Bug#990629: unblock: icu/67.1-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi RMs,
I would like to update the ICU (International Components for Unicode)
package to fix CVE-2021-30535 [1] for Bullseye.
[ Reason ]
Fix a security issue which makes it possible for a remote attacker to
potentially exploit heap corruption in applications using the ICU
library.
[ Impact ]
Application crash due to double free.
[ Tests ]
Upstream tests.
[ Risks ]
None.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
None.
unblock icu/67.1-7
Thanks,
Laszlo/GCS
[1] https://github.com/unicode-org/icu/pull/1698
diff -Nru icu-67.1/debian/changelog icu-67.1/debian/changelog
--- icu-67.1/debian/changelog 2021-01-13 06:45:13.000000000 +0100
+++ icu-67.1/debian/changelog 2021-06-30 18:07:32.000000000 +0200
@@ -1,3 +1,10 @@
+icu (67.1-7) unstable; urgency=high
+
+ * Backport upstream security fix for CVE-2021-30535: crash caused by locale
+ assign/move operators.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Wed, 30 Jun 2021 18:07:32 +0200
+
icu (67.1-6) unstable; urgency=medium
* Add pkg-config build dependency to build-test of autopkg tests.
diff -Nru icu-67.1/debian/patches/locid_operators.patch icu-67.1/debian/patches/locid_operators.patch
--- icu-67.1/debian/patches/locid_operators.patch 1970-01-01 01:00:00.000000000 +0100
+++ icu-67.1/debian/patches/locid_operators.patch 2021-04-21 15:42:38.000000000 +0200
@@ -0,0 +1,41 @@
+diff --git a/patches/locid_operators.patch b/patches/locid_operators.patch
+new file mode 100644
+index 0000000..7428558
+--- /dev/null
++++ b/patches/locid_operators.patch
+@@ -0,0 +1,35 @@
++diff --git a/source/common/locid.cpp b/source/common/locid.cpp
++index 0d506293..4743db53 100644
++--- a/source/common/locid.cpp
+++++ b/source/common/locid.cpp
++@@ -469,14 +469,18 @@ Locale& Locale::operator=(Locale&& other) U_NOEXCEPT {
++ if ((baseName != fullName) && (baseName != fullNameBuffer)) uprv_free(baseName);
++ if (fullName != fullNameBuffer) uprv_free(fullName);
++
++- if (other.fullName == other.fullNameBuffer) {
+++ if (other.fullName == other.fullNameBuffer || other.baseName == other.fullNameBuffer) {
++ uprv_strcpy(fullNameBuffer, other.fullNameBuffer);
+++ }
+++ if (other.fullName == other.fullNameBuffer) {
++ fullName = fullNameBuffer;
++ } else {
++ fullName = other.fullName;
++ }
++
++- if (other.baseName == other.fullName) {
+++ if (other.baseName == other.fullNameBuffer) {
+++ baseName = fullNameBuffer;
+++ } else if (other.baseName == other.fullName) {
++ baseName = fullName;
++ } else {
++ baseName = other.baseName;
++@@ -2696,6 +2700,9 @@ Locale::setKeywordValue(const char* keywordName, const char* keywordValue, UErro
++ if (fullName != fullNameBuffer) {
++ // if full Name is already on the heap, need to free it.
++ uprv_free(fullName);
+++ if (baseName == fullName) {
+++ baseName = newFullName; // baseName should not point to freed memory.
+++ }
++ }
++ fullName = newFullName;
++ status = U_ZERO_ERROR;
diff -Nru icu-67.1/debian/patches/series icu-67.1/debian/patches/series
--- icu-67.1/debian/patches/series 2020-08-18 17:39:36.000000000 +0200
+++ icu-67.1/debian/patches/series 2021-06-30 18:07:32.000000000 +0200
@@ -5,3 +5,4 @@
layout-test-fix.patch
#flaky-tests.patch
ICU-13786_Fix_addLikelySubtags_minimizeSubtags.patch
+locid_operators.patch
Reply to: