Bug 29491 - icu new security issue CVE-2021-30535
Summary: icu new security issue CVE-2021-30535
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2021-09-25 23:08 CEST by David Walser
Modified: 2021-11-25 01:10 CET (History)
7 users (show)

See Also:
Source RPM: icu-68.2-1.mga8.src.rpm
CVE: CVE-2021-30535
Status comment:


Description David Walser 2021-09-25 23:08:42 CEST
Google has released Chrome version 91.0.4472.77 on May 25:

It fixes a security issue in ICU, which is fixed upstream in 69.1.

Nicolas tracked down details on the issue:

"Regarding CVE-2021-30535 in icu, according to https://security-tracker.debian.org/tracker/CVE-2021-30535, the fix is this commit: https://github.com/unicode-org/icu/pull/1698/commits/e450fa50fc242282551f56b941dc93b9a8a0bcbb
dates from April 13, 2021.  Debian added the patch locid_operators.patch to fix their version 67.1.

Version 68.2, from December 17, 2020 is also vulnerable."
David Walser 2021-09-25 23:08:58 CEST

Status comment: (none) => Fixed upstream in 69.1

Comment 1 Marja Van Waes 2021-09-25 23:37:38 CEST
Nobody maintains so many packages :-(

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2021-09-27 10:49:09 CEST
Suggested advisory:

The updated packages fix a security vulnerability:

Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30535)


Updated packages in core/updates_testing:

from SRPM:

Status comment: Fixed upstream in 69.1 => (none)
CVE: (none) => CVE-2021-30535
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Comment 3 Herman Viaene 2021-09-28 15:46:12 CEST
MGA8-64 Plasme on Lenovo B50
When selecting lib64icu68-68.2-1.1.mga8 for installation in MCC, I get a long list of packages to be removed
 (because of missing devel(libQt5Core(64bit)),
  because of missing devel (libQt5DBus(64bit)),
  because of missing devel(libQt5Gui(64bit)),
  because of missing devel(libQt5Widgets(64bit)))
 (because of missing devell(libpangocairo-1.0(64bit)),
  because of missing e pkgconfig(pangocairo),
  because of missing  pkgconfig(pango),
  because of missing  pkgconfig(pangoft2),
  because of missing devel(libpango-1.0(64bit)))

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2021-09-28 16:02:38 CEST
mga8, x64

The reproducer is not well specified - it looks like a snippet of C++ - so we shall skip that.

Five packages updated cleanly.
Looking at an older bug for testing information.
$ icuinfo
 <icuSystemParams type="icu4c">
ICU Initialization returned: U_ZERO_ERROR
Plugins are disabled.
$ uconv --list
UTF-8 ibm-1208 ibm-1209 ibm-5304 ibm-5305 ibm-13496 ibm-13497 ibm-17592 ibm-17593 windows-65001 cp1208 x-UTF_8J unicode-1-1-utf-8 unicode-2-0-utf-8 
UTF-16 ISO-10646-UCS-2 ibm-1204 ibm-1205 unicode csUnicode ucs-2 

$ uconv --default-code
Apply SJIS encoding to a piece of text:
$ uconv -f UTF-8 -t SJIS -o sjis.txt jabberwocky
$ diff jabberwocky sjis.txt
$ uconv -f SJIS -t ISO-8859-1 -o iso.txt sjis.txt
No differences between the three files.

$ cat part2
π = 3.14159 or thereabouts
$ uconv -f UTF-8 -t SJIS -o part3 part2
$ cat part3
�� = 3.14159 or thereabouts
$ file part3
part3: Non-ISO extended-ASCII text
$ uconv -f UTF-8 -t ISO-8859-1 -o part4 part2
Conversion from Unicode to codepage failed at input byte position 0. Unicode: 03c0 Error: Invalid character found

The pi character cannot be handled at all by iso-8859-1.  sjis transforms it to an unprintable character.
$ od -x part2
0000000 80cf 3d20 3320 312e 3134 3935 6f20 2072
0000020 6874 7265 6165 6f62 7475 0a73
$ od -x part3
0000000 ce83 3d20 3320 312e 3134 3935 6f20 2072
0000020 6874 7265 6165 6f62 7475 0a73
π is the first two bytes of the dump.

$ uconv -f UTF-8 -t IBM-1047 -o ibm.txt jabberwocky
$ cat ibm.txt
$ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt
lcl@difda:icu $ cat usa.txt

Twas brillig and the slithy toves

`urpmq --whatrequires` shows that lib64icu68 is required by a host of packages.  It is not apparent how to persuade any of those to actually use icu or even to know what functions exercise it so that had better be left alone.
However :-
$ strace -o firefox.trace firefox part3
$ grep icu firefox.trace 
openat(AT_FDCWD, "/lib64/libicui18n.so.68", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libicuuc.so.68", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libicudata.so.68", O_RDONLY|O_CLOEXEC) = 4
getcwd("/home/lcl/qa/icu", 4096)        = 17

This showed a page with the line:
"ƒÎ = 3.14159 or thereabouts"
Maybe somebody should try it with Chromium.
That is the best we can do.

Enough for an OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Len Lawrence 2021-09-28 16:04:02 CEST
Sorry Herman, mid-air collision.
I did not have any difficulties with the installation - installed the five packages and then updated them via qarepo and MageiaUpdate.
Comment 6 Herman Viaene 2021-09-28 18:16:21 CEST
I did not select the devel package for icu. Why not installing a devel package would raise the need to remove others is beyond me.
Anyway, continouing installation works  without further problems.
The QA procedure in the wiki specifies to run openttd. I installed tht, and it is some kind of game. My lack of feeling for and experience of such games, made me wander around the graphis and menus and delete a few buildings.
As a test this could be sufficient, but I'm not happy with the installation.
Comment 7 Dave Hodgins 2021-09-28 21:30:17 CEST
Uninstalling devel packages when the corresponding version of the package they
are used to compile is being removed is normal, and should be allowed during
the testing. People who are not compiling programs themselves will not normally
have the devel packages installed.

CC: (none) => davidwhodgins

Comment 8 Thomas Andrews 2021-10-02 05:38:18 CEST
Looks good, then. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-02 19:34:13 CEST

Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-10-02 20:58:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 10 David Walser 2021-11-25 01:10:50 CET
Ubuntu has issued an advisory for this today (November 24):

Note You need to log in before you can comment on or make changes to this bug.