Opened 8 years ago

Closed 7 years ago

#54004 closed defect (fixed)

icu @58.2: fix CVE-2017-7867 and CVE-2017-7868

Reported by: l2dy (Zero King) Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc:
Port: icu

Description (last modified by ryandesign (Ryan Carsten Schmidt))

See https://ssl.icu-project.org/trac/changeset/39671. Fixed in icu 59.1.

https://nvd.nist.gov/vuln/detail/CVE-2017-7867
https://nvd.nist.gov/vuln/detail/CVE-2017-7868

Change History (3)

comment:1 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)

Description: modified (diff)
Status: newaccepted

Given the major version number increase, I imagine this will involve revbumping and rebuilding all dependents again.

comment:2 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)

Yikes:

http://site.icu-project.org/download/59:

There are major changes for ICU4C that require changes in projects using ICU. See below for details.

  • ICU4C now uses and requires C++11 language features and libraries.
  • ICU4C has also moved to char16_t as the type for UTF-16. This is a breaking change. Please see the detail section below.

Seems like updating to this version will break a ton of stuff on non-C++11 platforms (OS X <= 10.8) so I don't think we should update yet. I can patch to address the CVEs though.

comment:3 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)

Resolution: fixed
Status: acceptedclosed

In ed8c15b1c8e4d61eebf722c9c45bb96895c53afe/macports-ports:

icu: Address CVE-2017-7867 and CVE-2017-7868

Closes: #54004

Note: See TracTickets for help on using tickets.