icu: CVE-2015-1205 / CVE-2014-9654

Related Vulnerabilities: CVE-2015-1205, CVE-2014-9654, CVE-2014-6585, CVE-2014-7923, CVE-2014-7926, CVE-2014-7940

Debian Bug report logs - #776719


Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sat, 31 Jan 2015 17:00:11 UTC

Severity: serious

Tags: patch, security

Fixed in version icu/52.1-7.1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.
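The header gives the fix as icu/52.1-7.1 in unstable. Turning that into a yes/no answer for a fleet means ordering Debian version strings the way dpkg does (epoch, then upstream version, then revision, with "~" sorting below everything, so a "52.1-7.1~deb8u1" is still older than 52.1-7.1). The following is an added example for this log, not code from the bug report, from ICU or from dpkg: it reimplements dpkg's ordering in Python so the check can run where dpkg is not installed, and applies it to a constructed `dpkg-query -W` style inventory. The package names and versions in SAMPLE_INVENTORY are made up for illustration.

```python
"""Check an installed-package inventory against the version this bug names as fixed.

Added example for this bug log; not code from the bug report, from ICU or from dpkg.
Reimplements dpkg's version ordering (epoch, upstream, revision; '~' sorts lowest)
so the check can run without dpkg present.
"""
from typing import List, Tuple

# From the bug header: "Fixed in version icu/52.1-7.1" (unstable).
FIXED_VERSION = "52.1-7.1"

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output; not real hosts.
SAMPLE_INVENTORY = """\
libicu52 52.1-7
libicu52 52.1-7.1
libicu52 52.1-8
libicu52 52.1-7.1~deb8u1
"""


def _order(c: str) -> int:
    """dpkg's weight for a non-digit character: '~' below everything, letters below punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Order one upstream-version or revision string like dpkg's verrevcmp()."""
    while a or b:
        # Non-digit run: character by character with dpkg's weights (end of string weighs 0).
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: numeric comparison, leading zeros ignored, the longer run wins.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the revision is everything after the last '-'."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive as `dpkg --compare-versions a lt|eq|gt b` would decide."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def unfixed(inventory: str, fixed: str = FIXED_VERSION) -> List[str]:
    """Return the 'package version' lines whose version sorts below the fixed one."""
    return [
        line.strip()
        for line in inventory.splitlines()
        if line.strip() and compare_versions(line.split()[1], fixed) < 0
    ]


if __name__ == "__main__":
    for line in unfixed(SAMPLE_INVENTORY):
        print("still affected:", line)
```

The fixed version named here is the unstable upload; stable and LTS suites receive their own version strings (the LTS request for squeeze later in this log is exactly that), so compare each suite against the version named in its own advisory rather than against 52.1-7.1, and treat the security tracker as authoritative when the two disagree.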




Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#776719; Package src:icu. (Sat, 31 Jan 2015 17:00:16 GMT).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Sat, 31 Jan 2015 17:00:16 GMT).


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2015-1205 regex out of bounds issues
Date: Sat, 31 Jan 2015 11:58:35 -0500
package: src:icu
severity: serious
tags: security, patch

There is another icu issue fixed in chromium:
https://marc.info/?l=oss-security&m=142244042307425&w=2

Links to upstream patches in that mail.

This was rated as high severity by chromium.

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#776719; Package src:icu. (Fri, 06 Feb 2015 06:54:10 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Fri, 06 Feb 2015 06:54:10 GMT).


Message #10 received at 776719@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 776719@bugs.debian.org, control@bugs.debian.org
Subject: Re: icu: CVE-2015-1205 regex out of bounds issues
Date: Fri, 6 Feb 2015 07:45:31 +0100
retitle 776719 icu: CVE-2015-1205 / CVE-2014-9654
thanks 

On Sat, Jan 31, 2015 at 11:58:35AM -0500, Michael Gilbert wrote:
> package: src:icu
> severity: serious
> tags: security, patch
> 
> There is another icu issue fixed in chromium:
> https://marc.info/?l=oss-security&m=142244042307425&w=2
> 
> Links to upstream patches in that mail.
> 
> This was rated as high severity by chromium.

And this issue was assigned CVE-2014-9654:
https://ssl.icu-project.org/trac/changeset/36801
https://chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5

Cheers,
        Moritz



Changed Bug title to 'icu: CVE-2015-1205 / CVE-2014-9654' from 'icu: CVE-2015-1205 regex out of bounds issues'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 06 Feb 2015 06:54:13 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#776719; Package src:icu. (Mon, 16 Feb 2015 02:57:14 GMT).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 16 Feb 2015 02:57:14 GMT).


Message #17 received at 776719@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 776264@bugs.debian.org, 776265@bugs.debian.org, 776719@bugs.debian.org
Subject: icu security upload
Date: Sun, 15 Feb 2015 21:53:28 -0500
control: tag -1 patch, pending

Hi,

I uploaded an nmu to delayed/5 fixing all of the known security
issues.  Please let me know if I should delay longer.

Best wishes,
Mike
[icu.patch (text/x-patch, attachment)]

Added tag(s) pending. Request was from Michael Gilbert <mgilbert@debian.org> to 776719-submit@bugs.debian.org. (Mon, 16 Feb 2015 02:57:14 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#776719; Package src:icu. (Mon, 16 Feb 2015 18:21:12 GMT).


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Mon, 16 Feb 2015 18:21:12 GMT).


Message #24 received at 776719@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 776264@bugs.debian.org, 776265@bugs.debian.org, 776719@bugs.debian.org, László Böszörményi (GCS) <gcs@debian.org>
Subject: Re: Bug#776264: icu security upload
Date: Mon, 16 Feb 2015 13:15:51 -0500
Michael Gilbert <mgilbert@debian.org> wrote:

> I uploaded an nmu to delayed/5 fixing all of the known security
> issues.  Please let me know if I should delay longer.

From my perspective, this is fine. I think this provides a good
opportunity for the next maintainer (presumably László though I've seen
some discussion in the ITA about collaborative maintenance) to grab the
repo, incorporate the fixes, and do a new upload that completes the
adoption process of the package. I won't plan on taking any action, so
if the new maintainer doesn't act within the number of days, the NMU
will go through. Thanks for taking care of it.

I can do a quick review if desired, but I would only be reviewing
mechanics, not correctness of the patches, as I haven't and won't have
time to look into the details of the problems or their solutions.

-- 
Jay Berkenbilt <qjb@debian.org>



Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Sat, 21 Feb 2015 03:39:14 GMT).


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Sat, 21 Feb 2015 03:39:14 GMT).


Message #29 received at 776719-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 776719-close@bugs.debian.org
Subject: Bug#776719: fixed in icu 52.1-7.1
Date: Sat, 21 Feb 2015 03:34:18 +0000
Source: icu
Source-Version: 52.1-7.1

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Feb 2015 22:19:14 +0000
Source: icu
Binary: libicu52 libicu52-dbg libicu-dev icu-devtools icu-doc
Architecture: source all
Version: 52.1-7.1
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu52   - International Components for Unicode
 libicu52-dbg - International Components for Unicode
Closes: 776264 776265 776719
Changes:
 icu (52.1-7.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Unfixed issue from the previous upload (closes: #776264)
     - CVE-2014-6585: out-of-bounds read.
   * Issues fixed in chromium 40.0.2214.91 (closes: #776265, #776719).
     - CVE-2014-7923: memory corruption in regular expression comparison.
     - CVE-2014-7926: memory corruption in regular expression comparison.
     - CVE-2014-7940: uninitialized memory in i18n/icol.cpp.
     - CVE-2014-9654: more regular expression handling issues.
Checksums-Sha1:
 1846ec71b350e8a9d86ccf3f567667f8c7a79c82 2665 icu_52.1-7.1.dsc
 a14ee646205791d253022cf9f26b120e1884ea05 25340 icu_52.1-7.1.debian.tar.xz
 b05936b447196166439ef61f5b65f8ab910611e9 2648362 icu-doc_52.1-7.1_all.deb
Checksums-Sha256:
 715880248e2278fdf41ef9b662e8077d1ff2064d62121f8faff0a0382db57918 2665 icu_52.1-7.1.dsc
 0141af871d3fd2ca3dba9b8b255b2443f2fae2b9fb70aa7eedfdb5383303841d 25340 icu_52.1-7.1.debian.tar.xz
 1a00488027a70ee2ac03a4dcc908db3b03e7e78b3db4ce8b6f9543056d488dad 2648362 icu-doc_52.1-7.1_all.deb
Files:
 46368b593a435efa0de898f1bc10c09f 2665 libs optional icu_52.1-7.1.dsc
 15603a20bc70b87f0d0af3737d899cc1 25340 libs optional icu_52.1-7.1.debian.tar.xz
 48e3db476ad7d3041edf86857bdda374 2648362 doc optional icu-doc_52.1-7.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=PeGE
-----END PGP SIGNATURE-----
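The .changes file quoted above is what ties the uploaded artifacts to this fix: each line of Checksums-Sha256 gives the digest, the byte size and the bare file name of one uploaded file (the Files: field carries MD5 and the legacy section layout and is not worth checking for integrity). The following is an added example for this log, not Debian tooling or code from the bug report: it parses that field and verifies a set of downloaded files against it, rejecting size mismatches, digest mismatches, missing files and files that the .changes never listed. Because the real tarballs are not on this page, the demo stages constructed file contents through `entry_for`; the digests and sizes in CHANGES_EXCERPT are copied from the message above.

```python
"""Verify downloaded source-package files against the Checksums-Sha256 field of a .changes file.

Added example for this bug log; not code from the bug report or from the Debian tooling.
Inputs are passed as bytes so the check runs offline; the entries below are copied from
the icu 52.1-7.1 .changes file quoted in this bug.
"""
import hashlib
import hmac
import re
from typing import Dict, List, NamedTuple


class ChecksumEntry(NamedTuple):
    digest: str
    size: int
    name: str


# Copied from the icu 52.1-7.1 .changes above. The Files: field (MD5) is present only to
# show that the parser ignores fields it was not asked for.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 715880248e2278fdf41ef9b662e8077d1ff2064d62121f8faff0a0382db57918 2665 icu_52.1-7.1.dsc
 0141af871d3fd2ca3dba9b8b255b2443f2fae2b9fb70aa7eedfdb5383303841d 25340 icu_52.1-7.1.debian.tar.xz
 1a00488027a70ee2ac03a4dcc908db3b03e7e78b3db4ce8b6f9543056d488dad 2648362 icu-doc_52.1-7.1_all.deb
Files:
 46368b593a435efa0de898f1bc10c09f 2665 libs optional icu_52.1-7.1.dsc
"""

_HEX64 = re.compile(r"[0-9a-f]{64}")


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> List[ChecksumEntry]:
    """Return the entries of one Checksums-* field; its continuation lines start with whitespace."""
    entries: List[ChecksumEntry] = []
    in_field = False
    for line in changes_text.splitlines():
        if not line[:1].isspace():
            # A new field name (or a blank line) ends the previous field.
            in_field = line.split(":", 1)[0] == field
            continue
        if not in_field:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed {field} line: {line!r}")
        digest, size, name = parts
        if not _HEX64.fullmatch(digest):
            raise ValueError(f"bad SHA-256 digest for {name}: {digest!r}")
        if "/" in name or name in (".", ".."):
            # .changes file names are bare; a path component here is a red flag, not a feature.
            raise ValueError(f"unexpected path in file name: {name!r}")
        entries.append(ChecksumEntry(digest, int(size), name))
    return entries


def verify(entries: List[ChecksumEntry], files: Dict[str, bytes]) -> Dict[str, str]:
    """Check size and SHA-256 of every listed file; return {name: problem}, empty when all pass."""
    problems: Dict[str, str] = {}
    listed = set()
    for entry in entries:
        listed.add(entry.name)
        data = files.get(entry.name)
        if data is None:
            problems[entry.name] = "missing"
        elif len(data) != entry.size:
            problems[entry.name] = f"size {len(data)} != {entry.size}"
        elif not hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry.digest):
            problems[entry.name] = "sha256 mismatch"
    # Anything in the download directory that the signed .changes never mentioned is suspect too.
    for name in sorted(set(files) - listed):
        problems[name] = "not listed in .changes"
    return problems


def entry_for(name: str, data: bytes) -> ChecksumEntry:
    """Build the entry a .changes file would carry for `data`; lets the demo run without downloads."""
    return ChecksumEntry(hashlib.sha256(data).hexdigest(), len(data), name)


if __name__ == "__main__":
    real = parse_checksums(CHANGES_EXCERPT)
    print(verify(real, {}))  # nothing downloaded here, so every real file is reported missing
    good = b"constructed stand-in for icu_52.1-7.1.dsc\n"  # constructed, not the real .dsc
    staged = [entry_for("icu_52.1-7.1.dsc", good)]
    print(verify(staged, {"icu_52.1-7.1.dsc": good}))
    print(verify(staged, {"icu_52.1-7.1.dsc": good.replace(b"7.1", b"7.2")}))
```

The digests only mean something once the .changes signature itself has been checked against the Debian keyring (for example with `gpg --verify`), since an attacker who can replace the tarball can replace an unsigned checksum list just as easily; the signature body on this page is truncated, so the copy here cannot be verified as-is and the file should be fetched from the archive instead.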




Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#776719; Package src:icu. (Mon, 23 Feb 2015 11:12:08 GMT).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 23 Feb 2015 11:12:08 GMT).


Message #34 received at 776719@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Jay Berkenbilt <qjb@debian.org>, László Böszörményi <gcs@debian.org>
Cc: debian-lts@lists.debian.org, 776265@bugs.debian.org, 776719@bugs.debian.org
Subject: squeeze update of icu?
Date: Mon, 23 Feb 2015 12:09:06 +0100
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/source-package/icu

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Mar 2015 07:26:03 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:24:01 2019; Machine Name: buxtehude
