ICU: Integer overflow

2020-03-15T00:00:00
ID GLSA-202003-15
Type gentoo
Reporter Gentoo Foundation
Modified 2020-03-15T00:00:00

Description

Background

ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications.

Description

It was discovered that ICU’s UnicodeString::doAppend() function is vulnerable to an integer overflow. Please review the CVE identifiers referenced below for more details.

Impact

A remote attacker could entice a user to process a specially crafted string in an application linked against ICU, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All ICU users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/icu-65.1-r1"