[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
in defense of the update to icu 59.1
ICU 59.1 includes a security fix that is not mentioned anywhere in
the release notes and doesn't sound good.
(It's an out of bounds write triggered by a particular string. it's
possible that in the right hands, you could pass e.g. Firefox a string
that corrupts memory and executes code).
I have a backport of the fix in a pullup request, but maintaining an
unofficial stable tree to a library that seems to not acknowledge
security issues in release notes is playing with fire.
They're pretty awful about compatibility, I think we all learned that
now. The previous update to 58.1 was delayed as it caused runtime
crashes on libreoffice and Firefox. The number 59 is a semver major
Next time will be better :-)
Main Index |
Thread Index |