Bug 546156 (CVE-2014-8146)

Summary: <dev-libs/icu-55.1: Multiple vulnerabilities - integer and heap overflows (CVE-2014-{8146,8147})
Product: Gentoo Security
Reporter: Arfrever Frehtes Taifersar Arahesis <arfrever.fta>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hanno
Priority: Normal
Version: unspecified
Hardware: All
OS: All
URL: https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Arfrever Frehtes Taifersar Arahesis 2015-04-10 10:24:38 UTC
dev-libs/icu-55.1 was released on 2015-04-01.
Comment 1 Hanno Böck gentoo-dev 2015-05-05 15:30:03 UTC
This also fixes two security issues, so changing this to be a security bug. Details in URL, CVEs are already assigned.
Comment 2 Agostino Sarubbo gentoo-dev 2015-05-06 08:27:49 UTC
changing to A3 -> A2 because of possible code execution.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2015-05-16 21:21:46 UTC
Guys, this is FIXED in 55.1, and this means the vulnerability is in <55.1
Please be careful when changing the titles...
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2015-05-16 21:40:57 UTC
Test-building 55.1 and revdeps locally.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2015-05-17 21:57:44 UTC
Bumped as ~arch. Let's wait a few days to check for breakage and then stabilize.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2015-05-22 23:33:32 UTC
Let's sync this with bug 547900 (libreoffice-4.4.3.2 stabilization) because of libreoffice-bin.

In preparation.
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2015-05-24 16:45:20 UTC
Arches please stabilize
Target: all stable arches (amd64 and x86 are handled in bug 547900)

=dev-libs/icu-55.1
Comment 8 Matt Turner gentoo-dev 2015-05-24 18:22:47 UTC
alpha stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-26 05:28:54 UTC
Stable for PPC64.
Comment 10 Agostino Sarubbo gentoo-dev 2015-05-27 13:01:24 UTC
arm stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-28 05:41:27 UTC
Stable for HPPA.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-05-28 17:11:33 UTC
CVE-2014-8147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8147):
  The resolveImplicitLevels function in common/ubidi.c in the Unicode
  Bidirectional Algorithm implementation in ICU4C in International Components
  for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent
  with a header file, which allows remote attackers to cause a denial of
  service (incorrect malloc followed by invalid free) or possibly execute
  arbitrary code via crafted text.

CVE-2014-8146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8146):
  The resolveImplicitLevels function in common/ubidi.c in the Unicode
  Bidirectional Algorithm implementation in ICU4C in International Components
  for Unicode (ICU) before 55.1 does not properly track directionally isolated
  pieces of text, which allows remote attackers to cause a denial of service
  (heap-based buffer overflow) or possibly execute arbitrary code via crafted
  text.
Comment 13 Jack Morgan (RETIRED) gentoo-dev 2015-06-01 01:49:36 UTC
ia64 stable
Comment 14 Jack Morgan (RETIRED) gentoo-dev 2015-06-02 05:04:38 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-06-24 07:55:30 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 20:32:39 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-07-07 06:57:55 UTC
This issue was resolved and addressed in
 GLSA 201507-04 at https://security.gentoo.org/glsa/201507-04
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-08-05 06:05:53 UTC
Re-opening for Cleanup.
Maintainer please drop version 54.1-r1 so we can close bug.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2015-09-27 03:08:30 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2015-10-10 02:55:54 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 20:35:53 UTC
Maintainer(s), Thank you for cleanup.
Comment 22 Andreas K. Hüttel archtester gentoo-dev 2016-02-28 22:26:48 UTC
Nothing to do here for office anymore