Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616468 (CVE-2017-7867, CVE-2017-7868) - <dev-libs/icu-58.2-r1 : heap overflow
Summary: <dev-libs/icu-58.2-r1 : heap overflow
Status: RESOLVED FIXED
Alias: CVE-2017-7867, CVE-2017-7868
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
: 620014 620346 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-04-24 11:38 UTC by Agostino Sarubbo
Modified: 2018-03-18 15:54 UTC (History)
5 users (show)

See Also:
Package list:
dev-libs/icu-58.2-r1 dev-libs/icu-layoutex-58.2 amd64 hppa ia64 ppc ppc64 x86 app-office/libreoffice-bin-5.2.7.2-r1 amd64 x86 app-office/libreoffice-bin-debug-5.2.7.2-r1 amd64 x86
Runtime testing required: Yes
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-24 11:38:00 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=1444098:

International Components for Unicode (ICU) for C/C++ has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and 
the utext_moveIndex32* function.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437
Upstream patch:
http://bugs.icu-project.org/trac/changeset/39671


From https://bugzilla.redhat.com/show_bug.cgi?id=1444097:

International Components for Unicode (ICU) for C/C++ has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and 
the utext_setNativeIndex* function. 

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213
Upstream patch:
http://bugs.icu-project.org/trac/changeset/39671


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 05:32:12 UTC 
Jer, is bug 617888 includes the patch for this vulnerability?
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-05-26 15:38:42 UTC 
(In reply to Yury German from comment #1)
> Jer, is bug 617888 includes the patch for this vulnerability?

AFAIK it's NOT fixed in ICU 59.1 (and the linked patch only works for 58.2).
The upstream ticket is restricted, so no clue what's happening there.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-05-26 15:52:42 UTC 
(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Yury German from comment #1)
> > Jer, is bug 617888 includes the patch for this vulnerability?
> 
> AFAIK it's NOT fixed in ICU 59.1 (and the linked patch only works for 58.2).
> The upstream ticket is restricted, so no clue what's happening there.



Correction, last comment is wrong. It *is* fixed in 59.1 as-released.

Also Gentoo 58.2-r1 now contains a backport. Testing now.

[Note, the two CVEs describe the same issue and are fixed by the same patch.]
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2017-05-27 21:40:04 UTC 
Arches please stabilize:

All stable arches: 
dev-libs/icu-58.2-r1

amd64 and x86:
app-office/libreoffice-bin-5.2.7.2-r1
app-office/libreoffice-bin-debug-5.2.7.2-r1
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-29 11:30:28 UTC 
amd64 stable
Comment 6 Ortwin Glueck 2017-05-30 10:27:50 UTC 
what about sqlite?

dev-libs/icu:0

  (dev-libs/icu-58.1-r1:0/58.1::gentoo, installed) pulled in by
    dev-libs/icu:0/58.1=[abi_x86_64(-)] required by (dev-db/sqlite-3.17.0:3/3::gentoo, installed)
                ^^^^^^^^                                                                          
    (and 15 more with the same problem)

  (dev-libs/icu-58.2-r1:0/58.2::gentoo, ebuild scheduled for merge) pulled in by
    dev-libs/icu:0/58.2 required by (app-office/libreoffice-bin-5.2.7.2-r1:0/0::gentoo, ebuild scheduled for merge)
                ^^^^^^^
Comment 7 Alexander Tsoy 2017-05-31 14:08:08 UTC 
(In reply to Andreas K. Hüttel from comment #4)
> Arches please stabilize:
> 
> All stable arches: 
> dev-libs/icu-58.2-r1
> 
> amd64 and x86:
> app-office/libreoffice-bin-5.2.7.2-r1
> app-office/libreoffice-bin-debug-5.2.7.2-r1

Can we add dev-libs/icu-layoutex-58.2 to this list please?
Comment 8 Markus Meier gentoo-dev 2017-06-01 04:33:14 UTC 
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-01 09:13:32 UTC 
x86 stable
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2017-06-04 11:10:43 UTC 
Adding arches back, please *also* stabilize 
=dev-libs/icu-layoutex-58.2
(needs to be at the same version as icu)

Pachakge list is updated
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2017-06-04 11:11:42 UTC 
*** Bug 620346 has been marked as a duplicate of this bug. ***
Comment 12 Stabilization helper bot gentoo-dev 2017-06-04 12:01:52 UTC 
An automated check of this bug failed - repoman reported dependency errors (21 lines truncated): 

> dependency.bad dev-libs/icu-layoutex/icu-layoutex-58.2.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/icu-le-hb[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/icu-layoutex/icu-layoutex-58.2.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/icu-le-hb[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/icu-layoutex/icu-layoutex-58.2.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/icu-le-hb[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-04 19:22:19 UTC 
Stable on alpha.
Comment 14 Agostino Sarubbo gentoo-dev 2017-06-05 11:06:09 UTC 
amd64 stable
Comment 15 Markus Meier gentoo-dev 2017-06-08 05:06:49 UTC 
arm stable
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 19:12:33 UTC 
*** Bug 620014 has been marked as a duplicate of this bug. ***
Comment 17 Agostino Sarubbo gentoo-dev 2017-06-09 10:20:32 UTC 
x86 stable
Comment 18 Agostino Sarubbo gentoo-dev 2017-06-10 13:46:08 UTC 
sparc stable
Comment 19 Agostino Sarubbo gentoo-dev 2017-06-10 15:16:27 UTC 
ia64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2017-06-13 12:32:27 UTC 
ppc64 stable
Comment 21 Agostino Sarubbo gentoo-dev 2017-06-21 11:58:49 UTC 
ppc stable
Comment 22 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:55:52 UTC 
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 23 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-03 15:09:33 UTC 
hppa stable
Comment 24 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-03 15:56:27 UTC 
Thank you all,

New GLSA Request filed.

Gentoo Security Padawan
ChrisADR
Comment 25 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-03 15:58:02 UTC 
@Maintainers please remove vulnerable versions.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 13:30:53 UTC 
This issue was resolved and addressed in
 GLSA 201710-03 at https://security.gentoo.org/glsa/201710-03
by GLSA coordinator Aaron Bauman (b-man).
Comment 27 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 13:31:34 UTC 
re-opened for cleanup.
Comment 28 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-18 15:54:39 UTC 
cleanup done.

Thank you all,