From: bug#28968 <28968@debbugs.gnu.org>
To: bug#28968 <28968@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: icu4c: Fix CVE-2017-14952.
Reply-To: bug#28968 <28968@debbugs.gnu.org>
Date: Sat, 21 Jun 2025 10:14:46 +0000

retitle 28968 [PATCH] gnu: icu4c: Fix CVE-2017-14952.
reassign 28968 guix-patches
submitter 28968 Leo Famulari
severity 28968 normal
tag 28968 patch
thanks

From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: icu4c: Fix CVE-2017-14952.
Date: Tue, 24 Oct 2017 12:36:30 -0400

* gnu/packages/patches/icu4c-CVE-2017-14952.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
(icu4c-fixed): New variable.
--- gnu/local.mk | 1 + gnu/packages/icu4c.scm | 10 ++++++++++ gnu/packages/patches/icu4c-CVE-2017-14952.patch | 18 ++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 gnu/packages/patches/icu4c-CVE-2017-14952.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6b70300ff..d02b25072 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -734,6 +734,7 @@ dist_patch_DATA = \ %D%/packages/patches/hydra-disable-darcs-test.patch \ %D%/packages/patches/icecat-avoid-bundled-libraries.patch \ %D%/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch \ + %D%/packages/patches/icu4c-CVE-2017-14952.patch \ %D%/packages/patches/icu4c-reset-keyword-list-iterator.patch \ %D%/packages/patches/id3lib-CVE-2007-4460.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm index 346128585..55bc9f203 100644 --- a/gnu/packages/icu4c.scm +++ b/gnu/packages/icu4c.scm @@ -32,6 +32,7 @@ (define-public icu4c (package (name "icu4c") + (replacement icu4c-fixed) (version "58.2") (source (origin (method url-fetch) 
@@ -70,6 +71,15 @@ C/C++ part.") (license x11) (home-page "http://site.icu-project.org/"))) +(define icu4c-fixed + (package + (inherit icu4c) + (source (origin + (inherit (package-source icu4c)) + (patches (append + (origin-patches (package-source icu4c)) + (search-patches "icu4c-CVE-2017-14952.patch"))))))) + (define-public java-icu4j (package (name "java-icu4j") diff --git a/gnu/packages/patches/icu4c-CVE-2017-14952.patch b/gnu/packages/patches/icu4c-CVE-2017-14952.patch new file mode 100644 index 000000000..564f69d01 --- /dev/null +++ b/gnu/packages/patches/icu4c-CVE-2017-14952.patch 
@@ -0,0 +1,18 @@ +Fix CVE-2017-14952: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14952 + +Patch copied from upstream source repository: + +http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp#file0 + +Index: trunk/icu4c/source/i18n/zonemeta.cpp +=================================================================== +--- icu/source/i18n/zonemeta.cpp (revision 40283) ++++ icu/source/i18n/zonemeta.cpp (revision 40324) +@@ -691,5 +691,4 @@ + if (U_FAILURE(status)) { + delete mzMappings; +- deleteOlsonToMetaMappingEntry(entry); + uprv_free(entry); + break; -- 2.14.3
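
Review bot: the new icu4c-fixed definition in gnu/packages/icu4c.scm carries no comment saying that it exists only as the target of (replacement icu4c-fixed), so nothing reminds a later editor to move icu4c-CVE-2017-14952.patch into icu4c's own patches and drop the replacement field once icu4c itself is rebuilt or updated. Because icu4c-fixed inherits name and version "58.2" unchanged and overrides only source, a short comment above (define icu4c-fixed is the only visible marker that two builds of 58.2 exist and why.
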
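
Review bot: the header of gnu/packages/patches/icu4c-CVE-2017-14952.patch gives only the CVE link and the upstream changeset URL and never says what the defect is. The hunk shows it: in the U_FAILURE(status) branch, entry was handed to deleteOlsonToMetaMappingEntry(entry) and then to uprv_free(entry), so one line such as "double free of entry on the error path in zonemeta.cpp" would let a reader judge the fix without following the links. The embedded diff is taken between revisions 40283 and 40324, while the package is pinned at version "58.2", and its ---/+++ paths (icu/source/...) differ from the Index: path (trunk/icu4c/source/...). It is worth confirming that the context around line 691 matches the 58.2 tarball and that the patch applies there without offset or fuzz.
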
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 28968@debbugs.gnu.org
Subject: Re: [bug#28968] [PATCH] gnu: icu4c: Fix CVE-2017-14952.
Date: Tue, 24 Oct 2017 09:55:13 -0700

Leo Famulari wrote:

> * gnu/packages/patches/icu4c-CVE-2017-14952.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
> (icu4c-fixed): New variable.

LGTM, thank you!

Ludo’.

From: Leo Famulari
To: control@debbugs.gnu.org
Date: Tue, 24 Oct 2017 13:11:09 -0400

close 28968

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 22 Nov 2017 12:24:03 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator