Google has issued an advisory on December 6:
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html

It includes a fix for a security issue in ICU.
Whiteboard: (none) => MGA5TOO
Assigning to the registered icu maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Upstream commit to fix this:
https://ssl.icu-project.org/trac/changeset/40654

Added in Chromium source as:
chromium-63.0.3239.108/third_party/icu/patches/persian_cal.patch

Advisory:
========================

Updated icu packages fix security vulnerability:

Integer overflow in ICU in the Persian calendar (CVE-2017-15422).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15422
https://ssl.icu-project.org/trac/changeset/40654
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
========================

Updated packages in core/updates_testing:
========================
icu-53.1-12.9.mga5
icu53-data-53.1-12.9.mga5
icu-doc-53.1-12.9.mga5
libicu53-53.1-12.9.mga5
libicu-devel-53.1-12.9.mga5
icu-58.2-3.2.mga6
icu58-data-58.2-3.2.mga6
icu-doc-58.2-3.2.mga6
libicu58-58.2-3.2.mga6
libicu-devel-58.2-3.2.mga6

from SRPMS:
icu-53.1-12.9.mga5.src.rpm
icu-58.2-3.2.mga6.src.rpm
Assignee: shlomif => qa-bugs
Testing M5/64

The CVE leads nowhere useful.
Test reference: https://bugs.mageia.org/show_bug.cgi?id=21929#c5

Updated to:
icu-53.1-12.9.mga5
icu53-data-53.1-12.9.mga5
lib64icu-devel-53.1-12.9.mga5
lib64icu53-53.1-12.9.mga5

Of the many programs provided by icu, none have man pages, but -h provides usage info - not always saying what the command does, including for 'uconv' which seems to be the main one! Important options:
 -l, --list              list all available encodings
 -f, --from-code code    set the original encoding
 -t, --to-code code      set the destination encoding
 -o, --output file       write output to file

I created a pure text file, and another containing French & Welsh accented characters.

$ icuinfo
<icuSystemParams type="icu4c">
...
</icuSystemParams>
ICU Initialization returned: U_ZERO_ERROR
Plugin file is: /usr/lib64/icu/icuplugins53.txt

$ uconv -l
shows a very long list of code lines which often contain many codenames; are these synonyms for the first cited? It seems so, because
$ uconv --list-code <one of the synonyms>
returns the first codename in the line.

$ uconv --default-code
UTF-8

Pure unaccented text -> SJIS conversion:
$ uconv -f UTF-8 -t SJIS -o sjis.txt simpletext.txt
$ cmp simpletext.txt sjis.txt
Identical files.

Convert back to ISO:
$ uconv -f SJIS -t ISO-8859-1 -o iso.txt sjis.txt
$ cmp simpletext.txt iso.txt
Identical files, i.e. original-converted-reconverted.

Accented characters:
$ cat accents.txt
é è ç à ù ê ô û ï î ŵ ŷ
$ uconv -f UTF-8 -t ISO-8859-1 -o iso.txt accents.txt
Conversion from Unicode to codepage failed at input byte position 30. Unicode: 0175 Error: Invalid character found

Try again.
$ uconv -f ISO-8859-1 -t UTF-8 -o iso.txt accents.txt
$ cat iso.txt
é è ç à ù ê ô û ï î ŵ Å·
$ uconv -f ISO-8859-1 -t SJIS -o sjis.txt accents.txt
Conversion from Unicode to codepage failed at input byte position 0. Unicode: 00c3 Error: Invalid character found
I imagine this means that the output code page did not have é.
ISO-> UTF & back:
$ uconv -f ISO-8859-1 -t UTF-8 -o iso.txt accents.txt
$ cat iso.txt
é è ç à ù ê ô û ï î ŵ Å·
$ uconv -f UTF-8 -t ISO-8859-1 -o back.txt iso.txt
$ cat back.txt
é è ç à ù ê ô û ï î ŵ ŷ
$ cmp accents.txt back.txt
[Identical]

Simple text to/from different codes:
$ uconv -f UTF-8 -t IBM-1047 -o ibm.txt simpletext.txt
$ file ibm.txt
ibm.txt: Non-ISO extended-ASCII text, with NEL line terminators
$ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt
$ file usa.txt
usa.txt: ASCII text
$ cmp simpletext.txt usa.txt
[identical]

Play with accents:
$ uconv -f ISO-8859-1 -t IBM-1047 -o ibm.txt accents.txt
$ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt
Conversion from Unicode to codepage failed at input byte position 0. Unicode: 00c3 Error: Invalid character found

Try again
$ uconv -f IBM-1047 -t UTF-8 -o utf.txt ibm.txt

Enough of this, my head spins. OKing.
Keywords: (none) => advisory
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => lewyssmith
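
Added example, not part of the original bug report: a Python sketch that uses Python's own codecs rather than ICU to show how the byte position and code point in the uconv errors quoted in the test above follow from the encoding declared with -f. The function names are hypothetical, and the sample string is constructed from the accents.txt line shown in the test, assumed to be saved as UTF-8.

```python
# Constructed sample: the accents.txt line from the test, assumed saved as UTF-8.
ACCENTS = "é è ç à ù ê ô û ï î ŵ ŷ\n"
UTF8_BYTES = ACCENTS.encode("utf-8")


def first_unmappable(data: bytes, declared: str, target: str):
    """Decode `data` as `declared` (uconv -f), then find the first character
    that `target` (uconv -t) cannot represent.

    Returns (input byte offset, code point in hex), mirroring the fields of
    the uconv error message, or None when every character converts.
    """
    text = data.decode(declared)
    offset = 0
    for ch in text:
        try:
            ch.encode(target)
        except UnicodeEncodeError:
            return offset, f"{ord(ch):04x}"
        # Advance by the number of input bytes this character occupied.
        offset += len(ch.encode(declared))
    return None


def round_trip(data: bytes, wrong: str = "iso-8859-1") -> bytes:
    """Mis-declare UTF-8 input as `wrong`, convert to UTF-8, then convert back.

    The intermediate file is double-encoded (each high byte becomes two),
    but the reverse step undoes it exactly, so the result equals the input.
    """
    double_encoded = data.decode(wrong).encode("utf-8")
    return double_encoded.decode("utf-8").encode(wrong)


if __name__ == "__main__":
    # -f UTF-8 -t ISO-8859-1: Welsh w-circumflex (U+0175) is not in Latin-1.
    print(first_unmappable(UTF8_BYTES, "utf-8", "iso-8859-1"))
    # -f ISO-8859-1 -t SJIS: the first UTF-8 byte 0xC3 is read as U+00C3.
    print(first_unmappable(UTF8_BYTES, "iso-8859-1", "shift_jis"))
    # ISO -> UTF -> ISO with the wrong -f still yields an identical file.
    print(round_trip(UTF8_BYTES) == UTF8_BYTES)
```

With the input declared as UTF-8, the first failure is the eleventh character at byte 30; with the same bytes declared as ISO-8859-1, the failure is at byte 0 because 0xC3, the lead byte of the UTF-8 sequence for é, is taken as the single character U+00C3.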
To prioritise.
CC: lewyssmith => (none)
installed updates and ran some tests of uconv

works as designed

uconv -f UTF-8 -t UTF32_PlatformEndian -o b1.txt brian.txt
created a 64 byte file from a 16 byte file

uconv -f UTF32_PlatformEndian -t UTF-8 -o b2.txt b1.txt
created a 16 byte file from 64 byte file and it views properly

Working as designed from this simple test.

$ uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK mga6-64-ok
CC: (none) => brtians1
Thank you Brian for the Mageia 6 OK. Validating.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0484.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED