Bug 601396 - <dev-libs/icu-57.1: integer overflow in LETableReference verifyLength() (CVE-2015-2632)
Summary: <dev-libs/icu-57.1: integer overflow in LETableReference verifyLength() (CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2016-7415 603792
Blocks:
Reported: 2016-12-01 22:38 UTC by Ian Zimmerman
Modified: 2017-01-24 10:47 UTC

See Also:
Package list:
Runtime testing required: ---
Description Ian Zimmerman 2016-12-01 22:38:18 UTC
According to the Red Hat summary:

An integer overflow flaw, leading to out-of-bounds read, was found in the LETableReference's verifyLength() method. A specially crafted file could cause an application using ICU to parse untrusted font files to perform an invalid memory access, leading to crash and possibly disclosure of a portion of application memory.

Upstream ticket, members only :-(
http://bugs.icu-project.org/trac/ticket/11865

Reproducible: Always
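As an added illustration of the bug class the description names (this is not ICU's code; the table_ref type and the verify_* functions are hypothetical), here is the wrapping form of a table length check beside a form that cannot wrap, with a constructed 8-byte table as input:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a font table reference: a base pointer plus the
 * number of bytes the table actually occupies. Not ICU's LETableReference. */
typedef struct {
    const uint8_t *base;
    uint32_t length;   /* bytes available in the table */
} table_ref;

/* Overflowing pattern: offset + length is computed in 32 bits, so a large
 * length wraps the sum to a small value and an out-of-range access passes. */
bool verify_length_overflowing(const table_ref *t, uint32_t offset, uint32_t length) {
    return (uint32_t)(offset + length) <= t->length;
}

/* Hardened pattern: never form the sum; compare each operand against the
 * remaining space instead, so no value of offset or length can wrap. */
bool verify_length_safe(const table_ref *t, uint32_t offset, uint32_t length) {
    return offset <= t->length && length <= t->length - offset;
}

/* Constructed sample table (8 bytes) used by main() and the checks above. */
static const uint8_t SAMPLE_TABLE[8] = {0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4};

/* Compare both checks on one (offset, length) pair; returns 1 if only the
 * overflowing check accepts it, i.e. the pair slips past the weak check. */
int slips_past_weak_check(uint32_t offset, uint32_t length) {
    table_ref t = { SAMPLE_TABLE, sizeof SAMPLE_TABLE };
    bool weak = verify_length_overflowing(&t, offset, length);
    bool safe = verify_length_safe(&t, offset, length);
    return weak && !safe;
}

int main(void) {
    /* offset 16 is already past the 8-byte table; length 0xFFFFFFF0 makes
     * offset + length wrap to 0, so the weak check says the range is fine. */
    printf("in-range  (4,4):            weak=%d safe=%d\n",
           slips_past_weak_check(4, 4) ? 1 : 0, 1);
    printf("wrapping  (16,0xFFFFFFF0):  slips past weak check=%d\n",
           slips_past_weak_check(16, 0xFFFFFFF0u));
    return 0;
}
```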
Comment 1 Thomas Deutschmann gentoo-dev 2016-12-04 23:30:52 UTC
CVE-2015-2632 was assigned for a vulnerability in JAVA (which uses icu).

Debian shipped https://sources.debian.net/src/icu/52.1-8%2Bdeb8u4/debian/patches/CVE-2015-2632.patch/ but according to https://sources.debian.net/src/icu/58.1-1/debian/changelog/#L45 this should be fixed upstream since 57.1.

However, I am unable to locate the files or code the patch changes so I cannot confirm and http://site.icu-project.org/security doesn't list this vulnerability.

I am going to contact upstream to ask for a status update.
Comment 2 Thomas Deutschmann gentoo-dev 2016-12-05 16:18:53 UTC
Upstream replied and confirmed that this fix was released with icu-57.1 (http://site.icu-project.org/security is now updated).

icu-57.1 appeared in Gentoo repository but isn't stable across all arches yet (bug 594494).

Anyways, superseded by icu-58.1, bug 594494.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-01-15 19:58:59 UTC
Cleanup done. Office out.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2017-01-15 21:28:58 UTC
Had to revert the cleanup since it depends on bug 603792.
Comment 5 Thomas Deutschmann gentoo-dev 2017-01-16 18:36:33 UTC
Added to existing GLSA request.

Cleanup will happen as part of bug 594494.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 10:47:40 UTC
This issue was resolved and addressed in GLSA 201701-58 at https://security.gentoo.org/glsa/201701-58 by GLSA coordinator Aaron Bauman (b-man).