icu: CVE-2014-8146 and CVE-2014-8147

Debian Bug report logs - #784773

Package: icu; Maintainer for icu is Laszlo Boszormenyi (GCS) <gcs@debian.org>;

Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Date: Fri, 8 May 2015 17:27:02 UTC

Severity: normal

Tags: patch, security

Found in versions 52.1-8, 52.1-1

Fixed in versions 55.1-1, icu/52.1-9, icu/4.8.1.1-12+deb7u3, icu/52.1-8+deb8u2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#784773; Package icu. (Fri, 08 May 2015 17:27:07 GMT)


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 08 May 2015 17:27:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2015-8146 and CVE-2015-8147
Date: Fri, 08 May 2015 13:26:06 -0400
Package: icu
Version: 52.1-8
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu wily ubuntu-patch



*** /tmp/tmp8_oq5o/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: heap overflow via incorrect isolateCount
    - debian/patches/CVE-2015-8146.patch: check for valid isolateCount in
      source/common/ubidi.c.
    - CVE-2015-8146
  * SECURITY UPDATE: integer overflow via incorrect state size
    - debian/patches/CVE-2015-8147.patch: change state to int32_t in
      source/common/ubidiimp.h.
    - CVE-2015-8147


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid-proposed'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
[icu_52.1-8ubuntu1.debdiff (text/x-diff, attachment)]
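The two changelog entries above describe a bounds problem (an isolateCount used as an index into a heap-allocated array without being validated) and a width problem (a state field too narrow for the values stored in it, fixed by widening it to int32_t). The C block below is an added example written for this page; it is not ICU's ubidi.c or ubidiimp.h and not the attached debdiff. The struct layout, MAX_ISOLATES, the 'I'/'P' marker convention and every function name are assumptions chosen to model those two bug classes. The unchecked push is kept only for contrast; the scanner exercises the checked path exclusively.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not ICU code: a minimal model of the two bug classes named
 * in the changelog.  Layout, names and the 'I'/'P' marker convention are
 * assumptions for illustration. */

#define MAX_ISOLATES 8   /* assumed fixed capacity of the per-isolate array */

typedef struct {
    int32_t start[MAX_ISOLATES]; /* one slot per currently open isolate */
    int32_t isolateCount;        /* slots in use; also the index into start[] */
} IsolateStack;

/* "Before" shape: trusts isolateCount.  The (MAX_ISOLATES+1)-th open
 * isolate writes past start[]; on a heap-allocated stack that is a heap
 * overflow.  Kept only for contrast; the scanner below never calls it. */
void push_isolate_unchecked(IsolateStack *s, int32_t pos) {
    s->start[s->isolateCount++] = pos;
}

/* "After" shape: validate the count before it is used as an index.
 * Returns 0 on success, -1 if the count is negative or already full. */
int push_isolate_checked(IsolateStack *s, int32_t pos) {
    if (s->isolateCount < 0 || s->isolateCount >= MAX_ISOLATES) {
        return -1;
    }
    s->start[s->isolateCount++] = pos;
    return 0;
}

/* Walk a constructed marker string: 'I' opens an isolate, 'P' closes the
 * innermost one, any other byte is plain text.  Returns the number of
 * isolates still open at the end, or -1 as soon as the count would become
 * invalid: nesting deeper than MAX_ISOLATES (index past the array) or a
 * close with nothing open (index -1 on the next access). */
int count_open_isolates(const char *text) {
    IsolateStack s;
    memset(&s, 0, sizeof s);
    for (int32_t i = 0; text[i] != '\0'; i++) {
        if (text[i] == 'I') {
            if (push_isolate_checked(&s, i) != 0) {
                return -1;
            }
        } else if (text[i] == 'P') {
            if (s.isolateCount <= 0) {
                return -1;
            }
            s.isolateCount--;
        }
    }
    return s.isolateCount;
}

/* Second bug class: a state field narrower than the values it must hold.
 * Storing an int32_t position into an int16_t field is an implementation-
 * defined narrowing; with two's-complement compilers the value wraps, so a
 * position beyond 32767 code units comes back negative or wrong, and a later
 * "state < limit" check passes when it should not.  Returns 1 if v survives
 * the round trip through the narrow field, 0 otherwise. */
int state_survives_int16(int32_t v) {
    struct { int16_t state; } narrow_run;   /* the "before" field width */
    narrow_run.state = (int16_t)v;
    return narrow_run.state == v;
}

/* The changelog's fix widens the field instead of clamping the value:
 * every int32_t position round-trips through an int32_t state. */
int state_survives_int32(int32_t v) {
    struct { int32_t state; } wide_run;     /* the "after" field width */
    wide_run.state = v;
    return wide_run.state == v;
}
```

The two checks in count_open_isolates are the point: a count that indexes an array must be rejected both when it is too large and when it would go below zero, and a counter that can legitimately reach the size of the input must be at least as wide as the input length.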

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#784773; Package icu. (Fri, 08 May 2015 21:12:04 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 08 May 2015 21:12:04 GMT)


Message #10 received at 784773@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Marc Deslauriers <marc.deslauriers@ubuntu.com>, 784773@bugs.debian.org
Subject: Re: Bug#784773: icu: CVE-2015-8146 and CVE-2015-8147
Date: Fri, 8 May 2015 23:08:47 +0200
Control: found -1 52.1-1
Control: fixed -1 55.1-1
Control: tags -1 + security pending

Hi Marc,

On Fri, May 8, 2015 at 7:26 PM, Marc Deslauriers
<marc.deslauriers@ubuntu.com> wrote:
> In Ubuntu, the attached patch was applied to achieve the following:
>
>   * SECURITY UPDATE: heap overflow via incorrect isolateCount
>     - debian/patches/CVE-2015-8146.patch: check for valid isolateCount in
>       source/common/ubidi.c.
>     - CVE-2015-8146
>   * SECURITY UPDATE: integer overflow via incorrect state size
>     - debian/patches/CVE-2015-8147.patch: change state to int32_t in
>       source/common/ubidiimp.h.
>     - CVE-2015-8147
 Thanks for the heads-up, will use the same fixes of course.

Regards,
Laszlo/GCS



Marked as found in versions 52.1-1. Request was from László Böszörményi (GCS) <gcs@debian.org> to 784773-submit@bugs.debian.org. (Fri, 08 May 2015 21:12:05 GMT)


Marked as fixed in versions 55.1-1. Request was from László Böszörményi (GCS) <gcs@debian.org> to 784773-submit@bugs.debian.org. (Fri, 08 May 2015 21:12:06 GMT)


Added tag(s) security and pending. Request was from László Böszörményi (GCS) <gcs@debian.org> to 784773-submit@bugs.debian.org. (Fri, 08 May 2015 21:12:07 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Fri, 08 May 2015 22:24:09 GMT)


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Fri, 08 May 2015 22:24:09 GMT)


Message #21 received at 784773-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 784773-close@bugs.debian.org
Subject: Bug#784773: fixed in icu 52.1-9
Date: Fri, 08 May 2015 22:20:20 +0000
Source: icu
Source-Version: 52.1-9

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 784773@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 08 May 2015 20:35:32 +0000
Source: icu
Binary: libicu52 libicu52-dbg libicu-dev icu-devtools icu-doc
Architecture: source all amd64
Version: 52.1-9
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu52   - International Components for Unicode
 libicu52-dbg - International Components for Unicode
Closes: 784773
Changes:
 icu (52.1-9) unstable; urgency=high
 .
   * Fix security bugs (closes: #784773):
     - CVE-2014-8146, a heap overflow,
     - CVE-2014-8147, an integer overflow.
Checksums-Sha1:
 1748e7476f5727d7ae2e96043b4a3b7c2866b8d4 1973 icu_52.1-9.dsc
 387f20776bc201b2310e93d2fec9b204f611b8f9 26248 icu_52.1-9.debian.tar.xz
 6ea695ea9044593d37fb886b248a864a7b130a7b 2615762 icu-doc_52.1-9_all.deb
 b9d5a27b8023ac3c4efe91238015d1ca048a4087 6787498 libicu52_52.1-9_amd64.deb
 1db30dcbf5e00b806c8ebb681ea8ee60ce62290e 5924874 libicu52-dbg_52.1-9_amd64.deb
 5765fb482508de73a05d9661f64fbd496eb59229 7640156 libicu-dev_52.1-9_amd64.deb
 6931717a346ca50e4e3599e8c67be0f6283e491d 172076 icu-devtools_52.1-9_amd64.deb
Checksums-Sha256:
 944bdf77f7b95a5a479b587db9120e506a809fa1118c09dedc4ffc3037ea6328 1973 icu_52.1-9.dsc
 bcc43b87deb4ea733e9acd6f81f8a65456afda8eba6c7662868388e82ac8747b 26248 icu_52.1-9.debian.tar.xz
 0582abe360431b57a61b6d342e45ea7d17c70e1f3ea769c05a504648ee21cef9 2615762 icu-doc_52.1-9_all.deb
 a4948011a219178128309d70213bb42318df50ce3285edc91a97a5d3bc4c4bbe 6787498 libicu52_52.1-9_amd64.deb
 ab1dce7cb14351fbc7e259c10b526aca2c8710016f45a379619a130121aa0259 5924874 libicu52-dbg_52.1-9_amd64.deb
 4c5fa491300f1dd63b8294e37d360df02fc0aab587e42950c90c6600fe5c7eb2 7640156 libicu-dev_52.1-9_amd64.deb
 5b4da0089d3e5ff3074d0e08ec72d8e77ea59246df9a44f0e1db09264c61cdbb 172076 icu-devtools_52.1-9_amd64.deb
Files:
 4964ef2fa2848c463376e6bb9fc0aa97 1973 libs optional icu_52.1-9.dsc
 bff1a846f523aa939ee17d2a4d0196f9 26248 libs optional icu_52.1-9.debian.tar.xz
 fa92f3f7acc66bfe30071f0736d1d40c 2615762 doc optional icu-doc_52.1-9_all.deb
 35c1f837baf25cd84bfb35894606118e 6787498 libs optional libicu52_52.1-9_amd64.deb
 b57e46de49473bfcd5f181847909704a 5924874 debug extra libicu52-dbg_52.1-9_amd64.deb
 e52316d0716d59897f0d7178d46c5256 7640156 libdevel optional libicu-dev_52.1-9_amd64.deb
 48852749428bbbec0959833071410ca5 172076 libdevel optional icu-devtools_52.1-9_amd64.deb

Changed Bug title to 'icu: CVE-2014-8146 and CVE-2014-8147' from 'icu: CVE-2015-8146 and CVE-2015-8147'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 May 2015 06:30:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 16 Jun 2015 07:36:41 GMT)


Bug unarchived. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sat, 01 Aug 2015 16:39:08 GMT)


Marked as fixed in versions icu/4.8.1.1-12+deb7u3. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sat, 01 Aug 2015 16:39:08 GMT)


Marked as fixed in versions icu/52.1-8+deb8u2. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sat, 01 Aug 2015 16:39:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Aug 2015 07:29:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:49:05 2019; Machine Name: beach