Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 594494 (CVE-2016-7415) - <dev-libs/icu-58.1: Stack based buffer overflow in locid.cpp (CVE-2016-7415)
Summary: <dev-libs/icu-58.1: Stack based buffer overflow in locid.cpp (CVE-2016-7415)
Status: RESOLVED FIXED
Alias: CVE-2016-7415
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://bugs.icu-project.org/trac/tick...
Whiteboard: A2 [glsa cve]
Keywords:
: 601400 (view as bug list)
Depends on: 599346 lo-stable 603792
Blocks: CVE-2016-6293 601396
  Show dependency tree
 
Reported: 2016-09-20 10:54 UTC by Agostino Sarubbo
Modified: 2017-02-22 11:13 UTC (History)
2 users (show)

See Also:
Package list:
=dev-libs/icu-58.1-r1
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-20 10:54:15 UTC
From ${URL} :

It was found that big locale string causes stack based overflow inside libicu.

PHP bug:

https://bugs.php.net/bug.php?id=73007

CVE assignment:

http://seclists.org/oss-sec/2016/q3/518


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 16:55:34 UTC
This was fixed in v58.1 (see http://site.icu-project.org/security) which is available in Gentoo repository since https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/icu?id=b4293900b8325feb1be4ad127dd4823ed022985d


@ maintainer(s): Please tell us how to proceed. Is =dev-libs/icu-58.1-r1 ready for stabilization?
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2016-11-18 17:07:05 UTC
(In reply to Thomas Deutschmann from comment #1)
> This was fixed in v58.1 (see http://site.icu-project.org/security) which is
> available in Gentoo repository since
> https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/
> icu?id=b4293900b8325feb1be4ad127dd4823ed022985d
> 
> 
> @ maintainer(s): Please tell us how to proceed. Is =dev-libs/icu-58.1-r1
> ready for stabilization?

58.1 is rather fresh and made a few things explode. I've asked for a tinderbox run, so we can find a list of other stuff that needs to be stabilized at the same time. 

(I know about chromium and libreoffice. The known firefox problem is patched in -r1.)
Comment 3 Mike Gilbert gentoo-dev 2016-11-19 01:59:36 UTC
Current stable chromium-54 uses a bundled copy of ICU, so no need to wait for us.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-11-19 04:37:58 UTC
CVE-2016-7415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7415):
  Stack-based buffer overflow in the Locale class in common/locid.cpp in
  International Components for Unicode (ICU) through 57.1 for C/C++ allows
  remote attackers to cause a denial of service (application crash) or
  possibly have unspecified other impact via a long locale string.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2016-11-26 19:30:43 UTC
Arches please stabilize =dev-libs/icu-58.1-r1
Target: all stable arches

amd64, x86: please do it in bug 600038
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 04:01:56 UTC
(In reply to Andreas K. Hüttel from comment #5)
> Arches please stabilize =dev-libs/icu-58.1-r1
> Target: all stable arches
> 
> amd64, x86: please do it in bug 600038

Which arches are you asking to stabilize here?
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2016-11-27 19:52:04 UTC
Arches please stabilize =dev-libs/icu-58.1-r1
Target: all stable arches

all arches except amd64, x86: please proceed here

amd64, x86: please proceed in bug 600038
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-29 10:41:37 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-29 10:44:00 UTC
x86 stable
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2016-11-29 11:52:54 UTC
(In reply to Agostino Sarubbo from comment #8)
> amd64 stable

(In reply to Agostino Sarubbo from comment #9)
> x86 stable

OK that just broke deptree resolution for all libreoffice-bin users...
Comment 11 tt_1 2016-11-29 16:38:53 UTC
This broke as well the dependency tree for the source based libreoffice if the user is having a stable x86/amd64 system. First libreoffice ebuild that does allow to be build with dev-libs/icu:= is libreoffice-5.2.3.3
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2016-11-29 19:57:01 UTC
(In reply to Andreas K. Hüttel from comment #10)
> (In reply to Agostino Sarubbo from comment #8)
> > amd64 stable
> 
> (In reply to Agostino Sarubbo from comment #9)
> > x86 stable
> 
> OK that just broke deptree resolution for all libreoffice-bin users...

(In reply to tt_1 from comment #11)
> This broke as well the dependency tree for the source based libreoffice if
> the user is having a stable x86/amd64 system. First libreoffice ebuild that
> does allow to be build with dev-libs/icu:= is libreoffice-5.2.3.3

Fixed now, thanks ago.
Comment 13 Coacher 2016-12-01 22:49:43 UTC
*** Bug 601400 has been marked as a duplicate of this bug. ***
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 14:21:49 UTC
Stable on alpha.
Comment 15 Markus Meier gentoo-dev 2016-12-18 11:39:54 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-12-19 14:37:34 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-12-19 15:14:26 UTC
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2016-12-20 09:47:17 UTC
ppc stable
Comment 19 Agostino Sarubbo gentoo-dev 2016-12-22 09:37:00 UTC
ppc64 stable
Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-15 19:45:51 UTC
Stable for HPPA.
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2017-01-15 19:57:20 UTC
Cleanup done. Office out.
Comment 22 Andreas K. Hüttel archtester gentoo-dev 2017-01-15 21:28:15 UTC
Had to revert the cleanup since it depends on bug 603792
Comment 23 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-16 18:33:51 UTC
New GLSA request filed.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 10:47:29 UTC
This issue was resolved and addressed in
 GLSA 201701-58 at https://security.gentoo.org/glsa/201701-58
by GLSA coordinator Aaron Bauman (b-man).
Comment 25 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 10:50:34 UTC
re-opened for cleanup
Comment 26 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 11:13:05 UTC
tree is clean