Bug 394201 (CVE-2011-4599)

Summary: <dev-libs/icu-49.1.1-r1 : out of bounds access in _canonicalize (CVE-2011-4599)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: arfrever.fta, chromium, kripton, neurogeek
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://ssl.icu-project.org/trac/ticket/8984
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 410777, 413541, 414271
Bug Blocks: 414241, 416119

Description Tim Sammut (RETIRED) gentoo-dev 2011-12-10 00:53:33 UTC
From the upstream bug at $URL:

len can be greater than nameCapacity here:  http://bugs.icu-project.org/trac/browser/icu/trunk/source/common/uloc.cpp#L1808

It also looks possible for len to be zero here and a few lines above.
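A constructed C illustration of the defect class the upstream note describes (a computed length written into a caller-sized output buffer without checking it against the capacity, plus the len == 0 edge), beside a bounded form. This is added example code, not ICU's _canonicalize(); the function names, the 'variant' argument and the preflight-style return value are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the defect class reported above; not ICU's
 * _canonicalize() code. 'name' is a caller-supplied output buffer of
 * 'nameCapacity' bytes holding a locale ID; 'variant' is the piece that
 * variant canonicalization appends (names and shape are assumptions). */

/* Unchecked pattern: the computed length is never compared with
 * nameCapacity, so a long result writes past the end of 'name', and an
 * empty 'name' (len == 0) makes name[len - 1] touch memory before it. */
static int append_variant_unchecked(char *name, int nameCapacity,
                                    const char *variant) {
    int len = (int)strlen(name);
    (void)nameCapacity;               /* capacity is never consulted */
    if (name[len - 1] != '_')         /* underflows when len == 0 */
        name[len++] = '_';
    strcpy(name + len, variant);      /* unbounded write */
    return len + (int)strlen(variant);
}

/* Bounded form: treat an empty name as its own case, never write more
 * than nameCapacity - 1 characters plus the terminator, and return the
 * length the full result needs so the caller can detect truncation
 * (preflight style: result >= nameCapacity means it did not fit). */
static int append_variant_bounded(char *name, int nameCapacity,
                                  const char *variant) {
    if (name == NULL || variant == NULL || nameCapacity <= 0)
        return -1;
    const char *nul = memchr(name, '\0', (size_t)nameCapacity);
    if (nul == NULL)                  /* unterminated input: refuse */
        return -1;
    size_t len = (size_t)(nul - name);
    int needSep = (len > 0 && name[len - 1] != '_'); /* len == 0 is safe */
    size_t vlen = strlen(variant);
    size_t need = len + (size_t)needSep + vlen;      /* without the NUL */
    size_t cap = (size_t)nameCapacity - 1;           /* character room */
    if (needSep && len < cap)
        name[len++] = '_';
    size_t room = (len < cap) ? cap - len : 0;
    size_t copy = (vlen < room) ? vlen : room;
    memcpy(name + len, variant, copy);
    name[len + copy] = '\0';
    return (int)need;
}
```

The bounded version is what a reviewer would look for at the lines the upstream ticket points at: the capacity is consulted before every write, and the empty-input case is decided before name[len - 1] is ever read.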
Comment 1 Arfrever Frehtes Taifersar Arahesis 2012-03-25 02:48:32 UTC
Fixed in ICU 49.1, which will be unmasked after testing.
Comment 2 Mike Gilbert gentoo-dev 2012-04-23 14:32:43 UTC
I have removed the mask. However, www-client/chromium still depends on <dev-libs/icu-49.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-04-30 21:54:51 UTC
(In reply to comment #2)
> I have removed the mask. However, www-client/chromium still depends on
> <dev-libs/icu-49.

Thank you. I believe we only need bug 410777 resolved before removing <=dev-libs/icu-49.

Shall we stabilize =dev-libs/icu-49.1 or =dev-libs/icu-49.1.1?
Comment 4 Arfrever Frehtes Taifersar Arahesis 2012-04-30 22:11:16 UTC
Stabilize dev-libs/icu-49.1.1.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-05-01 03:25:26 UTC
Great, thanks.

Arches, please test and mark stable:
=dev-libs/icu-49.1.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 6 Maurizio Camisaschi (amd64 AT) 2012-05-01 16:39:21 UTC
amd64 ok
Comment 7 Agostino Sarubbo gentoo-dev 2012-05-01 16:58:24 UTC
(In reply to comment #6)
> amd64 ok

Just to explain, Maurizio compiled all icu RDEPEND and the 'ok' is related to all packages, apart from chromium.
Comment 8 Agostino Sarubbo gentoo-dev 2012-05-03 16:17:57 UTC
No need to have arches in CC list since there is no fix atm for chromium. They will be re-added in the future.
Comment 9 Mike Gilbert gentoo-dev 2012-05-03 18:37:06 UTC
(In reply to comment #8)
> No need to have arches in CC list since there is no fix atm for chromium.
> They will be re-added in the future.

Given the lack of movement in chromium upstream, I think we have 2 options here:

1. Backport the security fix to icu-4.8.
2. Switch chromium to use the bundled copy of ICU, which should have the fix.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-05 13:42:57 UTC
(In reply to comment #9)
> 2. Switch chromium to use the bundled copy of ICU, which should have the fix.

It does. We can do that easily, just waiting for decision by maintainers or the security team.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-07 15:15:22 UTC
Arches please test and mark stable:

dev-libs/icu-49.1.1-r1

Note that bug #414271 is hppa-specific. Maintainers, you may need to backport the fix to 4.8 "branch" and use that as stable hppa target.
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2012-05-07 16:55:35 UTC
I'm confused. Is there something for us to stabilize in here?
Comment 13 Arfrever Frehtes Taifersar Arahesis 2012-05-07 16:57:16 UTC
Stabilize dev-libs/icu-49.1.1-r1.
Comment 14 Michael Harrison 2012-05-09 08:52:55 UTC
amd64 ok =dev-libs/icu-4.8.1.1-r1
Comment 15 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-09 14:13:15 UTC
x86 stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2012-05-10 19:24:29 UTC
ppc64 done
Comment 17 Tobias Klausmann (RETIRED) gentoo-dev 2012-05-12 16:18:18 UTC
Stable on alpha.
Comment 18 Andreas K. Hüttel archtester gentoo-dev 2012-05-15 07:53:51 UTC
FYI, new libreoffice binpackages have been uploaded which use icu-49. These need stabilization too (amd64, x86), see also bug 411449

app-office/libreoffice-bin-3.5.2.2-r1
app-office/libreoffice-bin-debug-3.5.2.2-r1
Comment 19 Agostino Sarubbo gentoo-dev 2012-05-19 06:52:40 UTC
amd64 stable
Comment 20 Markus Meier gentoo-dev 2012-05-26 09:55:35 UTC
arm stable
Comment 21 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-29 12:07:35 UTC
ppc done
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2012-06-03 17:17:51 UTC
ia64/s390/sh/sparc stable
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-05 21:01:35 UTC
Stable for HPPA.
Comment 24 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-07 15:28:25 UTC
Thanks, everyone. GLSA draft filed.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 00:43:27 UTC
CVE-2011-4599 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4599):
  Stack-based buffer overflow in the _canonicalize function in common/uloc.c
  in International Components for Unicode (ICU) before 49.1 allows remote
  attackers to execute arbitrary code via a crafted locale ID that is not
  properly handled during variant canonicalization.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 23:49:07 UTC
This issue was resolved and addressed in
 GLSA 201209-07 at http://security.gentoo.org/glsa/glsa-201209-07.xml
by GLSA coordinator Sean Amoss (ackle).