Mandriva issued this advisory on December 27: http://lists.mandriva.com/security-announce/2011-12/msg00025.php
Keywords: (none) => Security
Assignee: bugsquad => anssi.hannula
Suggested advisory:
========================

Updated icu packages fix a security vulnerability:

A stack-based buffer overflow flaw was found in the way ICU performed variant canonicalization for some locale identifiers. If a specially-crafted locale representation was opened in an application linked against ICU, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application (CVE-2011-4599).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4599
https://rhn.redhat.com/errata/RHSA-2011-1815.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:194
https://bugzilla.redhat.com/show_bug.cgi?id=765812
========================

Updated packages in core/updates_testing:
=====================
icu-4.4.2-2.1.mga1
lib(64)icu44-4.4.2-2.1.mga1
lib(64)icu-devel-4.4.2-2.1.mga1
icu-doc-4.4.2-2.1.mga1

from icu-4.4.2-2.1.mga1 src.rpm.
=====================

No testcase.
Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Assignee: anssi.hannula => qa-bugs
Tested successfully on i586. I verified that libreoffice can handle unicode characters (I'm assuming it uses it for this).
x86_64

Testing with openttd as there is an update candidate for that too (bug 4044).

The following 3 packages are going to be installed:

- icu-4.4.2-2.1.mga1.x86_64
- lib64icu-devel-4.4.2-2.1.mga1.x86_64
- lib64icu44-4.4.2-2.1.mga1.x86_64

$ strace -o strace.out openttd
$ grep icu strace.out
open("/usr/lib64/libicui18n.so.44", O_RDONLY) = 3
open("/usr/lib64/libicuuc.so.44", O_RDONLY) = 3
open("/usr/lib64/libicudata.so.44", O_RDONLY) = 3

$ rpm -qif /usr/lib64/libicui18n.so.44
Name        : lib64icu44                   Relocations: (not relocatable)
Version     : 4.4.2                             Vendor: Mageia.Org
Release     : 2.1.mga1                      Build Date: Fri 30 Dec 2011 03:55:15 GMT
Install Date: Mon 09 Jan 2012 11:21:24 GMT      Build Host: jonund
Group       : System/Libraries              Source RPM: icu-4.4.2-2.1.mga1.src.rpm

$ rpm -qif /usr/lib64/libicuuc.so.44
Name        : lib64icu44                   Relocations: (not relocatable)
Version     : 4.4.2                             Vendor: Mageia.Org
Release     : 2.1.mga1                      Build Date: Fri 30 Dec 2011

$ rpm -qif /usr/lib64/libicudata.so.44
Name        : lib64icu44                   Relocations: (not relocatable)
Version     : 4.4.2                             Vendor: Mageia.Org
Release     : 2.1.mga1                      Build Date: Fri 30 Dec 2011 03:55:15 GMT

Testing complete x86_64

$ urpmq --whatrequires lib64icu44

Shows libreoffice does use this too so validating the update.

advisory:
========================

Updated icu packages fix a security vulnerability:

A stack-based buffer overflow flaw was found in the way ICU performed variant canonicalization for some locale identifiers. If a specially-crafted locale representation was opened in an application linked against ICU, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application (CVE-2011-4599).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4599
https://rhn.redhat.com/errata/RHSA-2011-1815.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:194
https://bugzilla.redhat.com/show_bug.cgi?id=765812
========================

SRPM: icu-4.4.2-2.1.mga1 src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
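
The library check from the x86_64 test above, as an added example that is not part of the original bug comments: it lists only the ICU libraries that strace shows were opened successfully (failed search-path probes are skipped) and, on an RPM system, maps each one to its owning package. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample trace below is constructed, not captured output.

# opened_libs TRACE PATTERN
# Print the unique paths matching PATTERN (extended regex) that the traced
# process opened successfully. Handles open() and openat(), an optional
# PID column (strace -f), and skips failed probes such as "= -1 ENOENT".
opened_libs() {
    sed -n -E 's/^([0-9]+ +)?open(at)?\([^"]*"([^"]+)".*\) = [0-9]+.*$/\3/p' "$1" |
        grep -E -- "$2" | sort -u
}

# owning_packages: read paths on stdin, print "path<TAB>name-version-release".
# Uses rpm -qf; a file no package owns (or a host without rpm) gives UNOWNED.
owning_packages() {
    while IFS= read -r path; do
        pkg=$(rpm -qf --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$path" 2>/dev/null) \
            || pkg=UNOWNED
        printf '%s\t%s\n' "$path" "$pkg"
    done
}

# Constructed strace lines: one failed probe, one duplicate, one non-ICU library.
sample_trace() {
cat <<'EOF'
open("/usr/lib64/tls/libicui18n.so.44", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libicui18n.so.44", O_RDONLY) = 3
open("/usr/lib64/libicuuc.so.44", O_RDONLY) = 3
1234  openat(AT_FDCWD, "/usr/lib64/libicudata.so.44", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libz.so.1", O_RDONLY) = 3
open("/usr/lib64/libicuuc.so.44", O_RDONLY) = 3
EOF
}

trace=$(mktemp)
sample_trace > "$trace"
opened_libs "$trace" 'libicu'
# On an RPM system, pipe the result on to see which package release is in use:
#   opened_libs "$trace" 'libicu' | owning_packages
rm -f "$trace"
```

Comparing the release reported by `owning_packages` with the update candidate (here `2.1.mga1`) confirms that the tested application exercised the patched library rather than an older copy elsewhere on the search path.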
update pushed
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED