Created attachment 474576 [details, diff]
icu-58.2-r1-CVE-2017-7867-CVE-2017-7868.patch

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7867
"International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7868
"International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function."
From the first analysis:

CVE-2017-7867 is not in 58.1 but it is in 58.2
CVE-2017-7868 is in each release and should be fixed in 59.1
(In reply to Agostino Sarubbo from comment #1)
> From the first analysis:
>
> CVE-2017-7867 is not in 58.1 but it is in 58.2
> CVE-2017-7868 is in each release and should be fixed in 59.1

Debian is listing the same changeset (https://ssl.icu-project.org/trac/changeset/39671) for both vulnerabilities. But your posting indicates that each vulnerability requires its own patch. Can you please clarify what your analysis is based on? Thanks.
Scratch the previous question, another dupe.

*** This bug has been marked as a duplicate of bug 616468 ***