Bug 616468 (CVE-2017-7867, CVE-2017-7868)

Summary:	<dev-libs/icu-58.2-r1 : heap overflow
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	alexander, arthur, melendro, office, sudormrfhalt
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=617888
Whiteboard:	A2 [glsa+ cve]
Package list:	dev-libs/icu-58.2-r1 dev-libs/icu-layoutex-58.2 amd64 hppa ia64 ppc ppc64 x86 app-office/libreoffice-bin-5.2.7.2-r1 amd64 x86 app-office/libreoffice-bin-debug-5.2.7.2-r1 amd64 x86	Runtime testing required:	Yes

Description Agostino Sarubbo gentoo-dev

2017-04-24 11:38:00 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=1444098:

International Components for Unicode (ICU) for C/C++ has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and 
the utext_moveIndex32* function.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437
Upstream patch:
http://bugs.icu-project.org/trac/changeset/39671


From https://bugzilla.redhat.com/show_bug.cgi?id=1444097:

International Components for Unicode (ICU) for C/C++ has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and 
the utext_setNativeIndex* function. 

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213
Upstream patch:
http://bugs.icu-project.org/trac/changeset/39671


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Yury German Gentoo Infrastructure

2017-05-09 05:32:12 UTC

Jer, is bug 617888 includes the patch for this vulnerability?

Comment 2 Andreas K. Hüttel archtester

2017-05-26 15:38:42 UTC

(In reply to Yury German from comment #1)
> Jer, is bug 617888 includes the patch for this vulnerability?

AFAIK it's NOT fixed in ICU 59.1 (and the linked patch only works for 58.2).
The upstream ticket is restricted, so no clue what's happening there.

Comment 3 Andreas K. Hüttel archtester

2017-05-26 15:52:42 UTC

(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Yury German from comment #1)
> > Jer, is bug 617888 includes the patch for this vulnerability?
> 
> AFAIK it's NOT fixed in ICU 59.1 (and the linked patch only works for 58.2).
> The upstream ticket is restricted, so no clue what's happening there.



Correction, last comment is wrong. It *is* fixed in 59.1 as-released.

Also Gentoo 58.2-r1 now contains a backport. Testing now.

[Note, the two CVEs describe the same issue and are fixed by the same patch.]

Comment 4 Andreas K. Hüttel archtester

2017-05-27 21:40:04 UTC

Arches please stabilize:

All stable arches: 
dev-libs/icu-58.2-r1

amd64 and x86:
app-office/libreoffice-bin-5.2.7.2-r1
app-office/libreoffice-bin-debug-5.2.7.2-r1

Comment 5 Agostino Sarubbo gentoo-dev

2017-05-29 11:30:28 UTC

amd64 stable

Comment 6 Ortwin Glueck 2017-05-30 10:27:50 UTC

what about sqlite?

dev-libs/icu:0

  (dev-libs/icu-58.1-r1:0/58.1::gentoo, installed) pulled in by
    dev-libs/icu:0/58.1=[abi_x86_64(-)] required by (dev-db/sqlite-3.17.0:3/3::gentoo, installed)
                ^^^^^^^^                                                                          
    (and 15 more with the same problem)

  (dev-libs/icu-58.2-r1:0/58.2::gentoo, ebuild scheduled for merge) pulled in by
    dev-libs/icu:0/58.2 required by (app-office/libreoffice-bin-5.2.7.2-r1:0/0::gentoo, ebuild scheduled for merge)
                ^^^^^^^

Comment 7 Alexander Tsoy 2017-05-31 14:08:08 UTC

(In reply to Andreas K. Hüttel from comment #4)
> Arches please stabilize:
> 
> All stable arches: 
> dev-libs/icu-58.2-r1
> 
> amd64 and x86:
> app-office/libreoffice-bin-5.2.7.2-r1
> app-office/libreoffice-bin-debug-5.2.7.2-r1

Can we add dev-libs/icu-layoutex-58.2 to this list please?

Comment 8 Markus Meier gentoo-dev

2017-06-01 04:33:14 UTC

arm stable

Comment 9 Agostino Sarubbo gentoo-dev

2017-06-01 09:13:32 UTC

x86 stable

Comment 10 Andreas K. Hüttel archtester

2017-06-04 11:10:43 UTC

Adding arches back, please *also* stabilize 
=dev-libs/icu-layoutex-58.2
(needs to be at the same version as icu)

Pachakge list is updated

Comment 11 Andreas K. Hüttel archtester

2017-06-04 11:11:42 UTC

*** Bug 620346 has been marked as a duplicate of this bug. ***

Comment 12 Stabilization helper bot gentoo-dev

2017-06-04 12:01:52 UTC

An automated check of this bug failed - repoman reported dependency errors (21 lines truncated): 

> dependency.bad dev-libs/icu-layoutex/icu-layoutex-58.2.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/icu-le-hb[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/icu-layoutex/icu-layoutex-58.2.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/icu-le-hb[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/icu-layoutex/icu-layoutex-58.2.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/icu-le-hb[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']

Comment 13 Tobias Klausmann (RETIRED) gentoo-dev

2017-06-04 19:22:19 UTC

Stable on alpha.

Comment 14 Agostino Sarubbo gentoo-dev

2017-06-05 11:06:09 UTC

amd64 stable

Comment 15 Markus Meier gentoo-dev

2017-06-08 05:06:49 UTC

arm stable

Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-08 19:12:33 UTC

*** Bug 620014 has been marked as a duplicate of this bug. ***

Comment 17 Agostino Sarubbo gentoo-dev

2017-06-09 10:20:32 UTC

x86 stable

Comment 18 Agostino Sarubbo gentoo-dev

2017-06-10 13:46:08 UTC

sparc stable

Comment 19 Agostino Sarubbo gentoo-dev

2017-06-10 15:16:27 UTC

ia64 stable

Comment 20 Agostino Sarubbo gentoo-dev

2017-06-13 12:32:27 UTC

ppc64 stable

Comment 21 Agostino Sarubbo gentoo-dev

2017-06-21 11:58:49 UTC

ppc stable

Comment 22 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-08-16 14:55:52 UTC

Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR

Comment 23 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-03 15:09:33 UTC

hppa stable

Comment 24 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-03 15:56:27 UTC

Thank you all,

New GLSA Request filed.

Gentoo Security Padawan
ChrisADR

Comment 25 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-03 15:58:02 UTC

@Maintainers please remove vulnerable versions.

Comment 26 GLSAMaker/CVETool Bot gentoo-dev

2017-10-08 13:30:53 UTC

This issue was resolved and addressed in
 GLSA 201710-03 at https://security.gentoo.org/glsa/201710-03
by GLSA coordinator Aaron Bauman (b-man).

Comment 27 Aaron Bauman (RETIRED) gentoo-dev

2017-10-08 13:31:34 UTC

re-opened for cleanup.

Comment 28 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-03-18 15:54:39 UTC

cleanup done.

Thank you all,