Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

icu: possibly more to CVE-2014-6585

Related Vulnerabilities: CVE-2014-6585  

Source

Debian Bug report logs - #778511
icu: possibly more to CVE-2014-6585

version graph

Package: src:icu; Maintainer for src:icu is Laszlo Boszormenyi (GCS) <gcs@debian.org>;

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Mon, 16 Feb 2015 02:36:02 UTC

Severity: important

Tags: security

Found in version icu/52.1-7

Fixed in versions icu/55.1-1, icu/4.8.1.1-12+deb7u3, icu/52.1-10, icu/52.1-8+deb8u2

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#778511; Package src:icu. (Mon, 16 Feb 2015 02:36:06 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 16 Feb 2015 02:36:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: possibly more to CVE-2014-6585
Date: Sun, 15 Feb 2015 21:32:53 -0500
package: src:icu
version: 52.1-7
severity: important
tags: security

openjdk's changes for CVE-2014-6585 [0] add some additional checking
for the pointers in source/layout/ContextualSubstSubtables.cpp that
have yet to be included in upstream icu.

Also see even more checks added to embedded icu in the latest openjdk-8 package:
jdk-jdk8u40-b22/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp

These are possibly the currently private changes hinted at in upstream
bug #11422:
http://bugs.icu-project.org/trac/ticket/11422

Best wishes,
Mike

[0] https://bugzilla.redhat.com/attachment.cgi?id=981489

Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Sat, 09 May 2015 11:21:09 GMT) (full text, mbox, link).

Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Sat, 09 May 2015 11:21:09 GMT) (full text, mbox, link).

Message #10 received at 778511-done@bugs.debian.org (full text, mbox, reply):

From: Alessandro Ghedini <ghedo@debian.org>
To: Michael Gilbert <mgilbert@debian.org>, 778511-done@bugs.debian.org
Subject: Re: Bug#778511: icu: possibly more to CVE-2014-6585
Date: Sat, 9 May 2015 13:17:51 +0200
[Message part 1 (text/plain, inline)]
Source: icu
Source-Version: 55.1-1

On dom, feb 15, 2015 at 09:32:53 -0500, Michael Gilbert wrote:
> package: src:icu
> version: 52.1-7
> severity: important
> tags: security
> 
> openjdk's changes for CVE-2014-6585 [0] add some additional checking
> for the pointers in source/layout/ContextualSubstSubtables.cpp that
> have yet to be included in upstream icu.
> 
> Also see even more checks added to embedded icu in the latest openjdk-8 package:
> jdk-jdk8u40-b22/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp
> 
> These are possibly the currently private changes hinted at in upstream
> bug #11422:
> http://bugs.icu-project.org/trac/ticket/11422

It seems these changes have now been merged upstream (along with other ones) in
http://bugs.icu-project.org/trac/changeset/37086 and uploaded to experimental.

Closing this bug now.

Cheers

[signature.asc (application/pgp-signature, inline)]

Marked as fixed in versions icu/52.1-10. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 Jul 2015 13:27:07 GMT) (full text, mbox, link).

Marked as fixed in versions icu/4.8.1.1-12+deb7u3. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sat, 01 Aug 2015 16:30:04 GMT) (full text, mbox, link).

Marked as fixed in versions icu/52.1-8+deb8u2. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sat, 01 Aug 2015 16:30:04 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Aug 2015 07:25:35 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:26:58 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started