapshot differs from release tarball...............

icu4c/source/i18n/formattedval_impl.h does not contain *at least* 86f00ad7 without which e7f66732 (ICU-21383) is not going to apply.
Comment 6 Larry the Git Cow gentoo-dev 2020-12-18 18:13:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3

commit c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-12-18 18:13:03 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-12-18 18:13:51 +0000

    dev-libs/icu: Security bump to version 68.2
    
    Bug: https://bugs.gentoo.org/755704
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/icu/Manifest        |   1 +
 dev-libs/icu/icu-68.2.ebuild | 142 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2020-12-18 18:18:02 UTC
Poly, sultan, asturm: thank you all. Please stable when ready. Let's be a little bit patient because of how fragile ICU can be...
Comment 8 Matt Turner gentoo-dev 2021-01-03 17:25:43 UTC
Is it okay if we add app-text/poppler-20.12.1 to this stabilization list to reduce the number of subslot rebuilds users will see? (See bug 763204).
Comment 9 Andreas Sturmlechner gentoo-dev 2021-01-03 17:28:42 UTC
NACK, will skip this version of poppler.
Comment 10 Sam James archtester gentoo-dev Security 2021-01-04 03:39:44 UTC
Removed bug 756649 because I've stabled the 5.x variant which builds on ppc and 8.x doesn't (if any in the 8.x series).

Please CC arches for this + any other bugs you want me to do at the same time if you can, when ready. Thanks!
Comment 11 Sam James archtester gentoo-dev Security 2021-01-06 23:46:25 UTC
ping
Comment 12 Sam James archtester gentoo-dev Security 2021-01-09 13:41:43 UTC
arm done
Comment 13 Sam James archtester gentoo-dev Security 2021-01-09 15:15:45 UTC
arm64 done
Comment 14 Sam James archtester gentoo-dev Security 2021-01-09 21:16:04 UTC
x86 done
Comment 15 Sam James archtester gentoo-dev Security 2021-01-09 21:17:29 UTC
ppc64 done
Comment 16 Sam James archtester gentoo-dev Security 2021-01-09 21:18:34 UTC
ppc done
Comment 17 Sam James archtester gentoo-dev Security 2021-01-10 09:06:09 UTC
amd64 done
Comment 18 Sam James archtester gentoo-dev Security 2021-01-10 09:10:24 UTC
sparc done
Comment 19 Rolf Eike Beer archtester 2021-01-14 21:00:38 UTC
hppa stable
Comment 20 John Helmert III gentoo-dev Security 2021-01-14 21:11:28 UTC
Please cleanup.
Comment 21 John Helmert III gentoo-dev Security 2021-01-14 21:11:59 UTC
(In reply to John Helmert III (ajak) from comment #20)
> Please cleanup.

... whenever possible!
Comment 22 Andreas Sturmlechner gentoo-dev 2021-01-20 19:36:04 UTC
Cleanup done in commit 372d3cc50b556b021ccd4ba60ce27be2adaa26cc.
Comment 23 John Helmert III gentoo-dev Security 2021-01-21 00:42:57 UTC
Thank you!
Comment 24 Andreas Sturmlechner gentoo-dev 2021-03-13 17:35:30 UTC
ping
Comment 25 Thomas Deutschmann gentoo-dev Security 2021-05-25 16:34:14 UTC
New GLSA request filed.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:31:27 UTC
This issue was resolved and addressed in
 GLSA 202105-08 at https://security.gentoo.org/glsa/202105-08
by GLSA coordinator Thomas Deutschmann (whissi).