Hi Salvatore,

On Tue, May 27, 2025 at 9:39 PM Salvatore Bonaccorso <car...@debian.org> wrote:
> CVE-2025-5222[0]:
> | Stack buffer overflow in the SRBRoot::addTag function
>
> The available information is a bit scarce here. The issue description at
> least points to the same issue as tracked in [1]. Though it is not
> very clear with the fix version and identifying the fixing commit. Can
> you find more on it?

Well, it's quite late in the night, but I did some quick tests. This
affects the ICU 75.1 and 76.1, but not the 77.1 version. While the first
two fail with:

unknown resource type 'ning'
parse error. Stopped parsing resource with U_INVALID_FORMAT_ERROR
parse error. Stopped parsing resource with U_INVALID_FORMAT_ERROR
*** stack smashing detected ***: terminated
Aborted

The latter handles this:

unknown resource type 'ning'
parse error. Stopped parsing resource with U_INVALID_FORMAT_ERROR
parse error. Stopped parsing resource with U_INVALID_FORMAT_ERROR
couldn't parse the file. Error:U_INVALID_FORMAT_ERROR

This is strange in that upstream notes this will be fixed in the ICU
78.1 version - but 77.1 already handles this correctly. This makes sense,
by the way, as the report is from November 2024 and the 77.1 release was
made later, in March 2025.
I need to dig into it, probably with Git bisect to find the fixing
commit. I couldn't test the 74.1 version and earlier yet.

Regards,
Laszlo/GCS