Bug 41952 - icu: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks: 41953
Reported: 2016-08-09 22:36 CEST by Arvid Requate
Modified: 2017-04-19 16:50 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 8.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
requate: Patch_Available+


Description Arvid Requate univentionstaff 2016-08-09 22:36:19 CEST
Upstream Debian package version 4.8.1.1-12+deb7u4 fixes these issues:

* Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (CVE-2015-2632)

* Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2015-4844)

* Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2016-0494)

These issues found in Java also affect the International Components for Unicode (icu).
Comment 1 Arvid Requate univentionstaff 2016-08-09 22:37:42 CEST
CVE-2015-2632: CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2015-4844: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-0494: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Comment 2 Janek Walkenhorst univentionstaff 2016-09-15 16:24:49 CEST
4.8.1.1-12+deb7u5:

CVE-2016-6293
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
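Added illustration of the bug shape described for CVE-2016-6293 above (example code written for this page, not ICU's uloc.cpp and not part of the bug report): a language tag taken from a client-supplied Accept-Language header is copied into a fixed-size temporary array with a length bounded by the array's capacity, so the copy itself never overflows, but a tag as long as the array leaves no '\0' behind and the next string function reads past the end. The capacity, the function names and the sample header are all constructed for the example; the check uses memchr() so it detects the missing terminator without performing the out-of-bounds read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the capacity of the fixed-size temporary array.
   Deliberately tiny so the failure is easy to trigger; it is not ICU's value. */
#define TMP_CAPACITY 8

/* True if buf holds a '\0' somewhere in its first cap bytes, i.e. it is a
   string that later strlen()/strcmp() calls can read without leaving the array.
   Uses memchr() so the check itself never reads past the buffer. */
static bool is_terminated(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

/* Vulnerable shape: zero the array, then copy the tag with a length that is
   bounded by the capacity. The copy cannot overflow, but a tag of
   TMP_CAPACITY bytes or more overwrites every byte, including the last zero,
   so nothing terminates the string and the next string function reads past
   the end of the array (the out-of-bounds read in the CVE text).
   Returns whether a terminator survived. */
static bool copy_tag_vulnerable(const char *tag, size_t tag_len,
                                char tmp[TMP_CAPACITY]) {
    memset(tmp, 0, TMP_CAPACITY);
    strncpy(tmp, tag, tag_len < TMP_CAPACITY ? tag_len : TMP_CAPACITY);
    return is_terminated(tmp, TMP_CAPACITY);
}

/* Fixed shape: reject tags that do not leave room for the terminator, and
   write the '\0' explicitly rather than relying on the initial zero fill.
   Returns false (tag rejected) for over-long input; tmp is always terminated. */
static bool copy_tag_fixed(const char *tag, size_t tag_len,
                           char tmp[TMP_CAPACITY]) {
    if (tag_len >= TMP_CAPACITY) {
        tmp[0] = '\0';
        return false;
    }
    memcpy(tmp, tag, tag_len);
    tmp[tag_len] = '\0';
    return true;
}

/* Wrappers for NUL-terminated tags, each with its own temporary array. */
static bool vulnerable_copy_is_terminated(const char *tag) {
    char tmp[TMP_CAPACITY];
    return copy_tag_vulnerable(tag, strlen(tag), tmp);
}

static bool fixed_copy_accepts(const char *tag) {
    char tmp[TMP_CAPACITY];
    return copy_tag_fixed(tag, strlen(tag), tmp);
}

/* Walks a constructed Accept-Language header ("de-DE,de;q=0.9,..."), isolates
   each language tag (the text before the next ',' or ';') and counts how many
   of them the vulnerable copy would leave without a terminator. A single
   over-long tag supplied by a remote client is enough to hit the bug. */
static int count_unterminated_tags(const char *header) {
    int unterminated = 0;
    const char *p = header;
    while (*p != '\0') {
        size_t tag_len = strcspn(p, ",;");
        char tmp[TMP_CAPACITY];
        if (!copy_tag_vulnerable(p, tag_len, tmp)) {
            unterminated++;
        }
        p += strcspn(p, ",");          /* skip the tag and any ;q= parameter */
        if (*p == ',') {
            p++;
        }
    }
    return unterminated;
}

int main(void) {
    /* Constructed header: two ordinary tags and one 24-byte tag. */
    const char *header = "de-DE,de;q=0.9,aaaaaaaaaaaaaaaaaaaaaaaa;q=0.1";
    printf("unterminated tags (vulnerable copy): %d\n",
           count_unterminated_tags(header));
    printf("fixed copy accepts \"en-US\": %s\n",
           fixed_copy_accepts("en-US") ? "yes" : "no");
    printf("fixed copy accepts 24-byte tag: %s\n",
           fixed_copy_accepts("aaaaaaaaaaaaaaaaaaaaaaaa") ? "yes" : "no");
    return 0;
}
```

The fixed variant rejects an over-long tag instead of silently truncating it: for a locale identifier, truncation would hand a different (and still attacker-chosen) locale to the caller, whereas rejection keeps the later string handling honest about its input.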
Comment 3 Arvid Requate univentionstaff 2016-12-19 13:06:44 CET
Upstream Debian package version 4.8.1.1-12+deb7u6 fixes these issues:

* buffer overflow problem in uresbund.c (CVE-2014-9911)
* stack-based buffer overflow in the Locale class via a long locale string (CVE-2016-7415)
Comment 4 Arvid Requate univentionstaff 2016-12-19 16:40:58 CET
Advisory: icu.yaml
Comment 5 Felix Botner univentionstaff 2016-12-20 17:44:46 CET
OK - 4.8.1.1-12+deb7u6 with 
     - CVE-2015-2632
     - CVE-2015-4844
     - CVE-2016-0494
     - CVE-2016-6293
     - CVE-2014-9911
     - CVE-2016-7415
OK - update
OK - YAML
Comment 6 Philipp Hahn univentionstaff 2016-12-21 15:32:55 CET
<http://errata.software-univention.de/ucs/4.1/364.html>