755704 – <dev-libs/icu-68.2: Multiple vulnerabilities

Bug 755704 - <dev-libs/icu-68.2: Multiple vulnerabilities

Summary: <dev-libs/icu-68.2: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://chromium-review.googlesource....
Whiteboard:	A2 [glsa+ cve]
Keywords:

Depends on:	761034 761070 761082
Blocks:
	Show dependency tree

Reported:	2020-11-20 12:14 UTC by Stephan Hartmann
Modified:	2021-05-26 08:31 UTC (History)
CC List:	0 users

See Also:	icu-68.1 qt-5.15.2-stable CVE-2020-15995, CVE-2020-16043, CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116 765169
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stephan Hartmann (RETIRED) gentoo-dev

2020-11-20 12:14:08 UTC

Chromium Devs discovered 3 security issues in =dev-libs/icu-68.1 and AFAICS we are affected by 2 of them:

Fix memory READ by ASAN in ListFormatter

https://github.com/unicode-org/icu/pull/1450
https://unicode-org.atlassian.net/browse/ICU-21383

Fix Locale::setKeywordValue bug found by fuzzer

https://github.com/unicode-org/icu/pull/1461
https://unicode-org.atlassian.net/browse/ICU-21385

Third one is for Windows only.

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2020-11-20 14:02:31 UTC

=dev-libs/icu-68.1 is still masked because of removal of public macro definitions for TRUE and FALSE which affects a couple of packages.

The question is, are older versions affected as well?

Comment 2 Andreas Sturmlechner gentoo-dev

2020-11-27 10:17:37 UTC

(In reply to Stephan Hartmann from comment #0)
> Fix memory READ by ASAN in ListFormatter
> 
> https://github.com/unicode-org/icu/pull/1450
> https://unicode-org.atlassian.net/browse/ICU-21383

This one is in icu4c, which is a different tarball, so we only need to take care of ICU-21385 as far as I can see.

Built successfully with upstream commit 96631951 applied to 68.1.

Comment 3 Stephan Hartmann (RETIRED) gentoo-dev

2020-11-27 11:00:50 UTC

(In reply to Andreas Sturmlechner from comment #2)
> (In reply to Stephan Hartmann from comment #0)
> > Fix memory READ by ASAN in ListFormatter
> > 
> > https://github.com/unicode-org/icu/pull/1450
> > https://unicode-org.atlassian.net/browse/ICU-21383
> 
> This one is in icu4c, which is a different tarball, so we only need to take
> care of ICU-21385 as far as I can see.
> 
> Built successfully with upstream commit 96631951 applied to 68.1.

Both patches are applied to icu4c and icu ebuild uses icu4c tarball.

Comment 4 Andreas Sturmlechner gentoo-dev

2020-11-27 11:48:44 UTC

right... I always get confused with how their release dir structure differs from git repo. Can't get the commit to apply over 68.1 anyway.

Comment 5 Andreas Sturmlechner gentoo-dev

2020-11-28 23:46:21 UTC

It's because their tag snapshot differs from release tarball...............

icu4c/source/i18n/formattedval_impl.h does not contain *at least* 86f00ad7 without which e7f66732 (ICU-21383) is not going to apply.

Comment 6 Larry the Git Cow gentoo-dev

2020-12-18 18:13:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3

commit c205bd27dbb1f815a1e61ecbc87bd5bfc62894c3
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-12-18 18:13:03 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-12-18 18:13:51 +0000

    dev-libs/icu: Security bump to version 68.2
    
    Bug: https://bugs.gentoo.org/755704
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/icu/Manifest        |   1 +
 dev-libs/icu/icu-68.2.ebuild | 142 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)

Comment 7 Sam James archtester

2020-12-18 18:18:02 UTC

Poly, sultan, asturm: thank you all. Please stable when ready. Let's be a little bit patient because of how fragile ICU can be...

Comment 8 Matt Turner gentoo-dev

2021-01-03 17:25:43 UTC

Is it okay if we add app-text/poppler-20.12.1 to this stabilization list to reduce the number of subslot rebuilds users will see? (See bug 763204).

Comment 9 Andreas Sturmlechner gentoo-dev

2021-01-03 17:28:42 UTC

NACK, will skip this version of poppler.

Comment 10 Sam James archtester

2021-01-04 03:39:44 UTC

Removed bug 756649 because I've stabled the 5.x variant which builds on ppc and 8.x doesn't (if any in the 8.x series).

Please CC arches for this + any other bugs you want me to do at the same time if you can, when ready. Thanks!

Comment 11 Sam James archtester

2021-01-06 23:46:25 UTC

ping

Comment 12 Sam James archtester

2021-01-09 13:41:43 UTC

arm done

Comment 13 Sam James archtester

2021-01-09 15:15:45 UTC

arm64 done

Comment 14 Sam James archtester

2021-01-09 21:16:04 UTC

x86 done

Comment 15 Sam James archtester

2021-01-09 21:17:29 UTC

ppc64 done

Comment 16 Sam James archtester

2021-01-09 21:18:34 UTC

ppc done

Comment 17 Sam James archtester

2021-01-10 09:06:09 UTC

amd64 done

Comment 18 Sam James archtester

2021-01-10 09:10:24 UTC

sparc done

Comment 19 Rolf Eike Beer archtester

2021-01-14 21:00:38 UTC

hppa stable

Comment 20 John Helmert III archtester

2021-01-14 21:11:28 UTC

Please cleanup.

Comment 21 John Helmert III archtester

2021-01-14 21:11:59 UTC

(In reply to John Helmert III (ajak) from comment #20)
> Please cleanup.

... whenever possible!

Comment 22 Andreas Sturmlechner gentoo-dev

2021-01-20 19:36:04 UTC

Cleanup done in commit 372d3cc50b556b021ccd4ba60ce27be2adaa26cc.

Comment 23 John Helmert III archtester

2021-01-21 00:42:57 UTC

Thank you!

Comment 24 Andreas Sturmlechner gentoo-dev

2021-03-13 17:35:30 UTC

ping

Comment 25 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-25 16:34:14 UTC

New GLSA request filed.

Comment 26 GLSAMaker/CVETool Bot gentoo-dev

2021-05-26 08:31:27 UTC

This issue was resolved and addressed in
 GLSA 202105-08 at https://security.gentoo.org/glsa/202105-08
by GLSA coordinator Thomas Deutschmann (whissi).