The newest Chromium browser release lists a security issue fixed in ICU:
http://googlechromereleases.blogspot.ro/2013/10/stable-channel-update.html

There doesn't seem to be any information available about the issue yet. I tried to load the Chromium SVN log to see if there's information about it there, but Firefox freezes every time I try to load that.
Whiteboard: (none) => MGA3TOO, MGA2TOO
CC: (none) => fundawang
Ubuntu has issued an advisory for this on October 15: http://www.ubuntu.com/usn/usn-1989-1/
URL: (none) => http://lwn.net/Vulnerabilities/570525/
The Ubuntu advisory also lists CVE-2013-0900, a low-severity issue fixed by Fedora back in March. I missed it because it got mixed in with Chromium CVEs. Here's the LWN reference for that one:
http://lwn.net/Vulnerabilities/542922/

CVE-2013-0900 only affects the version we have in Mageia 2. CVE-2013-2924 affects Mageia 2 and Mageia 3. Both CVEs are already fixed in the version we have in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory (Mageia 2):
========================

Updated icu packages fix security vulnerabilities:

It was discovered that ICU contained a race condition affecting multi-threaded applications. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program (CVE-2013-0900).

It was discovered that ICU incorrectly handled memory operations. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program (CVE-2013-2924).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2924
http://www.ubuntu.com/usn/usn-1989-1/
========================

Updated packages in core/updates_testing:
========================
icu-4.8.1.1-2.1.mga2
icu-doc-4.8.1.1-2.1.mga2
libicu48-4.8.1.1-2.1.mga2
libicu-devel-4.8.1.1-2.1.mga2

from icu-4.8.1.1-2.1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated icu packages fix security vulnerability:

It was discovered that ICU incorrectly handled memory operations. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program (CVE-2013-2924).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2924
http://www.ubuntu.com/usn/usn-1989-1/
========================

Updated packages in core/updates_testing:
========================
icu-50.1.2-1.1.mga3
icu-data-50.1.2-1.1.mga3
icu-doc-50.1.2-1.1.mga3
libicu50-50.1.2-1.1.mga3
libicu-devel-50.1.2-1.1.mga3

from icu-50.1.2-1.1.mga3.src.rpm
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Summary: icu new security issue CVE-2013-2924 => icu new security issues CVE-2013-0900 and CVE-2013-2924
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Severity: normal => major
What is the right way to test this package? Roelof
CC: (none) => rwobben
On MGA3 x86_64, no problem installing the package and deleting it. Roelof
The best way to test it is to run LibreOffice and play with some Unicode characters.
OK, tomorrow I will try to find out how to work with Unicode characters and test it. Roelof
I tried some Unicode from the keyboard and they all work. After that I tried with Insert - Special keys, and that was also not a problem. After that I tried with hexadecimal codes and I cannot make it work, but I think I do not know how to make this work on M3. So for me M3 x86_64 is OK. Roelof
Whiteboard: MGA2TOO => MGA2TOO M3 x86_64 ok
Whiteboard: MGA2TOO M3 x86_64 ok => MGA2TOO MGA3-64-OK
Testing complete mga2 32. No PoCs. Tested with Unicode in LibreOffice (Ctrl-Shift-U followed by 4 numbers, then release Ctrl-Shift).
Whiteboard: MGA2TOO MGA3-64-OK => MGA2TOO mga2-32-ok MGA3-64-OK
Testing complete mga2 64
Whiteboard: MGA2TOO mga2-32-ok MGA3-64-OK => MGA2TOO mga2-32-ok mga2-64-ok MGA3-64-OK
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok MGA3-64-OK => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok MGA3-64-OK
Two advisories uploaded for this one: 11362.mga2.adv and 11362.mga3.adv. Validating. Could sysadmin please push from 2 & 3 core/updates_testing to updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Mga2 update pushed: http://advisories.mageia.org/MGASA-2013-0315.html Mga3 update pushed: http://advisories.mageia.org/MGASA-2013-0316.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED