Bug 41953 - icu: Multiple issues (ES 3.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.3
Other Linux
P5 normal
UCS 3.3-1-errata
Assigned To: Arvid Requate
Janek Walkenhorst
Depends on: 41952
Blocks:
Reported: 2016-08-09 22:39 CEST by Arvid Requate
Modified: 2017-05-24 13:11 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 8.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
requate: Patch_Available+


Description Arvid Requate univentionstaff 2016-08-09 22:39:45 CEST
Upstream Debian wheezy package version 4.8.1.1-12+deb7u4 fixes these issues:

* Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (CVE-2015-2632)

* Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2015-4844)

* Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2016-0494)

These issues found in java also affect the International Components for Unicode (icu).

We should check if the patches can be backported to the 4.4.1-8+squeeze4 package in UCS 3.x. If that's possible the bug should also be cloned for errata 3.2.
Comment 1 Janek Walkenhorst univentionstaff 2016-09-15 16:24:48 CEST
4.8.1.1-12+deb7u5:

CVE-2016-6293
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
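The CVE-2016-6293 entry above describes the classic "fixed temporary array without a guaranteed '\0'" defect. The C program below is an added illustration of that failure mode and of the bounded fix, written for this page; it is not ICU code and does not reproduce uloc_acceptLanguageFromHTTP. TMP_LEN, the two header strings and all function names are constructed for the demonstration. The flawed routine copies the first language tag into a fixed array and only terminates it when there happens to be room, so an over-long tag leaves the array unterminated and any later strlen()/strcmp() on it reads past the end; the hardened routine reserves the last byte for the terminator, always writes it, and reports truncation to the caller. The sentinel-prefill check shows the difference without ever reading the unterminated buffer as a string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed size for the fixed temporary array; deliberately small so
   that a long Accept-Language value overflows it in the demonstration. */
#define TMP_LEN 8

/* Constructed Accept-Language header values (not from the advisory). */
static const char SHORT_HDR[] = "de";
static const char LONG_HDR[]  = "en-US-x-very-long-private-tag,de;q=0.8";

/* Returns 1 if a '\0' exists within the first `size` bytes of buf. */
int has_terminator(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* Flawed pattern: copy the first language tag (up to ',' or ';') into a
   TMP_LEN array. When the tag fills the whole array there is no room left
   for a terminator, so the array is left unterminated. */
void copy_tag_unterminated(char *tmp, const char *hdr) {
    size_t i = 0;
    while (hdr[i] != '\0' && hdr[i] != ',' && hdr[i] != ';' && i < TMP_LEN) {
        tmp[i] = hdr[i];
        i++;
    }
    if (i < TMP_LEN) tmp[i] = '\0';   /* only terminates when there is room */
}

/* Hardened: reserve the last byte for '\0', always write it, and report
   truncation instead of silently producing a partial tag.
   Returns 0 on success, -1 if the tag did not fit in tmp_size - 1 bytes. */
int copy_tag_terminated(char *tmp, size_t tmp_size, const char *hdr) {
    size_t i = 0;
    if (tmp_size == 0) return -1;
    while (hdr[i] != '\0' && hdr[i] != ',' && hdr[i] != ';') {
        if (i + 1 >= tmp_size) {      /* no room for this byte plus '\0' */
            tmp[i] = '\0';
            return -1;
        }
        tmp[i] = hdr[i];
        i++;
    }
    tmp[i] = '\0';
    return 0;
}

/* Prefill a TMP_LEN array with a sentinel, run the flawed copy, and check
   whether any terminator was written. Returns 1 if terminated, 0 if not
   (the failure mode described for CVE-2016-6293). The buffer is inspected
   with memchr only, so the check itself never reads out of bounds. */
int flawed_copy_terminates(const char *hdr) {
    char tmp[TMP_LEN];
    memset(tmp, 'X', sizeof tmp);
    copy_tag_unterminated(tmp, hdr);
    return has_terminator(tmp, sizeof tmp);
}

/* Same check for the hardened copy: returns 1 if a terminator is present. */
int hardened_copy_terminates(const char *hdr) {
    char tmp[TMP_LEN];
    memset(tmp, 'X', sizeof tmp);
    copy_tag_terminated(tmp, sizeof tmp, hdr);
    return has_terminator(tmp, sizeof tmp);
}

/* Returns 1 if the hardened copy reported truncation for hdr, else 0. */
int hardened_copy_truncated(const char *hdr) {
    char tmp[TMP_LEN];
    return copy_tag_terminated(tmp, sizeof tmp, hdr) != 0;
}

/* Returns 1 if the hardened copy of hdr succeeds and equals `expected`. */
int hardened_tag_equals(const char *hdr, const char *expected) {
    char tmp[TMP_LEN];
    if (copy_tag_terminated(tmp, sizeof tmp, hdr) != 0) return 0;
    return strcmp(tmp, expected) == 0;
}

int main(void) {
    printf("flawed copy, short header terminated:   %d\n", flawed_copy_terminates(SHORT_HDR));
    printf("flawed copy, long header terminated:    %d\n", flawed_copy_terminates(LONG_HDR));
    printf("hardened copy, long header terminated:  %d\n", hardened_copy_terminates(LONG_HDR));
    printf("hardened copy, long header truncated:   %d\n", hardened_copy_truncated(LONG_HDR));
    return 0;
}
```

The design point is that the hardened routine makes "does the tag fit, terminator included?" an explicit decision with a return value, rather than something that depends on the input length; callers can then reject or log over-long Accept-Language values instead of operating on an array whose end is undefined.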
Comment 2 Arvid Requate univentionstaff 2016-12-19 13:07:31 CET
Upstream Debian package version 4.8.1.1-12+deb7u6 fixes these issues:

* buffer overflow problem in uresbund.c (CVE-2014-9911)
* stack-based buffer overflow in the Locale class via a long locale string (CVE-2016-7415)
Comment 3 Arvid Requate univentionstaff 2016-12-19 16:39:03 CET
Patches backported. CVE-2016-0494 doesn't apply. The patch looks too intrusive to backport.

Advisory: icu.yaml
Comment 4 Arvid Requate univentionstaff 2017-05-18 18:23:38 CEST
The patch for CVE-2016-7415 is too intrusive to backport; the CharString class interface has been extended quite a bit in 4.8.1 compared to 4.4.1.
Comment 5 Janek Walkenhorst univentionstaff 2017-05-18 18:28:00 CEST
Advisory: OK
Tests (amd64): OK
Comment 6 Arvid Requate univentionstaff 2017-05-23 15:18:02 CEST
Two new issues have been fixed in the wheezy package and the patches applied also to the squeeze version, so I've rebuilt the package with them:

* out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function (CVE-2017-7867)

* out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function (CVE-2017-7868)

Advisory updated.
Comment 7 Janek Walkenhorst univentionstaff 2017-05-23 18:26:08 CEST
Advisory: OK
Tests (amd64): OK
Comment 8 Janek Walkenhorst univentionstaff 2017-05-24 13:11:14 CEST
<http://errata.software-univention.de/ucs/3.3/34.html>