tech-pkg archive


in defense of the update to icu 59.1

ICU 59.1 includes a security fix that is not mentioned anywhere in
the release notes and doesn't sound good.
(It's an out-of-bounds write triggered by a particular string. It's
possible that in the right hands, you could pass e.g. Firefox a string
that corrupts memory and executes code.)

I have a backport of the fix in a pullup request, but maintaining an
unofficial stable tree to a library that seems to not acknowledge
security issues in release notes is playing with fire.

They're pretty awful about compatibility, I think we all learned that
now. The previous update to 58.1 was delayed as it caused runtime
crashes on LibreOffice and Firefox. The number 59 is a semver major

Next time will be better :-)
