Bug#1107856: bookworm-pu: package icu/72.1-3+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: icu@packages.debian.org, security@debian.org
Control: affects -1 + src:icu
* CVE-2025-5222: Stack-based buffer overflow (Closes: #1106684)
Tagged moreinfo because this is also a question to the security team:
do they want this in pu or as a DSA?
diffstat for icu-72.1 icu-72.1
changelog | 7
patches/0001-ICU-22973-Fix-buffer-overflow-by-using-CharString.patch | 162 ++++++++++
patches/series | 1
3 files changed, 170 insertions(+)
diff -Nru icu-72.1/debian/changelog icu-72.1/debian/changelog
--- icu-72.1/debian/changelog 2022-11-25 21:19:48.000000000 +0200
+++ icu-72.1/debian/changelog 2025-06-13 21:44:52.000000000 +0300
@@ -1,3 +1,10 @@
+icu (72.1-3+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-5222: Stack-based buffer overflow (Closes: #1106684)
+
+ -- Adrian Bunk <bunk@debian.org> Fri, 13 Jun 2025 21:44:52 +0300
+
icu (72.1-3) unstable; urgency=high
* Backport fix for ICU-22198: fix stack buffer overflow.
diff -Nru icu-72.1/debian/patches/0001-ICU-22973-Fix-buffer-overflow-by-using-CharString.patch icu-72.1/debian/patches/0001-ICU-22973-Fix-buffer-overflow-by-using-CharString.patch
--- icu-72.1/debian/patches/0001-ICU-22973-Fix-buffer-overflow-by-using-CharString.patch 1970-01-01 02:00:00.000000000 +0200
+++ icu-72.1/debian/patches/0001-ICU-22973-Fix-buffer-overflow-by-using-CharString.patch 2025-06-13 21:44:52.000000000 +0300
@@ -0,0 +1,162 @@
+From 1f01f4b70f16763352eefc17298b106e6a181909 Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Wed, 22 Jan 2025 11:50:59 -0800
+Subject: ICU-22973 Fix buffer overflow by using CharString
+
+---
+ source/tools/genrb/parse.cpp | 49 ++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 20 deletions(-)
+
+diff --git a/source/tools/genrb/parse.cpp b/source/tools/genrb/parse.cpp
+index 2c5d4952436..512f251e1b4 100644
+--- a/source/tools/genrb/parse.cpp
++++ b/source/tools/genrb/parse.cpp
+@@ -1153,7 +1153,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp
+ struct UString *tokenValue;
+ struct UString comment;
+ enum ETokenType token;
+- char subtag[1024];
++ CharString subtag;
+ UnicodeString rules;
+ UBool haveRules = false;
+ UVersionInfo version;
+@@ -1189,15 +1189,15 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp
+ return NULL;
+ }
+
+- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
+-
++ subtag.clear();
++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+ if (U_FAILURE(*status))
+ {
+ res_close(result);
+ return NULL;
+ }
+
+- member = parseResource(state, subtag, NULL, status);
++ member = parseResource(state, subtag.data(), NULL, status);
+
+ if (U_FAILURE(*status))
+ {
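Review bot: The `U_FAILURE(*status)` check that follows `subtag.appendInvariantChars(...)` closes `result` and returns NULL without reporting anything, so a key the conversion rejects ends the parse with no line number. With `char subtag[1024]` replaced by `CharString`, conversion problems (an allocation failure, or presumably non-invariant characters) now surface through `*status`, which gives this existing check a new job. realParseTable reports its comparable case with `error(line, "invariant characters required for table keys");`, so adding something like `error(line, "invalid collation key: %s", u_errorName(*status));` before `res_close(result);` would make rejected input diagnosable. The same silent return follows both the `subtag` and `typeKeyword` conversions in parseCollationElements. addCollation starts and ends outside this hunk, so confirm that `line` is already set at this point.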
+@@ -1208,7 +1208,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp
+ {
+ // Ignore the parsed resources, continue parsing.
+ }
+- else if (uprv_strcmp(subtag, "Version") == 0 && member->isString())
++ else if (uprv_strcmp(subtag.data(), "Version") == 0 && member->isString())
+ {
+ StringResource *sr = static_cast<StringResource *>(member);
+ char ver[40];
+@@ -1225,11 +1225,11 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp
+ result->add(member, line, *status);
+ member = NULL;
+ }
+- else if(uprv_strcmp(subtag, "%%CollationBin")==0)
++ else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0)
+ {
+ /* discard duplicate %%CollationBin if any*/
+ }
+- else if (uprv_strcmp(subtag, "Sequence") == 0 && member->isString())
++ else if (uprv_strcmp(subtag.data(), "Sequence") == 0 && member->isString())
+ {
+ StringResource *sr = static_cast<StringResource *>(member);
+ rules = sr->fString;
+@@ -1395,7 +1395,7 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+ struct UString *tokenValue;
+ struct UString comment;
+ enum ETokenType token;
+- char subtag[1024], typeKeyword[1024];
++ CharString subtag, typeKeyword;
+ uint32_t line;
+
+ result = table_open(state->bundle, tag, NULL, status);
+@@ -1437,7 +1437,8 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+ return NULL;
+ }
+
+- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
++ subtag.clear();
++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+
+ if (U_FAILURE(*status))
+ {
+@@ -1445,9 +1446,9 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+ return NULL;
+ }
+
+- if (uprv_strcmp(subtag, "default") == 0)
++ if (uprv_strcmp(subtag.data(), "default") == 0)
+ {
+- member = parseResource(state, subtag, NULL, status);
++ member = parseResource(state, subtag.data(), NULL, status);
+
+ if (U_FAILURE(*status))
+ {
+@@ -1466,22 +1467,29 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+ if(token == TOK_OPEN_BRACE) {
+ token = getToken(state, &tokenValue, &comment, &line, status);
+ TableResource *collationRes;
+- if (keepCollationType(subtag)) {
+- collationRes = table_open(state->bundle, subtag, NULL, status);
++ if (keepCollationType(subtag.data())) {
++ collationRes = table_open(state->bundle, subtag.data(), NULL, status);
+ } else {
+ collationRes = NULL;
+ }
+ // need to parse the collation data regardless
+- collationRes = addCollation(state, collationRes, subtag, startline, status);
++ collationRes = addCollation(state, collationRes, subtag.data(), startline, status);
+ if (collationRes != NULL) {
+ result->add(collationRes, startline, *status);
+ }
+ } else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */
+ /* we could have a table too */
+ token = peekToken(state, 1, &tokenValue, &line, &comment, status);
+- u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1);
+- if(uprv_strcmp(typeKeyword, "alias") == 0) {
+- member = parseResource(state, subtag, NULL, status);
++ typeKeyword.clear();
++ typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
++ if (U_FAILURE(*status))
++ {
++ res_close(result);
++ return nullptr;
++ }
++
++ if(uprv_strcmp(typeKeyword.data(), "alias") == 0) {
++ member = parseResource(state, subtag.data(), NULL, status);
+ if (U_FAILURE(*status))
+ {
+ res_close(result);
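Review bot: In the `TOK_COLON` branch the new `U_FAILURE(*status)` check runs only after `u_strlen(tokenValue->fChars)` has been evaluated, so it guards the `typeKeyword` conversion but not the `peekToken` result it reads from. Whether `peekToken` can fail and leave `tokenValue` unusable is not visible in this hunk; if it can, test `*status` (or `token`) right after the call, before touching `tokenValue`. As a style point, this block uses `return nullptr;` while every other early return shown in the patch uses `NULL`, so `return NULL;` would match the surrounding code. parseCollationElements starts and ends outside the hunk.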
+@@ -1523,7 +1531,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+ struct UString *tokenValue=NULL;
+ struct UString comment;
+ enum ETokenType token;
+- char subtag[1024];
++ CharString subtag;
+ uint32_t line;
+ UBool readToken = false;
+
+@@ -1562,7 +1570,8 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+ }
+
+ if(uprv_isInvariantUString(tokenValue->fChars, -1)) {
+- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
++ subtag.clear();
++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+ } else {
+ *status = U_INVALID_FORMAT_ERROR;
+ error(line, "invariant characters required for table keys");
+@@ -1575,7 +1584,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+ return NULL;
+ }
+
+- member = parseResource(state, subtag, &comment, status);
++ member = parseResource(state, subtag.data(), &comment, status);
+
+ if (member == NULL || U_FAILURE(*status))
+ {
+--
+2.30.2
+
diff -Nru icu-72.1/debian/patches/series icu-72.1/debian/patches/series
--- icu-72.1/debian/patches/series 2022-11-25 21:19:45.000000000 +0200
+++ icu-72.1/debian/patches/series 2025-06-13 21:44:52.000000000 +0300
@@ -1,2 +1,3 @@
icudata-stdlibs.patch
ICU-22198.patch
+0001-ICU-22973-Fix-buffer-overflow-by-using-CharString.patch