Bug 41952

Summary: icu: Multiple issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: gohmann, walkenhorst
Version: UCS 4.1
Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-4-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 8.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Bug Blocks: 41953

Description Arvid Requate univentionstaff 2016-08-09 22:36:19 CEST
Upstream Debian package version 4.8.1.1-12+deb7u4 fixes these issues:

* Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (CVE-2015-2632)

* Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2015-4844)

* Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2016-0494)

These issues found in Java also affect the International Components for Unicode (icu).
Comment 1 Arvid Requate univentionstaff 2016-08-09 22:37:42 CEST
CVE-2015-2632: CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2015-4844: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-0494: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Comment 2 Janek Walkenhorst univentionstaff 2016-09-15 16:24:49 CEST
4.8.1.1-12+deb7u5:

CVE-2016-6293
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
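Added illustration of the bug class named for CVE-2016-6293 (a temporary array left without its terminating '\0'); this is example code written for this page, not ICU's uloc_acceptLanguageFromHTTP and not part of the bug report. The functions copy_lang_tag and parse_accept_language and the TAG_MAX limit are constructed here; the copy always writes the terminator and rejects tags that would not fit, instead of silently filling the buffer.

```c
#include <stddef.h>
#include <string.h>

#define TAG_MAX 16  /* constructed size of the temporary tag buffer */

/* Copy one language tag into a fixed buffer. The unsafe pattern behind the
 * CVE is a copy that can fill dst completely and never store '\0', so a
 * later strlen()/strcmp() reads past the array. Here the '\0' is always
 * written; a tag that would not fit is rejected (returns -1, dst = "")
 * rather than truncated or left unterminated. Returns the tag length. */
int copy_lang_tag(const char *src, size_t len, char *dst, size_t dstsize)
{
    if (dstsize == 0) return -1;
    if (len >= dstsize) {   /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';        /* the byte the vulnerable copy omitted */
    return (int)len;
}

/* Split an Accept-Language value on ',', strip ";q=..." parameters and
 * surrounding spaces, and copy each tag via copy_lang_tag(). Over-long or
 * empty tags are skipped. Returns the number of tags stored in out[]. */
int parse_accept_language(const char *hdr, char out[][TAG_MAX], int max_out)
{
    int n = 0;
    const char *p = hdr;
    while (*p && n < max_out) {
        const char *end = strchr(p, ',');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        const char *semi = memchr(p, ';', seglen);
        size_t taglen = semi ? (size_t)(semi - p) : seglen;
        while (taglen && *p == ' ') { p++; taglen--; }   /* leading spaces */
        while (taglen && p[taglen - 1] == ' ') taglen--;  /* trailing spaces */
        if (taglen && copy_lang_tag(p, taglen, out[n], TAG_MAX) >= 0) n++;
        if (!end) break;
        p = end + 1;
    }
    return n;
}
```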
Comment 3 Arvid Requate univentionstaff 2016-12-19 13:06:44 CET
Upstream Debian package version 4.8.1.1-12+deb7u6 fixes these issues:

* buffer overflow problem in uresbund.c (CVE-2014-9911)
* stack-based buffer overflow in the Locale class via a long locale string (CVE-2016-7415)
Comment 4 Arvid Requate univentionstaff 2016-12-19 16:40:58 CET
Advisory: icu.yaml
Comment 5 Felix Botner univentionstaff 2016-12-20 17:44:46 CET
OK - 4.8.1.1-12+deb7u6 with
     - CVE-2015-2632
     - CVE-2015-4844
     - CVE-2016-0494
     - CVE-2016-6293
     - CVE-2014-9911
     - CVE-2016-7415
OK - update
OK - YAML
Comment 6 Philipp Hahn univentionstaff 2016-12-21 15:32:55 CET
<http://errata.software-univention.de/ucs/4.1/364.html>