Univention Bugzilla – Bug 41953
icu: Multiple issues (ES 3.3)
Last modified: 2017-05-24 13:11:14 CEST
Upstream Debian wheezy package version 4.8.1.1-12+deb7u4 fixes these issues:
* Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (CVE-2015-2632)
* Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2015-4844)
* Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2016-0494)
These issues found in Java also affect the International Components for Unicode (icu). We should check if the patches can be backported to the 4.4.1-8+squeeze4 package in UCS 3.x. If that's possible, the bug should also be cloned for errata 3.2.
4.8.1.1-12+deb7u5:
* CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
Upstream Debian package version 4.8.1.1-12+deb7u6 fixes these issues:
* buffer overflow problem in uresbund.c (CVE-2014-9911)
* stack-based buffer overflow in the Locale class via a long locale string (CVE-2016-7415)
Patches backported. CVE-2016-0494 doesn't apply. The patch looks too intrusive to backport.
Advisory: icu.yaml
The patch for CVE-2016-7415 is too intrusive to backport; the CharString class interface has been extended quite a bit in 4.8.1 compared to 4.4.1.
Advisory: OK
Tests (amd64): OK
Two new issues have been fixed in the wheezy package and the patches applied also to the squeeze version, so I've rebuilt the package with them:
* out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function (CVE-2017-7867)
* out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function (CVE-2017-7868)
Advisory updated.
<http://errata.software-univention.de/ucs/3.3/34.html>