Google has released Chrome version 91.0.4472.77 on May 25: https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html It fixes a security issue in ICU, which is fixed upstream in 69.1. Nicolas tracked down details on the issue: https://bugs.mageia.org/show_bug.cgi?id=28732#c31 "Regarding CVE-2021-30535 in icu, according to https://security-tracker.debian.org/tracker/CVE-2021-30535, the fix is this commit: https://github.com/unicode-org/icu/pull/1698/commits/e450fa50fc242282551f56b941dc93b9a8a0bcbb [...] dates from April 13, 2021. Debian added the patch locid_operators.patch to fix their version 67.1. Version 68.2, from December 17, 2020 is also vulnerable."
Status comment: (none) => Fixed upstream in 69.1
Nobody maintains so many packages :-(
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
Suggested advisory: ======================== The updated packages fix a security vulnerability: Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30535) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30535 https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html ======================== Updated packages in core/updates_testing: ======================== icu-68.2-1.1.mga8 icu68-data-68.2-1.1.mga8 icu-doc-68.2-1.1.mga8 lib(64)icu68-68.2-1.1.mga8 lib(64)icu-devel-68.2-1.1.mga8 from SRPM: icu-68.2-1.1.mga8.src.rpm
Status comment: Fixed upstream in 69.1 => (none)CVE: (none) => CVE-2021-30535Assignee: pkg-bugs => qa-bugsCC: (none) => nicolas.salgueroStatus: NEW => ASSIGNED
MGA8-64 Plasme on Lenovo B50 When selecting lib64icu68-68.2-1.1.mga8 for installation in MCC, I get a long list of packages to be removed lib64dbusmenu-qt5-devel-0.9.3-1.20160218.4.mga8.x86_64 (because of missing devel(libQt5Core(64bit)), because of missing devel (libQt5DBus(64bit)), because of missing devel(libQt5Gui(64bit)), because of missing devel(libQt5Widgets(64bit))) lib64gtk+2.0-devel-2.24.33-1.mga8.x86_64 (because of missing devell(libpangocairo-1.0(64bit)), because of missing e pkgconfig(pangocairo), because of missing pkgconfig(pango), because of missing pkgconfig(pangoft2), because of missing devel(libpango-1.0(64bit))) lib64harfbuzz-devel-2.7.4-1.mga8.x86_64 etc......
CC: (none) => herman.viaene
mga8, x64 CVE-2021-30535 https://bugs.chromium.org/p/chromium/issues/detail?id=1194899 The reproducer is not well specified - it looks like a snippet of C++ - so we shall skip that. Five packages updated cleanly. Looking at an older bug for testing information. $ icuinfo <icuSystemParams type="icu4c"> .... </icuSystemParams> ICU Initialization returned: U_ZERO_ERROR Plugins are disabled. $ uconv --list UTF-8 ibm-1208 ibm-1209 ibm-5304 ibm-5305 ibm-13496 ibm-13497 ibm-17592 ibm-17593 windows-65001 cp1208 x-UTF_8J unicode-1-1-utf-8 unicode-2-0-utf-8 UTF-16 ISO-10646-UCS-2 ibm-1204 ibm-1205 unicode csUnicode ucs-2 .... $ uconv --default-code UTF-8 Apply SJIS encoding to a piece of text: $ uconv -f UTF-8 -t SJIS -o sjis.txt jabberwocky $ diff jabberwocky sjis.txt $ $ uconv -f SJIS -t ISO-8859-1 -o iso.txt sjis.txt No differences between the three files. $ cat part2 π = 3.14159 or thereabouts $ uconv -f UTF-8 -t SJIS -o part3 part2 $ cat part3 �� = 3.14159 or thereabouts $ file part3 part3: Non-ISO extended-ASCII text $ uconv -f UTF-8 -t ISO-8859-1 -o part4 part2 Conversion from Unicode to codepage failed at input byte position 0. Unicode: 03c0 Error: Invalid character found The pi character cannot be handled at all by iso-8859-1. sjis transforms it to an unprintable character. $ od -x part2 0000000 80cf 3d20 3320 312e 3134 3935 6f20 2072 0000020 6874 7265 6165 6f62 7475 0a73 0000034 $ od -x part3 0000000 ce83 3d20 3320 312e 3134 3935 6f20 2072 0000020 6874 7265 6165 6f62 7475 0a73 0000034 π is the first two bytes of the dump. $ uconv -f UTF-8 -t IBM-1047 -o ibm.txt jabberwocky $ cat ibm.txt %㦁�@�������@���@���@������@�����%ĉ�@����@���@���@������@��@���@����K%���@�����@����@���@���������%���@���@����@�����@��������K%% $ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt lcl@difda:icu $ cat usa.txt Twas brillig and the slithy toves ...... `urpmq --whatrequires` shows that lib64icu68 is required by a host of packages. It is not apparent how to persuade any of those to actually use icu or even to know what functions exercise it so that had better be left alone. However :- $ strace -o firefox.trace firefox part3 $ grep icu firefox.trace openat(AT_FDCWD, "/lib64/libicui18n.so.68", O_RDONLY|O_CLOEXEC) = 4 openat(AT_FDCWD, "/lib64/libicuuc.so.68", O_RDONLY|O_CLOEXEC) = 4 openat(AT_FDCWD, "/lib64/libicudata.so.68", O_RDONLY|O_CLOEXEC) = 4 getcwd("/home/lcl/qa/icu", 4096) = 17 This showed a page with the line: "ƒÎ = 3.14159 or thereabouts" Maybe somebody should try it with Chromium. That is the best we can do. Enough for an OK.
CC: (none) => tarazed25Whiteboard: (none) => MGA8-64-OK
Sorry Herman, mid-air collision. I did not have any difficulties with the installation - installed the five packages and then updated them via qarepo and MageiaUpdate.
I did not select the devel package for icu. Why not installing a devel package would raise the need to remove others is beyond me. Anyway, continouing installation works without further problems. The QA procedure in the wiki specifies to run openttd. I installed tht, and it is some kind of game. My lack of feeling for and experience of such games, made me wander around the graphis and menus and delete a few buildings. As a test this could be sufficient, but I'm not happy with the installation.
Uninstalling devel packages when the corresponding version of the package they are used to compile is being removed is normal, and should be allowed during the testing. People who are not compiling programs themselves will not normally have the devel packages installed.
CC: (none) => davidwhodgins
Looks good, then. Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0455.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
Ubuntu has issued an advisory for this today (November 24): https://ubuntu.com/security/notices/USN-5156-1