Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 843731 (CVE-2022-1638) - <dev-libs/icu-71.1-r1: Heap buffer overflow in V8 Internationalization
Summary: <dev-libs/icu-71.1-r1: Heap buffer overflow in V8 Internationalization
Status: CONFIRMED
Alias: CVE-2022-1638
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: boost-1.79-stable, qt-5.15.4-stable
Blocks: CVE-2022-1633, CVE-2022-1634, CVE-2022-1635, CVE-2022-1636, CVE-2022-1637, CVE-2022-1639, CVE-2022-1640, CVE-2022-1641
  Show dependency tree
 
Reported: 2022-05-11 07:50 UTC by Stephan Hartmann (RETIRED)
Modified: 2022-06-26 06:13 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Hartmann (RETIRED) gentoo-dev 2022-05-11 07:50:11 UTC
The report comes from V8, but the fix is in ICU:
https://github.com/unicode-org/icu/pull/2070
Comment 1 Larry the Git Cow gentoo-dev 2022-05-18 11:13:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d3cad32d1310cafeeed46b374ef3120c0195ff7

commit 3d3cad32d1310cafeeed46b374ef3120c0195ff7
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-05-18 10:54:00 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-05-18 11:12:53 +0000

    dev-libs/icu: Fix CVE-2022-1638
    
    Bug: https://bugs.gentoo.org/843731
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/icu/files/icu-71.1-CVE-2022-1638.patch | 202 ++++++++++++++++++++++++
 dev-libs/icu/icu-71.1-r1.ebuild                 | 154 ++++++++++++++++++
 2 files changed, 356 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-06-19 09:13:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=443ab2fb240d54a565ff358c897191dec78ee33c

commit 443ab2fb240d54a565ff358c897191dec78ee33c
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-06-19 07:02:10 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-06-19 09:12:45 +0000

    dev-libs/icu: Cleanup vulnerable 70.1-r1
    
    Bug: https://bugs.gentoo.org/843731
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/icu/Manifest                             |   1 -
 dev-libs/icu/files/icu-70.1-fix-ucptrietest.patch |  38 ------
 dev-libs/icu/icu-70.1-r1.ebuild                   | 146 ----------------------
 3 files changed, 185 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2022-06-19 09:16:36 UTC
Cleanup done, office proj out.