in defense of the update to icu 59.1

To: tech-pkg%netbsd.org@localhost
Subject: in defense of the update to icu 59.1
From: coypu%sdf.org@localhost
Date: Mon, 24 Apr 2017 13:32:49 +0000

ICU 59.1 includes a security fix that is not mentioned anywhere in
the release notes and doesn't sound good.
(It's an out of bounds write triggered by a particular string. it's
possible that in the right hands, you could pass e.g. Firefox a string
that corrupts memory and executes code).

I have a backport of the fix in a pullup request, but maintaining an
unofficial stable tree to a library that seems to not acknowledge
security issues in release notes is playing with fire.

They're pretty awful about compatibility, I think we all learned that
now. The previous update to 58.1 was delayed as it caused runtime
crashes on libreoffice and Firefox. The number 59 is a semver major
number!

Next time will be better :-)

Prev by Date: Re: icu wants c++11
Next by Date: Re: icu wants c++11
Previous by Thread: icu wants c++11
Next by Thread: [PATCH] llvm and libLLVM LDFLAGS usage
Indexes:

Home | Main Index | Thread Index | Old Index