[v10.x] deps: backport ICU-20958 to fix CVE-2020-10531

Add floating patch for ICU 64.2 from https://github.com/unicode-org/icu/commit/18b212f235c8b1dea3b8bbd0accd57340b32ba55.

Original commit message:

   ICU-21032 Backport to 64.x: ICU-20958 Prevent SEGV_MAPERR in append

   See #971

   (cherry picked from commit b7d08bc04a4296982fcef8b6b8a354a9e4e7afca)

Refs: https://unicode-org.atlassian.net/browse/ICU-20958
Refs: https://github.com/unicode-org/icu/pull/1155
Refs: https://github.com/nodejs/help/issues/2716

I don't have a way of reproducing the crash for the original ICU CVE on v10.x as the version of V8 included does not contain the Intl.ListFormat function.

cc @nodejs/lts @srl295

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines
