icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess

Related Vulnerabilities: CVE-2017-7867   CVE-2017-7868  

Debian Bug report logs - #860314

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 14 Apr 2017 12:45:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version icu/52.1-8

Fixed in versions icu/57.1-6, icu/52.1-8+deb8u5, icu/59.1-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://ssl.icu-project.org/trac/ticket/12888


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#860314; Package src:icu. (Fri, 14 Apr 2017 12:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 14 Apr 2017 12:45:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2017-7867: Heap-buffer-overflow in utf8TextAccess
Date: Fri, 14 Apr 2017 14:44:18 +0200

Source: icu
Version: 52.1-8
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://ssl.icu-project.org/trac/ticket/12888



*** /tmp/icu.reportbug
Package: icu
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for icu.

CVE-2017-7867[0]:
| International Components for Unicode (ICU) for C/C++ before 2017-02-13
| has an out-of-bounds write caused by a heap-based buffer overflow
| related to the utf8TextAccess function in common/utext.cpp and the
| utext_setNativeIndex* function.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7867
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7867
[1] https://ssl.icu-project.org/trac/ticket/12888 (closed unfortunately)
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213
[3] https://ssl.icu-project.org/trac/changeset/39671

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#860314; Package src:icu. (Fri, 14 Apr 2017 12:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 14 Apr 2017 12:57:04 GMT) (full text, mbox, link).


Message #10 received at 860314@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 860314@bugs.debian.org
Subject: Re: Bug#860314: icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess
Date: Fri, 14 Apr 2017 14:52:26 +0200

Control: retitle -1 icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess

Adding as well

CVE-2017-7868:
| International Components for Unicode (ICU) for C/C++ before 2017-02-13
| has an out-of-bounds write caused by a heap-based buffer overflow
| related to the utf8TextAccess function in common/utext.cpp and the
| utext_moveIndex32* function.

which has the same upstream ticket (closed) and same changeset to fix,
but are for issues via two different functions.

Still think both affect icu back to 52.1, but please double check if
I'm wrong possibly.

Regards,
Salvatore



Changed Bug title to 'icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess' from 'icu: CVE-2017-7867: Heap-buffer-overflow in utf8TextAccess'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 860314-submit@bugs.debian.org. (Fri, 14 Apr 2017 12:57:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#860314; Package src:icu. (Sun, 16 Apr 2017 08:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 16 Apr 2017 08:48:03 GMT) (full text, mbox, link).


Message #17 received at 860314@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 860314@bugs.debian.org
Subject: Re: Bug#860314: icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess
Date: Sun, 16 Apr 2017 10:45:13 +0200

On Fri, Apr 14, 2017 at 2:52 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Control: retitle -1 icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess
>
> Adding as well
>
> CVE-2017-7868:
[...]
> which has the same upstream ticket (closed) and same changeset to fix,
> but are for issues via two different functions.
 With all the respect, I think these have different upstream tickets.
If I open the CVE-2017-7868 MITRE page[1] and follow the Chromium bug
page, on comment #2 [2] I see ICU ticket 12954 instead of 12888. But
both unavailable to view, I'm not 100% sure it's the same bug. At
least the ICU changeset 39671 [3] mentions only the latter ticket.

> Still think both affect icu back to 52.1, but please double check if
> I'm wrong possibly.
 Still on my TODO list.

Regards,
Laszlo/GCS
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7868
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437#c2
[3] https://ssl.icu-project.org/trac/changeset/39671



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 16 Apr 2017 10:06:09 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 16 Apr 2017 10:06:09 GMT) (full text, mbox, link).


Message #22 received at 860314-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 860314-close@bugs.debian.org
Subject: Bug#860314: fixed in icu 57.1-6
Date: Sun, 16 Apr 2017 10:04:07 +0000

Source: icu
Source-Version: 57.1-6

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 16 Apr 2017 08:50:52 +0000
Source: icu
Binary: libicu57 libicu57-dbg libicu-dev icu-devtools icu-devtools-dbg icu-doc
Architecture: source amd64 all
Version: 57.1-6
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-devtools-dbg - Development utilities for International Components for Unicode (d
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu57   - International Components for Unicode
 libicu57-dbg - International Components for Unicode (debug symbols)
Closes: 860314
Changes:
 icu (57.1-6) unstable; urgency=high
 .
   * Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868,
     heap-buffer-overflow in utf8TextAccess (closes: #860314).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#860314; Package src:icu. (Mon, 17 Apr 2017 03:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 17 Apr 2017 03:24:02 GMT) (full text, mbox, link).


Message #27 received at 860314@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi <gcs@debian.org>, 860314@bugs.debian.org
Subject: Re: Bug#860314: icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess
Date: Mon, 17 Apr 2017 05:21:29 +0200

Hi,

On Sun, Apr 16, 2017 at 10:45:13AM +0200, László Böszörményi wrote:
> On Fri, Apr 14, 2017 at 2:52 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Control: retitle -1 icu: CVE-2017-7867 CVE-2017-7868: Heap-buffer-overflow in utf8TextAccess
> >
> > Adding as well
> >
> > CVE-2017-7868:
> [...]
> > which has the same upstream ticket (closed) and same changeset to fix,
> > but are for issues via two different functions.
>  With all the respect, I think these have different upstream tickets.

Yes, thanks for spotting. I was misled by the only ticket reference
in the testsuite part of changeset/39671.

But I'm unable to view both, so I don't know what is discussed in the
respective contents.

Regards,
Salvatore



Marked as fixed in versions icu/59.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 21:06:02 GMT) (full text, mbox, link).


Marked as fixed in versions icu/52.1-8+deb8u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 21:09:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Jun 2018 07:26:03 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:27:39 2019; Machine Name: beach
