Bug 37629

Summary: icu: Multiple issues (4.0)
Product: UCS
Reporter: Janek Walkenhorst <walkenhorst>
Component: Security updates
Assignee: Stefan Gohmann <gohmann>
Status: CLOSED FIXED
QA Contact: Janek Walkenhorst <walkenhorst>
Severity: normal
Priority: P3
CC: gohmann, jmm, requate
Version: UCS 4.0
Flags: requate: Patch_Available+
Target Milestone: UCS 4.0-3-errata
Hardware: Other
OS: Linux

Description Janek Walkenhorst univentionstaff 2015-01-27 12:53:07 CET
The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926. (CVE-2014-7923)

The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923. (CVE-2014-7926)

The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. (CVE-2014-7940)
Comment 1 Janek Walkenhorst univentionstaff 2015-01-27 13:05:36 CET
Additional issues: CVE-2014-6585, CVE-2014-6591
Comment 2 Moritz Muehlenhoff univentionstaff 2015-02-06 08:01:08 CET
Denial of service in regular expression handling (CVE-2014-9654, CVE-2015-1205)
Comment 3 Arvid Requate univentionstaff 2015-03-17 18:18:20 CET
CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419:

Potential execution of arbitrary code with user privileges due to incorrect memory handling while processing fonts.
Comment 4 Arvid Requate univentionstaff 2015-04-30 19:49:46 CEST
Fix available in Debian version 4.8.1.1-12+deb7u2
Comment 5 Arvid Requate univentionstaff 2015-07-16 12:00:19 CEST
* missing boundary checks in layout engine (CVE-2015-4760)
Comment 6 Arvid Requate univentionstaff 2015-08-04 21:13:44 CEST
Fixed in upstream Debian package version 4.8.1.1-12+deb7u2:

* Glyph table issue (CVE-2013-1569)
* Glyph table issue (CVE-2013-2383)
* Font layout issue (CVE-2013-2384)
* Font processing issue (CVE-2013-2419)
* Out-of-bounds read (CVE-2014-6585)
* Additional out-of-bounds reads (CVE-2014-6591)
* Memory corruption in regular expression comparison (CVE-2014-7923)
* Memory corruption in regular expression comparison (CVE-2014-7926)
* Uninitialized memory (CVE-2014-7940)
* More regular expression flaws (CVE-2014-9654)

Fixed in upstream Debian package version 4.8.1.1-12+deb7u3:

* Missing boundary checks in layout engine (CVE-2015-4760)
* Heap overflow via incorrect isolateCount (CVE-2014-8146)
* Integer truncation in the resolveImplicitLevels function (CVE-2014-8147)
Comment 7 Stefan Gohmann univentionstaff 2015-08-28 17:19:11 CEST
(In reply to Moritz Muehlenhoff from comment #2)
> Denial of service in regular expression handling (CVE-2014-9654,
> CVE-2015-1205)

CVE-2015-1205 is a Google Chrome issue: https://security-tracker.debian.org/tracker/CVE-2015-1205

All other CVEs have been added: 2015-08-28-icu.yaml
Comment 8 Janek Walkenhorst univentionstaff 2015-09-01 15:39:02 CEST
Advisory: OK
Tests (amd64): OK
Comment 9 Janek Walkenhorst univentionstaff 2015-09-02 12:57:38 CEST
<http://errata.univention.de/ucs/4.0/298.html>