icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

Debian Bug report logs - #838694

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 23 Sep 2016 17:27:01 UTC

Severity: important

Tags: security, upstream

Found in versions icu/4.8.1.1-12+deb7u5, icu/4.8.1.1-12+deb7u3, icu/4.8.1.1-12, icu/52.1-8

Fixed in versions icu/58.1-1, icu/57.1-5, icu/52.1-8+deb8u4

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.icu-project.org/trac/ticket/12745


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Fri, 23 Sep 2016 17:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 23 Sep 2016 17:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Fri, 23 Sep 2016 19:26:28 +0200
Source: icu
Version: 52.1-8
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for icu.

CVE-2016-7415[0]:
| Stack-based buffer overflow in the Locale class in common/locid.cpp in
| International Components for Unicode (ICU) through 57.1 for C/C++
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a long locale
| string.

The PHP Project indicated in [1] that it was an underlying issue in
icu, and thus MITRE assigned CVE-2016-7415 for the ICU-specific issue.
Could you bring this to upstream? Is there a ticket upstream already
filed about it, and if not, can you please forward the issue?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7415
[1] https://bugs.php.net/bug.php?id=73007

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Fri, 30 Sep 2016 11:57:03 GMT)


Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 30 Sep 2016 11:57:03 GMT)


Message #10 received at 838694@bugs.debian.org:

From: Roberto C. Sánchez <roberto@connexer.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 838694@bugs.debian.org
Subject: Re: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Fri, 30 Sep 2016 07:45:33 -0400
found 838694 4.8.1.1-12+deb7u3
found 838694 4.8.1.1-12+deb7u5
thanks

On Fri, Sep 23, 2016 at 07:26:28PM +0200, Salvatore Bonaccorso wrote:
> 
> the following vulnerability was published for icu.
> 
> CVE-2016-7415[0]:
> | Stack-based buffer overflow in the Locale class in common/locid.cpp in
> | International Components for Unicode (ICU) through 57.1 for C/C++
> | allows remote attackers to cause a denial of service (application
> | crash) or possibly have unspecified other impact via a long locale
> | string.
> 

I am currently preparing an LTS upload for this vulnerability.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Marked as found in versions icu/4.8.1.1-12+deb7u3. Request was from Roberto C. Sánchez <roberto@connexer.com> to control@bugs.debian.org. (Fri, 30 Sep 2016 11:57:04 GMT)


Marked as found in versions icu/4.8.1.1-12+deb7u5. Request was from Roberto C. Sánchez <roberto@connexer.com> to control@bugs.debian.org. (Fri, 30 Sep 2016 11:57:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Sun, 02 Oct 2016 00:48:03 GMT)


Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 02 Oct 2016 00:48:03 GMT)


Message #19 received at 838694@bugs.debian.org:

From: Roberto C. Sánchez <roberto@connexer.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 838694@bugs.debian.org
Subject: Re: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Sat, 1 Oct 2016 20:45:20 -0400
On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> 
> I am currently preparing an LTS upload for this vulnerability.
> 
I tried for quite some time to reproduce this based on the original PHP
bug report, but I was unable.  I have annotated the security tracker
with my (lack of) findings so far.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Mon, 03 Oct 2016 12:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 03 Oct 2016 12:39:06 GMT)


Message #24 received at 838694@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 838694@bugs.debian.org
Subject: Re: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Mon, 3 Oct 2016 14:37:07 +0200
Hi 

On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
> On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> > 
> > I am currently preparing an LTS upload for this vulnerability.
> > 
> I tried for quite some time to reproduce this based on the original PHP
> bug report, but I was unable.  I have annotated the security tracker
> with my (lack of) findings so far.

That's okay. Just please remember that lack of reproducibility for an
issue does not mean it's not present. In my initial mail I asked
Laszlo if he can forward this to upstream and/or if this is already known
to upstream (which I hope in the meantime it is). But I have not found an
upstream ticket on this issue yet.

Laszlo, do you know more already? Other distributions seem in the same
boat, like Red Hat in
https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3 

Regards,
Salvatore



Marked as found in versions icu/4.8.1.1-12. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 03 Oct 2016 12:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Mon, 03 Oct 2016 13:57:07 GMT)


Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 03 Oct 2016 13:57:07 GMT)


Message #31 received at 838694@bugs.debian.org:

