CVE-2014-6591 CVE-2014-6585


Debian Bug report logs - #775884


Package: icu; Maintainer for icu is Laszlo Boszormenyi (GCS) <gcs@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 21 Jan 2015 06:45:02 UTC

Severity: important

Tags: security

Fixed in version icu/52.1-7

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#775884; Package icu. (Wed, 21 Jan 2015 06:45:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>. (Wed, 21 Jan 2015 06:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2014-6591
Date: Wed, 21 Jan 2015 07:36:51 +0100
Package: icu
Severity: important
Tags: security

Hi,
the issue CVE-2014-6585 from today's Oracle patch update
(http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html)
is actually a vulnerability in ICU (since Java embeds a copy). Red Hat
has tracked this down further and isolated the patch, please see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591 for more
details. The patch isn't in ICU trunk yet, so please forward it
upstream unless they are not aware of it yet. It would be nice to
get that fixed in jessie.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#775884; Package icu. (Wed, 21 Jan 2015 06:51:10 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Wed, 21 Jan 2015 06:51:10 GMT)


Message #10 received at 775884@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 775884@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: icu: CVE-2014-6591
Date: Wed, 21 Jan 2015 07:43:43 +0100
retitle 775884 CVE-2014-6591 CVE-2014-6585
thanks

On Wed, Jan 21, 2015 at 07:36:51AM +0100, Moritz Muehlenhoff wrote:
> Package: icu
> Severity: important
> Tags: security
> 
> Hi,
> the issue CVE-2014-6585 from today's Oracle patch update
> (http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html)
> is actually a vulnerability in ICU (since Java embeds a copy). Red Hat
> has tracked this down further and isolated the patch, please see
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591 for more
> details. The patch isn't in ICU trunk yet, so please forward it
> upstream unless they are not aware of it yet. It would be nice to
> get that fixed in jessie.

Actually there's another one:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591

Cheers,
        Moritz



Changed Bug title to 'CVE-2014-6591 CVE-2014-6585' from 'icu: CVE-2014-6591'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Wed, 21 Jan 2015 06:51:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#775884; Package icu. (Thu, 22 Jan 2015 02:51:04 GMT)


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Thu, 22 Jan 2015 02:51:04 GMT)


Message #17 received at 775884@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 775884@bugs.debian.org
Subject: Re: Bug#775884: icu: CVE-2014-6591
Date: Wed, 21 Jan 2015 21:48:06 -0500
Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Package: icu
> Severity: important
> Tags: security
> 
> Hi,
> the issue CVE-2014-6585 from today's Oracle patch update
> (http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html)
> is actually a vulnerability in ICU (since Java embeds a copy). Red Hat
> has tracked this down further and isolated the patch, please see
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591 for more
> details. The patch isn't in ICU trunk yet, so please forward it
> upstream unless they are not aware of it yet. It would be nice to
> get that fixed in jessie.
>
> Actually there's another one:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591

The patch was easy to apply to ICU 52, which is in Jessie. It didn't
apply perfectly, but it was very easy to see how to apply it manually. I
noticed that the Red Hat bug is closed with WONTFIX but it also looks
like they have a RHSA that addresses it. As for whether my application
of the patch is correct, all I have to go on is whether ICU's test suite
passes, which it does. I'll upload 52.1-7 to unstable with urgency=high
(though I believe urgency is ignored right now) and will request a
freeze exception justified by this fixing a security bug. Please advise
as to whether this should be fixed in stable. I'm not sure how urgent it
is given that a formal CVE has not yet been issued (right?) and that
this is classified as low risk.

-- 
Jay Berkenbilt <qjb@debian.org>



Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Thu, 22 Jan 2015 03:21:11 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 22 Jan 2015 03:21:11 GMT)


Message #22 received at 775884-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 775884-close@bugs.debian.org
Subject: Bug#775884: fixed in icu 52.1-7
Date: Thu, 22 Jan 2015 03:19:07 +0000
Source: icu
Source-Version: 52.1-7

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775884@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 21 Jan 2015 21:33:19 -0500
Source: icu
Binary: libicu52 libicu52-dbg libicu-dev icu-devtools icu-doc
Architecture: source all amd64
Version: 52.1-7
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu52   - International Components for Unicode
 libicu52-dbg - International Components for Unicode
Closes: 775884
Changes:
 icu (52.1-7) unstable; urgency=high
 .
   * Patch to CVE-2014-6591, CVE-2014-6585 a font parsing bug.
     (Closes: #775884)
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 21 Feb 2015 07:27:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:56:57 2019; Machine Name: buxtehude
