Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 620014

Summary: dev-libs/icu: Multiple vulnerabilities CVE-2017-7867, CVE-2017-7868
Product: Gentoo Security Reporter: Andrey Ovcharov <sudormrfhalt>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: office, phmagic
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [stable?]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
icu-58.2-r1-CVE-2017-7867-CVE-2017-7868.patch none

Description Andrey Ovcharov 2017-05-28 12:26:31 UTC 
Created attachment 474576 [details, diff]
icu-58.2-r1-CVE-2017-7867-CVE-2017-7868.patch

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7867

"International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function. "

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7868

"International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function."
Comment 1 Agostino Sarubbo gentoo-dev 2017-05-29 09:06:54 UTC 
From the first analysis:

CVE-2017-7867 is not in in 58.1 but it is in 58.2
CVE-2017-7868 is in each release and should be fixed in 59.1
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 19:10:24 UTC 
(In reply to Agostino Sarubbo from comment #1)
> From the first analysis:
> 
> CVE-2017-7867 is not in in 58.1 but it is in 58.2
> CVE-2017-7868 is in each release and should be fixed in 59.1

Debian is listing the same changeset (https://ssl.icu-project.org/trac/changeset/39671) for both vulnerabilities. But your posting indicates that each vulnerability requires an own patch. Can you please clarify where your analysis is based on? Thanks.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 19:12:33 UTC 
Scratch the previous question, another dupe.

*** This bug has been marked as a duplicate of bug 616468 ***