icu: CVE-2015-1270


Debian Bug report logs - #798647


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 11 Sep 2015 12:45:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions icu/52.1-1, icu/55.1-4

Fixed in versions icu/55.1-5, icu/52.1-8+deb8u3

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#798647; Package src:icu. (Fri, 11 Sep 2015 12:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 11 Sep 2015 12:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2015-1270
Date: Fri, 11 Sep 2015 14:42:01 +0200
Source: icu
Version: 55.1-4
Severity: important
Tags: security patch upstream fixed-upstream

Hi,

the following vulnerability was published for icu.

CVE-2015-1270[0]:
| The ucnv_io_getConverterName function in common/ucnv_io.cpp in
| International Components for Unicode (ICU), as used in Google Chrome
| before 44.0.2403.89, mishandles converter names with initial x-
| substrings, which allows remote attackers to cause a denial of service
| (read of uninitialized memory) or possibly have unspecified other
| impact via a crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1270

A patch was actually applied for 55.1-3 but the patch is currently
misapplied.

Regards,
Salvatore
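The report and the two close messages on this page name the versions that carry the fix (55.1-5 for unstable, 52.1-8+deb8u3 for jessie-security). The check a practitioner wants is whether an installed icu version is at or above the fixed one for its branch. The script below is an added example, not part of the bug report or of Debian's tooling: it reimplements the Debian policy version ordering (epoch:upstream-revision; '~' sorts before anything including the end of the string, letters before non-letters, digit runs compared numerically) so the comparison can run on a non-Debian host; on a Debian system `dpkg --compare-versions` does the same thing.

```python
"""Check whether an installed Debian icu version carries the fix for
CVE-2015-1270, using the fixed versions listed in Debian bug #798647.

Added example, not part of the bug report. The ordering rules follow the
Debian policy version comparison algorithm.
"""
import re

# Fixed versions named on the bug page, keyed by upstream version.
FIXED_VERSIONS = {"55.1": "55.1-5", "52.1": "52.1-8+deb8u3"}


def _order(c):
    """dpkg ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream or revision) the dpkg way.

    Alternates between non-digit runs (compared character by character with
    _order) and digit runs (compared numerically) until both are exhausted.
    """
    while a or b:
        ma = re.match(r"[^0-9]*", a).group(0)
        mb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(ma):], b[len(mb):]
        for i in range(max(len(ma), len(mb))):
            ca = ma[i] if i < len(ma) else ""
            cb = mb[i] if i < len(mb) else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na = int(da) if da else 0
        nb = int(db) if db else 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def is_fixed(installed):
    """True if the installed version is at or above the fixed version for its branch.

    Returns None when the upstream version is not one the bug page covers.
    """
    upstream = _split(installed)[1]
    fixed = FIXED_VERSIONS.get(upstream)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # The found and fixed versions from the bug header.
    for v in ("52.1-1", "55.1-4", "55.1-5", "52.1-8+deb8u3"):
        print(f"icu {v}: fixed={is_fixed(v)}")
```

The `+deb8u3` suffix is why a naive string or float comparison fails here: `8+deb8u3` must sort after `8` because the revision continues past the digit run, which the alternating non-digit/digit loop handles.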



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#798647; Package src:icu. (Fri, 11 Sep 2015 13:27:11 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 11 Sep 2015 13:27:11 GMT)


Message #10 received at 798647@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 798647@bugs.debian.org
Subject: Re: Bug#798647: icu: CVE-2015-1270
Date: Fri, 11 Sep 2015 13:23:39 +0000
Hi Salvatore,

On Fri, Sep 11, 2015 at 12:42 PM, Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: icu
> Version: 55.1-4
> Severity: important
> Tags: security patch upstream fixed-upstream
>
> the following vulnerability was published for icu.
>
> CVE-2015-1270[0]:
[...]
> A patch was actually applied for 55.1-3 but the patch is currently
> misapplied.
Good catch. Just fixing it immediately.

Thanks,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#798647; Package src:icu. (Fri, 11 Sep 2015 14:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 11 Sep 2015 14:15:04 GMT)


Message #15 received at 798647@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 798647@bugs.debian.org, Marc Deslauriers <marc.deslauriers@ubuntu.com>
Subject: Re: Bug#798647: icu: CVE-2015-1270
Date: Fri, 11 Sep 2015 16:12:44 +0200
Hi László,

On Fri, Sep 11, 2015 at 01:23:39PM +0000, László Böszörményi (GCS) wrote:
> Hi Salvatore,
> 
> On Fri, Sep 11, 2015 at 12:42 PM, Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > Source: icu
> > Version: 55.1-4
> > Severity: important
> > Tags: security patch upstream fixed-upstream
> >
> > the following vulnerability was published for icu.
> >
> > CVE-2015-1270[0]:
> [...]
> > A patch was actually applied for 55.1-3 but the patch is currently
> > misapplied.
> Good catch. Just fixing it immediately.

Credit actually goes to Marc Deslauriers ;-)

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Fri, 11 Sep 2015 16:09:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 11 Sep 2015 16:09:04 GMT)


Message #20 received at 798647-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 798647-close@bugs.debian.org
Subject: Bug#798647: fixed in icu 55.1-5
Date: Fri, 11 Sep 2015 16:05:39 +0000
Source: icu
Source-Version: 55.1-5

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798647@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 11 Sep 2015 15:23:53 +0000
Source: icu
Binary: libicu55 libicu55-dbg libicu-dev icu-devtools icu-doc
Architecture: source amd64 all
Version: 55.1-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu55   - International Components for Unicode
 libicu55-dbg - International Components for Unicode
Closes: 798647
Changes:
 icu (55.1-5) unstable; urgency=high
 .
   * Correct patch for CVE-2015-1270 (closes: #798647).
Checksums-Sha1:
 6757505cf8b6bc5a133c434a49f2f411e454adb7 2033 icu_55.1-5.dsc
 1a7d5bb84cbc4bddac105ba67a2974a1010362f9 20488 icu_55.1-5.debian.tar.xz
 62395b74999c8ac70d7312cc7d323b8e5b21f893 176436 icu-devtools_55.1-5_amd64.deb
 4c2c29f88463aa9af06cf10d6ee323b2e79f48db 2741682 icu-doc_55.1-5_all.deb
 125bfef77a11e4de404239e690f26a3c0660dbda 8552808 libicu-dev_55.1-5_amd64.deb
 fe2c620314b2187891b204ce0d4a75a06883cce3 6824850 libicu55-dbg_55.1-5_amd64.deb
 6392a846c56938794f640c46d162382bbe4124b8 7650918 libicu55_55.1-5_amd64.deb
Checksums-Sha256:
 cfcf4ea8ac76590c43c2a3a81cbd50c860debb1c0d61120e3b18b87bd3d06c4d 2033 icu_55.1-5.dsc
 8cc59cc125a8eeee06e2d96a7d5e9fa1080eda2d6d10b25652a1810ab3d5f97e 20488 icu_55.1-5.debian.tar.xz
 7dbccdf1155cb24f882897975e60178f58bb48c085277c46d96df5de6ca3605f 176436 icu-devtools_55.1-5_amd64.deb
 9f28fbfbc226d8a47310d7a6c19a27de5def460838c0b927aa398e755806b7fa 2741682 icu-doc_55.1-5_all.deb
 eda8afa2eb7ba75b6a4eafc1f9904b933e61206e57d9e6dfb87c7ab9121ea770 8552808 libicu-dev_55.1-5_amd64.deb
 d5822862378ecbd3ebbc5beb3e9c51ff4bf718242fa3ea1db7eb438708f60a2c 6824850 libicu55-dbg_55.1-5_amd64.deb
 40715b9a76ff26d390c4f94f094635774ad621910dd0c8092d869f4a9a08976c 7650918 libicu55_55.1-5_amd64.deb
Files:
 64992ffb74a53ecd46753acac8c0b053 2033 libs optional icu_55.1-5.dsc
 8ffc1c8187b89937f37b4c0b37e35b2c 20488 libs optional icu_55.1-5.debian.tar.xz
 f47927bb9add0f71ea92e20512e16b53 176436 libdevel optional icu-devtools_55.1-5_amd64.deb
 779b7f25a7d05f53259133a6431bc039 2741682 doc optional icu-doc_55.1-5_all.deb
 928d716afa56c0635f25be2df89a1c77 8552808 libdevel optional libicu-dev_55.1-5_amd64.deb
 f267235885aff82ab08d9dfbbcdef937 6824850 debug extra libicu55-dbg_55.1-5_amd64.deb
 e1ab16d0d5466cbb2008fdc77886f680 7650918 libs optional libicu55_55.1-5_amd64.deb





Marked as found in versions icu/52.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 14 Sep 2015 20:27:08 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Tue, 15 Sep 2015 21:33:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 15 Sep 2015 21:33:24 GMT)


Message #27 received at 798647-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 798647-close@bugs.debian.org
Subject: Bug#798647: fixed in icu 52.1-8+deb8u3
Date: Tue, 15 Sep 2015 21:32:07 +0000
Source: icu
Source-Version: 52.1-8+deb8u3

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798647@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 14 Sep 2015 17:24:55 +0200
Source: icu
Binary: libicu52 libicu52-dbg libicu-dev icu-devtools icu-doc
Architecture: source all amd64
Version: 52.1-8+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu52   - International Components for Unicode
 libicu52-dbg - International Components for Unicode
Closes: 798647
Changes:
 icu (52.1-8+deb8u3) jessie-security; urgency=high
 .
   * Fix CVE-2015-1270 - uninitialized memory read (closes: #798647).
Checksums-Sha1:
 2d8c9058226847470019c251e728a5f5d410a5e1 2001 icu_52.1-8+deb8u3.dsc
 defbbf4639e70cc75fcde93f12eb7b8b9253337d 28472 icu_52.1-8+deb8u3.debian.tar.xz
 d8241f8d8945864bb9a0541922573463bf3dcf74 2631132 icu-doc_52.1-8+deb8u3_all.deb
 e5575a844f3d3ce13ddcfac2e6b0fbc0e617ab4b 6784216 libicu52_52.1-8+deb8u3_amd64.deb
 0c64297d993c84d7a65b39fb16b5c0e93e8dce2a 5927026 libicu52-dbg_52.1-8+deb8u3_amd64.deb
 202146e09ff40e8e05cbda4f7a28bf5ed33f0a4b 7642100 libicu-dev_52.1-8+deb8u3_amd64.deb
 ee1eb65c8f121f741fe78bdd94e42a2d58288c5f 172118 icu-devtools_52.1-8+deb8u3_amd64.deb
Checksums-Sha256:
 1b29e00096d1b02018416f5bfc231f46ddcfcf8f2cc15256c553e282c5ea404f 2001 icu_52.1-8+deb8u3.dsc
 aa47fef8f659e6e1ed2a69e1615f5f9ca0b20ed8276fc96c91c0a061f5d12626 28472 icu_52.1-8+deb8u3.debian.tar.xz
 eca3333f1fec6fd0391f801814c659a2ac6cdf7f5aeafcc9a01d4840427a9a4c 2631132 icu-doc_52.1-8+deb8u3_all.deb
 2d5468b219f0684fe22bc577b296d51683b7c7ece8a4a91ed702085adaaca47e 6784216 libicu52_52.1-8+deb8u3_amd64.deb
 4a23eb465619fb689507b994ea5ebb173b9555428977891bad239f7a729a9236 5927026 libicu52-dbg_52.1-8+deb8u3_amd64.deb
 788fb8df1872c24c1bec030f835e768a594165c57cb7cfd18ced8839e904c6c3 7642100 libicu-dev_52.1-8+deb8u3_amd64.deb
 7bb6efee28578c23745ffb64130681818149e1d15d9caed3c01269efef8276f7 172118 icu-devtools_52.1-8+deb8u3_amd64.deb
Files:
 1155b34e88a86fdea80acfb9be2a93f5 2001 libs optional icu_52.1-8+deb8u3.dsc
 63ce326ec2513d01ce820bd5f52ddd9a 28472 libs optional icu_52.1-8+deb8u3.debian.tar.xz
 b9f09f5d544a18caaa6936b4dbe9b518 2631132 doc optional icu-doc_52.1-8+deb8u3_all.deb
 1780a1025369d21fb231849fead60af5 6784216 libs optional libicu52_52.1-8+deb8u3_amd64.deb
 00334cd09128d577deaddb3a2747b917 5927026 debug extra libicu52-dbg_52.1-8+deb8u3_amd64.deb
 198af6b55d7f31406a037b7daf5376f8 7642100 libdevel optional libicu-dev_52.1-8+deb8u3_amd64.deb
 c763e5bc0ba6dcadee6aedc544c66b92 172118 libdevel optional icu-devtools_52.1-8+deb8u3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV9yscAAoJENzjEOeGTMi/Zi4QAJnMAYZabqOtXA0qQZRhsNvK
hM/wzb4D5oAncEorrPxw3N5uEC9caGwIX0m9/Tl63d4Gj/7oow17dXEYAI6NOOP9
vZZWKJ+TDqe51n/tnGPBHsneWPahecxOMiAAfbBoG3yzzZ5i5unBHyRAkjaQxAwi
jdPLJ0iLe470xU+3bYFu8isf9605OgguDHPyt0x58FpGW54T5QykM/Su0dxLMMfq
jYEtWVTl2ibezENqoXC+k1rrrtvfl6ZFqvvIvfAEN0k0V02rksM0pw2p2vwVv0Ji
4MxecjCi+l1uh97mwB4xRoDYi1ahNBK9Zw0G2Zt55DnfWqbvmok1txC26B0X6O7F
WP7pjHwNLdZR0x0p9RnpbhnrmtsXvhcNYeTeeyw0sPZdp0Z+g4JJVzQaNsKZQJjz
yuczNlIm7oWU/K5nmgdWuN/1JdnYicIqiSgkie8W3L/LCAPae1m97kzn9KHooRe7
q8DAbc4Q7oKQvbKpwR3L+6yuRAR165o8EpJX4aCi9HAPlNAwfWkolXOP7o6sJraC
a5y/UuUGdHVKMRI8Xq5qy02e6+zgGvthe2yvSe8hVmNhbtp9Xt1IeufDBNkFfbZW
lTu3VunYFyfMPHYlpNITXdZWKD3kKzztWmpHeIAWov9sSds6JabBZYDj1Ypsvmc2
cA7rzfUHOCoarE92ivyz
=WpBw
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Oct 2015 07:32:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:25:48 2019; Machine Name: buxtehude