From: Roberto C. Sánchez <roberto@connexer.com>
To: 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Mon, 3 Oct 2016 09:55:29 -0400
On Mon, Oct 03, 2016 at 02:37:07PM +0200, Salvatore Bonaccorso wrote:
> Hi 
> 
> On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
> > On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> > > 
> > > I am currently preparing an LTS upload for this vulnerability.
> > > 
> > I tried for quite some time to reproduce this based on the original PHP
> > bug report, but I was unable.  I have annotated the security tracker
> > with my (lack of) findings so far.
> 
> That's okay. Just please remember that lack of reproducibility for an
> issue does not mean it's not present. In my initial mail I asked
> Laszlo if he can forward this to upstream and/or if this is already known
> to upstream (which I hope in the meantime it is). But I have not found an
> upstream ticket on this issue yet.
> 
> Laszlo, do you know more already? Other distributions seem in the same
> boat, like Red Hat in
> https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3 
> 
Good to know.  I can contact upstream if that would help.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Tue, 04 Oct 2016 21:03:09 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 04 Oct 2016 21:03:09 GMT)


Message #36 received at 838694@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Tue, 4 Oct 2016 22:59:52 +0200
On Mon, Oct 3, 2016 at 2:37 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
>> I tried for quite some time to reproduce this based on the original PHP
>> bug report, but I was unable.  I have annotated the security tracker
>> with my (lack of) findings so far.
That doesn't mean it's not vulnerable, as Salvatore already noted.

> Laszlo, do you know more already? Other distributions seem in the same
> boat, like Red Hat in
> https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3
Sorry, I was on a trip and just arrived back on Sunday evening. Did
another security upload and then killed my machine. Minus one
keyboard (a special one) and a monitor. Only now could I boot the
remaining hardware.
I don't know more about this issue - upstream keeps such bug reports
secret, if any. I don't have a good connection with them (yet), but
will try to know more about this.

Regards,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Wed, 05 Oct 2016 05:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 05 Oct 2016 05:15:04 GMT)


Message #41 received at 838694@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Wed, 5 Oct 2016 07:10:46 +0200
On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> > Laszlo, do you know more already? Other distributions seem in the same
> > boat, like Red Hat in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3
> Sorry, I was on a trip and just arrived back on Sunday evening. Did
> another security upload and then killed my machine. Minus one
> keyboard (a special one) and a monitor. Only now could I boot the
> remaining hardware.
> I don't know more about this issue - upstream keeps such bug reports
> secret, if any. I don't have a good connection with them (yet), but
> will try to know more about this.

Ack and thanks a lot already!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Tue, 25 Oct 2016 15:45:06 GMT)


Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 25 Oct 2016 15:45:06 GMT)


Message #46 received at 838694@bugs.debian.org:

From: Roberto C. Sánchez <roberto@connexer.com>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Tue, 25 Oct 2016 11:42:16 -0400
On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> I don't know more about this issue - upstream keeps such bug reports
> secret, if any. I don't have a good connection with them (yet), but
> will try to know more about this.
> 
Hi Laszlo,

Have you been able to contact upstream regarding this issue?  Can I help
in any way?

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Fri, 18 Nov 2016 14:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 18 Nov 2016 14:36:03 GMT)


Message #51 received at 838694@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi <gcs@debian.org>, 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Fri, 18 Nov 2016 15:34:04 +0100
Hi,

On Tue, Oct 25, 2016 at 11:42:16AM -0400, Roberto C. Sánchez wrote:
> On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> > I don't know more about this issue - upstream keeps such bug reports
> > secret, if any. I don't have a good connection with them (yet), but
> > will try to know more about this.
> > 
> Hi Laszlo,
> 
> Have you been able to contact upstream regarding this issue?  Can I help
> in any way?

According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
there is now an upstream bug about the issue, but unfortunately for
some reason it is still marked as private.

http://bugs.icu-project.org/trac/ticket/12745

Regards,
Salvatore



Set Bug forwarded-to-address to 'http://bugs.icu-project.org/trac/ticket/12745'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 18 Nov 2016 14:36:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Fri, 18 Nov 2016 17:42:03 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 18 Nov 2016 17:42:03 GMT)


Message #58 received at 838694@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Fri, 18 Nov 2016 18:38:57 +0100
Hi Salvatore,

Thanks for the ping and the actual ICU bug link.

On Fri, Nov 18, 2016 at 3:34 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
> there is now an upstream bug about the issue, but unfortunately for
> some reason it is still marked as private.
>
> http://bugs.icu-project.org/trac/ticket/12745
That's for two weeks now! I don't see a reason why this vulnerability
takes so long to fix in ICU. :( Hopefully it will be open in time
for Stretch. :-/

Cheers,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Fri, 25 Nov 2016 18:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 25 Nov 2016 18:03:04 GMT)


Message #63 received at 838694@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi <gcs@debian.org>, 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Fri, 25 Nov 2016 19:01:43 +0100
Control: fixed -1 58.1-1

Hi,

On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> Hi Salvatore,
> 
> Thanks for the ping and the actual ICU bug link.
> 
> On Fri, Nov 18, 2016 at 3:34 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
> > there is now an upstream bug about the issue, but unfortunately for
> > some reason it is still marked as private.
> >
> > http://bugs.icu-project.org/trac/ticket/12745
> That's for two weeks now! I don't see a reason why this vulnerability
> takes so long to fix in ICU. :( Hopefully it will be open in time
> for Stretch. :-/

According to upstream this has been fixed in 58.1 upstream. The bug is
still not public, but this is as by
https://sites.google.com/site/icusite/security .

