Bug 33284 – icu: Multiple issues (3.2)

Bug 33284 - icu: Multiple issues (3.2)


Summary:	icu: Multiple issues (3.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.0
Hardware:	Other Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 3.2-6-errata
Assigned To:	Arvid Requate
QA Contact:	Philipp Hahn

URL:
Keywords:

Duplicates:	37630 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-11-12 11:22 CET by Moritz Muehlenhoff
Modified:	2015-08-21 13:13 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Moritz Muehlenhoff

2013-11-12 11:22:22 CET

+++ This bug was initially created as a clone of Bug #30726 +++

Memory corruption in UTF8 handling (CVE-2013-2924)

Comment 1 Moritz Muehlenhoff

2015-02-02 06:57:46 CET

*** Bug 37630 has been marked as a duplicate of this bug. ***

Comment 2 Moritz Muehlenhoff

2015-02-02 06:58:06 CET

The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926. (CVE-2014-7923)

The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923. (CVE-2014-7926)

The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. (CVE-2014-7940)

Additional issues: CVE-2014-6585 CVE-2014-6591

Comment 3 Moritz Muehlenhoff

2015-02-06 08:00:57 CET

Denial of service in regular expression handling (CVE-2014-9654, CVE-2015-1205)

Comment 4 Arvid Requate

2015-03-17 18:18:25 CET

CVE-2013-1569 CVE-2013-2383 CVE-2013-2384 CVE-2013-2419:

Potential execution of arbitrary code with user privileges due to incorrect memory handling while processing fonts.

Comment 5 Arvid Requate

2015-05-11 12:34:48 CEST

Heap overflow (CVE-2014-8146)
Integer overflow (CVE-2014-8147)

Comment 6 Arvid Requate

2015-07-16 12:00:26 CEST

* missing boundary checks in layout engine (CVE-2015-4760)

Comment 7 Arvid Requate

2015-08-17 12:09:16 CEST

Fixed in 4.4.1-8+squeeze4

Not affected by CVE-2014-8146 CVE-2014-8147 (Code not present)

Comment 8 Arvid Requate

2015-08-18 14:27:35 CEST

No affected by CVE-2013-2924.

Advisory: 2015-08-18-icu.yaml

Comment 9 Philipp Hahn

2015-08-19 14:06:02 CEST

OK: DEBIAN_FRONTEND=noninteractive aptitude install '?source-package(^icu$)~i'
OK: DEBIAN_FRONTEND=noninteractive aptitude install '?source-package(^icu$)?not(?name(udeb))'
OK: amd64 i386
OK: zless /usr/share/doc/libicu44/changelog.Debian.gz # 4.4.1-8+squeeze4
OK: 3.0-2 < errata3.2-6 < 4.0-0

OK: CVE-2013-0900 fixed 4.4.1-8+squeeze2
OK: CVE-2013-2924 fixed 4.4.1-8+squeeze2
OK: CVE-2014-7923 fixed 4.4.1-8+squeeze3
OK: CVE-2014-7926 fixed 4.4.1-8+squeeze3
OK: CVE-2014-7940 fixed 4.4.1-8+squeeze3
OK: CVE-2014-6585 fixed 4.4.1-8+squeeze3
OK: CVE-2014-6591 fixed 4.4.1-8+squeeze3
OK: CVE-2014-9654 fixed 4.4.1-8+squeeze3
FYI: CVE-2015-1205=scr:chromium-browser -> CVE-2014-9654=src:icu
OK: CVE-2013-1569 fixed 4.4.1-8+squeeze3
OK: CVE-2013-2383 fixed 4.4.1-8+squeeze3
OK: CVE-2013-2384 fixed 4.4.1-8+squeeze3
OK: CVE-2013-2419 fixed 4.4.1-8+squeeze3
OK: CVE-2014-8146 <not-affected>
OK: CVE-2014-8147 <not-affected>
OK: CVE-2015-4760 fixed 4.4.1-8+squeeze4

OK: make -C /usr/share/doc/libicu-dev/examples
OK: openoffice.org

OK: 2015-08-18-icu.yaml
OK: errata-announce -V 2015-08-18-icu.yaml

(In reply to Arvid Requate from comment #8)
> No affected by CVE-2013-2924.
Affected, but fixed in Debian package 4.4.1-8+squeeze2.

Comment 10 Janek Walkenhorst

2015-08-21 13:13:18 CEST

<http://errata.univention.de/ucs/3.2/356.html>