Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v10.x] deps: backport ICU-20958 to fix CVE-2020-10531 #33572

Closed
wants to merge 3 commits into from
Closed

[v10.x] deps: backport ICU-20958 to fix CVE-2020-10531 #33572

wants to merge 3 commits into from

Conversation

richardlau
Copy link
Member

@richardlau richardlau commented May 26, 2020
edited

Add floating patch for ICU 64.2 from unicode-org/icu@18b212f.

Original commit message:

   ICU-21032 Backport to 64.x: ICU-20958 Prevent SEGV_MAPERR in append

   See #971

   (cherry picked from commit b7d08bc04a4296982fcef8b6b8a354a9e4e7afca)

Refs: https://unicode-org.atlassian.net/browse/ICU-20958
Refs: unicode-org/icu#1155
Refs: nodejs/help#2716

I don't have a way of reproducing the crash for the original ICU CVE on
v10.x as the version of V8 included does not contain the Intl.ListFormat
function.

cc @nodejs/lts @srl295

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines

krytarowski and others added 2 commits April 17, 2020 11:02
@krytarowski @richardlau
build: allow clang 10+ in configure.py
1b5adbc 
Detected on NetBSD/amd64.

Fixes: nodejs#29536

PR-URL: nodejs#29541
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
@richardlau
build: move doc versions JSON file out of out/doc
a85721a 
Move the generated previous doc versions JSON file out of `out/doc` to
prevent it being included in the distributed packages.

Signed-off-by: Richard Lau <riclau@uk.ibm.com>

PR-URL: nodejs#32728
Fixes: nodejs/build#2276
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
@nodejs-github-bot nodejs-github-bot added the tools Issues and PRs related to the tools directory. label May 26, 2020
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/31569/

@srl295
Copy link
Member

srl295 commented May 26, 2020

@richardlau I've merged the PR, so you can pull from unicode-org/icu@18b212f on the maint branch

@richardlau
deps: backport ICU-20958 to fix CVE-2020-10531
530dea3 
Add floating patch for ICU 64.2 from unicode-org/icu@18b212f.

Original commit message:
    ICU-21032 Backport to 64.x: ICU-20958 Prevent SEGV_MAPERR in append

    See nodejs#971

    (cherry picked from commit b7d08bc04a4296982fcef8b6b8a354a9e4e7afca)

Refs: https://unicode-org.atlassian.net/browse/ICU-20958
Refs: unicode-org/icu#1155
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/31576/

srl295
srl295 approved these changes May 27, 2020
View reviewed changes
Copy link
Member

@srl295 srl295 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/31579/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/31588/

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label May 27, 2020
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/31602/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/31617/

@BethGriggs
Copy link
Member

Landed in bd78c6e
Released in v10.21.0.

@BethGriggs BethGriggs closed this Jun 2, 2020
@richardlau richardlau deleted the icucve branch June 2, 2020 20:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@srl295 srl295 srl295 approved these changes

@BethGriggs BethGriggs BethGriggs approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. tools Issues and PRs related to the tools directory.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@richardlau @nodejs-github-bot @srl295 @BethGriggs @BridgeAR @krytarowski