Bug 29491 - icu new security issue CVE-2021-30535
Summary: icu new security issue CVE-2021-30535
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-09-25 23:08 CEST by David Walser
Modified: 2021-11-25 01:10 CET (History)
CC List: 7 users

See Also:
Source RPM: icu-68.2-1.mga8.src.rpm
CVE: CVE-2021-30535
Status comment:


Description David Walser 2021-09-25 23:08:42 CEST
Google has released Chrome version 91.0.4472.77 on May 25:
https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html

It fixes a security issue in ICU, which is fixed upstream in 69.1.

Nicolas tracked down details on the issue:
https://bugs.mageia.org/show_bug.cgi?id=28732#c31

"Regarding CVE-2021-30535 in icu, according to https://security-tracker.debian.org/tracker/CVE-2021-30535, the fix is this commit: https://github.com/unicode-org/icu/pull/1698/commits/e450fa50fc242282551f56b941dc93b9a8a0bcbb
[...]
dates from April 13, 2021.  Debian added the patch locid_operators.patch to fix their version 67.1.

Version 68.2, from December 17, 2020 is also vulnerable."
David Walser 2021-09-25 23:08:58 CEST

Status comment: (none) => Fixed upstream in 69.1

Comment 1 Marja Van Waes 2021-09-25 23:37:38 CEST
Nobody maintains so many packages :-(

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2021-09-27 10:49:09 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30535)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30535
https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html
========================

Updated packages in core/updates_testing:
========================
icu-68.2-1.1.mga8
icu68-data-68.2-1.1.mga8
icu-doc-68.2-1.1.mga8
lib(64)icu68-68.2-1.1.mga8
lib(64)icu-devel-68.2-1.1.mga8

from SRPM:
icu-68.2-1.1.mga8.src.rpm

Status comment: Fixed upstream in 69.1 => (none)
CVE: (none) => CVE-2021-30535
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2021-09-28 15:46:12 CEST
MGA8-64 Plasma on Lenovo B50
When selecting lib64icu68-68.2-1.1.mga8 for installation in MCC, I get a long list of packages to be removed:
lib64dbusmenu-qt5-devel-0.9.3-1.20160218.4.mga8.x86_64
 (because of missing devel(libQt5Core(64bit)),
  because of missing devel (libQt5DBus(64bit)),
  because of missing devel(libQt5Gui(64bit)),
  because of missing devel(libQt5Widgets(64bit)))
lib64gtk+2.0-devel-2.24.33-1.mga8.x86_64
 (because of missing devell(libpangocairo-1.0(64bit)),
  because of missing e pkgconfig(pangocairo),
  because of missing  pkgconfig(pango),
  because of missing  pkgconfig(pangoft2),
  because of missing devel(libpango-1.0(64bit)))
lib64harfbuzz-devel-2.7.4-1.mga8.x86_64
etc......

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2021-09-28 16:02:38 CEST
mga8, x64

CVE-2021-30535
https://bugs.chromium.org/p/chromium/issues/detail?id=1194899
The reproducer is not well specified - it looks like a snippet of C++ - so we shall skip that.

Five packages updated cleanly.
Looking at an older bug for testing information.
$ icuinfo
 <icuSystemParams type="icu4c">
 ....
 </icuSystemParams>
ICU Initialization returned: U_ZERO_ERROR
Plugins are disabled.
$ uconv --list
UTF-8 ibm-1208 ibm-1209 ibm-5304 ibm-5305 ibm-13496 ibm-13497 ibm-17592 ibm-17593 windows-65001 cp1208 x-UTF_8J unicode-1-1-utf-8 unicode-2-0-utf-8 
UTF-16 ISO-10646-UCS-2 ibm-1204 ibm-1205 unicode csUnicode ucs-2 
....

$ uconv --default-code
UTF-8
Apply SJIS encoding to a piece of text:
$ uconv -f UTF-8 -t SJIS -o sjis.txt jabberwocky
$ diff jabberwocky sjis.txt
$
$ uconv -f SJIS -t ISO-8859-1 -o iso.txt sjis.txt
No differences between the three files.

$ cat part2
π = 3.14159 or thereabouts
$ uconv -f UTF-8 -t SJIS -o part3 part2
$ cat part3
�� = 3.14159 or thereabouts
$ file part3
part3: Non-ISO extended-ASCII text
$ uconv -f UTF-8 -t ISO-8859-1 -o part4 part2
Conversion from Unicode to codepage failed at input byte position 0. Unicode: 03c0 Error: Invalid character found

The pi character cannot be handled at all by iso-8859-1.  sjis transforms it to an unprintable character.
$ od -x part2
0000000 80cf 3d20 3320 312e 3134 3935 6f20 2072
0000020 6874 7265 6165 6f62 7475 0a73
0000034
$ od -x part3
0000000 ce83 3d20 3320 312e 3134 3935 6f20 2072
0000020 6874 7265 6165 6f62 7475 0a73
0000034
π is the first two bytes of the dump.

$ uconv -f UTF-8 -t IBM-1047 -o ibm.txt jabberwocky
$ cat ibm.txt
%㦁�@�������@���@���@������@�����%ĉ�@����@���@���@������@��@���@����K%���@�����@����@���@���������%���@���@����@�����@��������K%%
$ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt
lcl@difda:icu $ cat usa.txt

Twas brillig and the slithy toves
......

`urpmq --whatrequires` shows that lib64icu68 is required by a host of packages.  It is not apparent how to persuade any of those to actually use icu or even to know what functions exercise it so that had better be left alone.
However :-
$ strace -o firefox.trace firefox part3
$ grep icu firefox.trace 
openat(AT_FDCWD, "/lib64/libicui18n.so.68", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libicuuc.so.68", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libicudata.so.68", O_RDONLY|O_CLOEXEC) = 4
getcwd("/home/lcl/qa/icu", 4096)        = 17

This showed a page with the line:
"ƒÎ = 3.14159 or thereabouts"
Maybe somebody should try it with Chromium.
That is the best we can do.

Enough for an OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
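
A reproducible form of the encoding checks in Comment 4, added here as an illustration; it is not code from the bug report or from ICU. Python's built-in codecs stand in for uconv (an assumption: for the characters used, their mappings agree with the bytes uconv wrote). The block also reassembles the two `od -x` dumps, whose little-endian 16-bit words are why π shows up as `80cf` and `ce83`, reproduces the stop-on-unmappable-character failure for ISO-8859-1, and shows why Firefox displayed the SJIS file as "ƒÎ" (the bytes 83 CE read as Windows-1252). The sample line is constructed to match the one in the comment.

```python
# Added illustration for the QA checks in Comment 4; not code from the Mageia
# bug report or from ICU. Python's built-in codecs stand in for uconv here
# (assumption: their mappings for these characters match the bytes uconv wrote).
from typing import Optional

# Constructed sample text: the same line that Comment 4 converted.
SAMPLE = "π = 3.14159 or thereabouts\n"

# The two `od -x` listings from the report. od -x prints 16-bit words in host
# byte order, so on x86 "80cf" means the bytes CF 80 are on disk in that order.
OD_PART2 = """\
0000000 80cf 3d20 3320 312e 3134 3935 6f20 2072
0000020 6874 7265 6165 6f62 7475 0a73
0000034"""

OD_PART3 = """\
0000000 ce83 3d20 3320 312e 3134 3935 6f20 2072
0000020 6874 7265 6165 6f62 7475 0a73
0000034"""


def od_x_to_bytes(dump: str) -> bytes:
    """Reassemble file contents from an `od -x` listing (little-endian words).

    The trailing offset-only line gives the file length in octal, which lets
    us drop the zero padding od adds when the file has an odd byte count.
    """
    out = bytearray()
    total: Optional[int] = None
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) == 1:             # final line: total length, octal
            total = int(tokens[0], 8)
            continue
        for word in tokens[1:]:          # skip the offset column
            value = int(word, 16)
            out.append(value & 0xFF)     # low byte came first on disk
            out.append(value >> 8)
    return bytes(out if total is None else out[:total])


def convert(text: str, encoding: str) -> Optional[bytes]:
    """Mimic `uconv -f UTF-8 -t <encoding>` stopping on the first unmappable
    character: return the encoded bytes, or None if a character has no mapping
    in the target codepage (uconv's 'Invalid character found' case)."""
    try:
        return text.encode(encoding)
    except UnicodeEncodeError:
        return None


def round_trip_ok(text: str, encoding: str) -> bool:
    """True when text survives encoding to `encoding` and decoding back."""
    data = convert(text, encoding)
    return data is not None and data.decode(encoding) == text


def misread(data: bytes, assumed: str) -> str:
    """Show what a viewer that guesses the wrong charset would display."""
    return data.decode(assumed, errors="replace")


if __name__ == "__main__":
    part2 = od_x_to_bytes(OD_PART2)
    part3 = od_x_to_bytes(OD_PART3)
    print("part2 is UTF-8 of the sample:", part2 == SAMPLE.encode("utf-8"))
    print("part3 is Shift_JIS of the sample:", part3 == convert(SAMPLE, "shift_jis"))
    print("Shift_JIS round trip:", round_trip_ok(SAMPLE, "shift_jis"))
    print("ISO-8859-1 conversion:", convert(SAMPLE, "iso-8859-1"))
    print("part3 viewed as Windows-1252:", misread(part3, "cp1252").rstrip())
```

Run as a script it reports each check; the useful part for a QA pass is that the byte strings recovered from the dumps are compared with the codec output instead of being eyeballed, and that the ISO-8859-1 case fails explicitly (None) rather than silently substituting a character.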

Comment 5 Len Lawrence 2021-09-28 16:04:02 CEST
Sorry Herman, mid-air collision.
I did not have any difficulties with the installation - installed the five packages and then updated them via qarepo and MageiaUpdate.

Comment 6 Herman Viaene 2021-09-28 18:16:21 CEST
I did not select the devel package for icu. Why not installing a devel package would raise the need to remove others is beyond me.
Anyway, continuing installation works without further problems.
The QA procedure in the wiki specifies to run openttd. I installed that, and it is some kind of game. My lack of feeling for and experience of such games made me wander around the graphics and menus and delete a few buildings.
As a test this could be sufficient, but I'm not happy with the installation.

Comment 7 Dave Hodgins 2021-09-28 21:30:17 CEST
Uninstalling devel packages when the corresponding version of the package they
are used to compile is being removed is normal, and should be allowed during
the testing. People who are not compiling programs themselves will not normally
have the devel packages installed.

CC: (none) => davidwhodgins

Comment 8 Thomas Andrews 2021-10-02 05:38:18 CEST
Looks good, then. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-02 19:34:13 CEST

Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-10-02 20:58:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0455.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2021-11-25 01:10:50 CET
Ubuntu has issued an advisory for this today (November 24):
https://ubuntu.com/security/notices/USN-5156-1
