| Summary: | icu new security issues CVE-2014-7923, CVE-2014-7926, and CVE-2014-7940 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | cjw, herman.viaene, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/630804/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | icu | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-01-27 20:37:15 CET
David Walser
2015-01-27 20:37:26 CET
Whiteboard:
(none) =>
MGA4TOO

Cauldron is still pending investigation.

Christiaan has uploaded a patched package for Mageia 4:

icu-52.1-2.1.mga4
icu-data-52.1-2.1.mga4
icu-doc-52.1-2.1.mga4
libicu52-52.1-2.1.mga4
libicu-devel-52.1-2.1.mga4

from icu-52.1-2.1.mga4.src.rpm

The RedHat bug for CVE-2014-7940 says the affected code was completely rewritten in ICU 53, which confirms what Christiaan told me earlier.

The RedHat bugs for CVE-2014-7923 and CVE-2014-7926 identify upstream commits, which I have rediffed for 53.1 and applied in Cauldron.

https://bugzilla.redhat.com/show_bug.cgi?id=1185202
https://bugzilla.redhat.com/show_bug.cgi?id=1185205

Thanks Christiaan for your help with this!

Advisory:
========================

Updated icu packages fix security vulnerabilities:

The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier or look-behind expression (CVE-2014-7923, CVE-2014-7926).

The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence (CVE-2014-7940).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7926
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7940
http://googlechromereleases.blogspot.com/2015/01/stable-update.html
========================

Updated packages in core/updates_testing:
========================
icu-52.1-2.1.mga4
icu-data-52.1-2.1.mga4
icu-doc-52.1-2.1.mga4
libicu52-52.1-2.1.mga4
libicu-devel-52.1-2.1.mga4

from icu-52.1-2.1.mga4.src.rpm

Whiteboard:
MGA4TOO =>
(none)

ICU is used by LibreOffice, Chromium Browser, Qt4, Webkit, and Thunderbird for Unicode stuff.

Looking at Insert > Special Character in LibreOffice Writer, it looks to me like things are fine with this update.

Firefox in Mageia 4 isn't built against system icu. This should probably be corrected. It was fixed in Cauldron in r655459.

As pointed out on oss-security, the upstream patches I added in from the links from the RedHat bugs for the two CVEs only corresponded to the "regex.patch" from Chromium, but the "regex2.patch" corresponds to an additional upstream commit:
http://openwall.com/lists/oss-security/2015/01/28/12

I've now added the additional commit in Cauldron's icu. A CVE has been requested for this change in the message above. I'll update the advisory when it has been assigned.

MGA4-64 on HP Probook 6555b.
No installation issues.
Tried Insert > Special Character in LibreOffice Writer, works OK, but shouldn't I see icu appearing in its strace? It does not.

CC:
(none) =>
herman.viaene

(In reply to Herman Viaene from comment #6)
> shouldn't I see icu appearing in its strace? It does not.

No, strace only catches system calls. ltrace is meant for tracing library calls but it never seems to work properly when I try to use it.

I'm guessing you forgot to use the -f option to strace to follow child processes. The libreoffice commands run a series of scripts before they run the real executable.

Alternatively, you can run "oowriter --strace" as the libreoffice scripts have the option, and it will run it through strace for you, and save it in the current directory as "strace.log".

You should see libicuuc.so.52 being loaded.

Testing complete mga4 32
Used thunderbird.
$ strace -o strace.out thunderbird
$ grep icu strace.out
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4
..etc
Everything displays normally.

Whiteboard:
(none) =>
has_procedure mga4-32-ok

Advisory uploaded.

Whiteboard:
has_procedure mga4-32-ok =>
has_procedure advisory mga4-32-ok

Testing complete mga4 64

Validating. Please push to 4 updates

Thanks

Whiteboard:
has_procedure advisory mga4-32-ok =>
has_procedure advisory mga4-32-ok mga4-64-ok

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0047.html

Status:
NEW =>
RESOLVED

(In reply to David Walser from comment #5)
> As pointed out on oss-security, the upstream patches I added in from the
> links from the RedHat bugs for the two CVEs only corresponded to the
> "regex.patch" from Chromium, but the "regex2.patch" corresponds to an
> additional upstream commit:
> http://openwall.com/lists/oss-security/2015/01/28/12
>
> I've now added the additional commit in Cauldron's icu. A CVE has been
> requested for this change in the message above. I'll update the advisory
> when it has been assigned.

CVE-2014-9654 has been assigned:
http://openwall.com/lists/oss-security/2015/02/05/15

I don't have a description for this one yet, but it sounds like a stack overflow.

Debian also lists a CVE-2015-1205, I don't know where that came from:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776719

CVE-2015-1205 seems to be mentioned here:
https://marc.info/?l=oss-security&m=142244042307425&w=2

CC:
(none) =>
remi

(In reply to Rémi Verschelde from comment #14)
> CVE-2015-1205 seems to be mentioned here:
> https://marc.info/?l=oss-security&m=142244042307425&w=2

Ahh yes, the original post in that thread. So I guess it's been separated out as CVE-2014-9654 and the other one isn't relevant to this issue now.

LWN reference for CVE-2014-9654:
http://lwn.net/Vulnerabilities/636939/
|
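The strace check from the QA comments above (trace with -f so the launcher's child processes are followed, then confirm that libicuuc.so.52 is really loaded), written out as an added example that is not part of the original bug thread. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample trace are constructed for
# illustration; real input comes from: strace -f -o strace.out <program>

# Print the unique libicu*.so.N names that were opened successfully.
# Failed library-path probes (= -1 ENOENT) and unfinished calls are skipped.
icu_libs_loaded() {
    grep -E '(open|openat)\(.*libicu[a-z0-9]*\.so\.[0-9]+"' "$1" |
        grep -E '= [0-9]+$' |
        sed -E 's#.*/(libicu[a-z0-9]*\.so\.[0-9]+)".*#\1#' |
        sort -u
}

# Succeed only if ICU was loaded and every loaded library has major $2.
icu_major_ok() {
    libs=$(icu_libs_loaded "$1")
    [ -n "$libs" ] || return 1
    for lib in $libs; do
        [ "${lib##*.}" = "$2" ] || return 1
    done
}

# Constructed sample: -f prefixes each line with the PID of the child that
# made the call; the launcher script (2101) never touches ICU itself.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
2101  execve("/usr/bin/oowriter", ["oowriter"], [/* 40 vars */]) = 0
2107  open("/opt/example/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
2107  open("/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 3
2107  open("/lib64/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 3
2107  openat(AT_FDCWD, "/lib64/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 3
EOF

icu_libs_loaded "$sample"
icu_major_ok "$sample" 52 && echo "ICU major 52 loaded"
```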