Regards,
Salvatore



Marked as fixed in versions icu/58.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 838694-submit@bugs.debian.org. (Fri, 25 Nov 2016 18:03:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Fri, 25 Nov 2016 18:21:02 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 25 Nov 2016 18:21:02 GMT)


Message #70 received at 838694@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Fri, 25 Nov 2016 19:17:41 +0100
On Fri, Nov 25, 2016 at 7:01 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> According to upstream this has been fixed in 58.1 upstream. The bug is
> still not public, but this is as by
> https://sites.google.com/site/icusite/security .
Seen that some minutes ago - but still don't have any clue why ICU
upstream keeps the actual fixing commit secret. Will check commits one
by one; the question is, if I find a suspected fix, may you or anyone
else from the Security Team double-check it?

Thanks,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#838694; Package src:icu. (Fri, 25 Nov 2016 18:27:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 25 Nov 2016 18:27:03 GMT)


Message #75 received at 838694@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 838694@bugs.debian.org
Subject: Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Date: Fri, 25 Nov 2016 19:24:18 +0100
Hi

On Fri, Nov 25, 2016 at 07:17:41PM +0100, László Böszörményi (GCS) wrote:
> On Fri, Nov 25, 2016 at 7:01 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> > According to upstream this has been fixed in 58.1 upstream. The bug is
> > still not public, but this is as by
> > https://sites.google.com/site/icusite/security .
> Seen that some minutes ago - but still don't have any clue why ICU
> upstream keeps the actual fixing commit secret. Will check commits one
> by one; the question is, if I find a suspected fix, may you or anyone
> else from the Security Team double-check it?

Keeping in mind my limited familiarity with icu, sure, if you find it I
can have a look, or someone else of the team.

OTOH, hopefully those bugs get opened soonish. Everyone might profit
from it to understand the issues better.

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 27 Nov 2016 09:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 27 Nov 2016 09:09:03 GMT)


Message #80 received at 838694-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 838694-close@bugs.debian.org
Subject: Bug#838694: fixed in icu 57.1-5
Date: Sun, 27 Nov 2016 09:05:06 +0000
Source: icu
Source-Version: 57.1-5

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838694@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 26 Nov 2016 10:58:31 +0000
Source: icu
Binary: libicu57 libicu57-dbg libicu-dev icu-devtools icu-devtools-dbg icu-doc
Architecture: source amd64 all
Version: 57.1-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-devtools-dbg - Development utilities for International Components for Unicode (d
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu57   - International Components for Unicode
 libicu57-dbg - International Components for Unicode (debug symbols)
Closes: 838694
Changes:
 icu (57.1-5) unstable; urgency=high
 .
   * Backport upstream fix for CVE-2016-7415: stack-based buffer overflow in
     the Locale class via a long locale string (closes: #838694).




Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 03 Dec 2016 22:33:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 03 Dec 2016 22:33:08 GMT)


Message #85 received at 838694-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 838694-close@bugs.debian.org
Subject: Bug#838694: fixed in icu 52.1-8+deb8u4
Date: Sat, 03 Dec 2016 22:32:09 +0000
Source: icu
Source-Version: 52.1-8+deb8u4

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838694@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 10 Sep 2016 12:41:51 +0000
Source: icu
Binary: libicu52 libicu52-dbg libicu-dev icu-devtools icu-doc
Architecture: source all amd64
Version: 52.1-8+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu52   - International Components for Unicode
 libicu52-dbg - International Components for Unicode
Closes: 838694
Changes:
 icu (52.1-8+deb8u4) jessie-security; urgency=high
 .
   * Backport upstream fix for CVE-2014-9911: buffer overflow problem in
     uresbund.cpp .
   * Backport upstream fix for CVE-2015-2632: unspecified vulnerability allows
     remote attackers to affect confidentiality via unknown vectors.
   * Backport upstream fix for CVE-2015-4844: missing boundary checks in
     layout engine.
   * Backport upstream fix for CVE-2016-0494: integer signedness issue in
     IndicRearrangementProcessor.
   * Backport upstream fix for CVE-2016-6293: the uloc_acceptLanguageFromHTTP
     function does not ensure that there is a '\0' character at the end of a
     certain temporary array.
   * Backport upstream fix for CVE-2016-7415: stack-based buffer overflow in
     the Locale class via a long locale string (closes: #838694).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 11:59:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:23:32 2019; Machine Name: beach
