Summary: | <dev-libs/icu-57.1: integer overflow in LETableReference verifyLength() (CVE-2015-2632) | | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Ian Zimmerman <nobrowser> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa cve] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 594494, 603792 | ||
Bug Blocks: | | | |
Description
Ian Zimmerman
2016-12-01 22:38:18 UTC
CVE-2015-2632 was assigned for a vulnerability in JAVA (which uses icu). Debian shipped https://sources.debian.net/src/icu/52.1-8%2Bdeb8u4/debian/patches/CVE-2015-2632.patch/ but according to https://sources.debian.net/src/icu/58.1-1/debian/changelog/#L45 this should be fixed upstream since 57.1. However, I am unable to locate the files or code the patch changes so I cannot confirm and http://site.icu-project.org/security doesn't list this vulnerability. I am going to contact upstream to ask for a status update.

Upstream replied and confirmed that this fix was released with icu-57.1 (http://site.icu-project.org/security is now updated).

icu-57.1 appeared in Gentoo repository but isn't stable across all arches yet (bug 594494).

Anyways, superseded by icu-58.1, bug 594494.

Cleanup done. Office out.

Had to revert the cleanup since it depends on bug 603792.

Added to existing GLSA request.

Cleanup will happen as part of bug 594494.

This issue was resolved and addressed in GLSA 201701-58 at https://security.gentoo.org/glsa/201701-58 by GLSA coordinator Aaron Bauman (b-man).