| Summary: | icu new security issue CVE-2015-1270 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, shlomif, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/652361/ | ||
| Whiteboard: | MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory | ||
| Source RPM: | icu-53.1-12.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 15852, 16444 | ||
|
Description
David Walser
2015-07-26 16:29:48 CEST
David Walser
2015-07-26 16:30:30 CEST
Blocks:
(none) =>
16444

The advisory in Comment 0 is sufficient for Mageia 5. For Mageia 4, it also fixes some other pending CVEs. Use this advisory. I'm not sure if there's any relationship between CVE-2015-1270 and the old ones. I know we still ran into an issue testing the old ones, but I think it was determined that we had just uncovered another unfixed issue.

Advisory (Mageia 4):
========================

Updated icu packages fix security vulnerabilities:

The ICU Project's ICU4C library, before 55.1, contains a heap-based buffer overflow in the resolveImplicitLevels function of ubidi.c (CVE-2014-8146).

The ICU Project's ICU4C library, before 55.1, contains an integer overflow in the resolveImplicitLevels function of ubidi.c due to the assignment of an int32 value to an int16 type (CVE-2014-8147).

The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU) mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file (CVE-2015-1270).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1270
https://www.kb.cert.org/vuls/id/602540
http://googlechromereleases.blogspot.cz/2015/07/stable-channel-update_21.html

Blocks:
(none) =>
15852

adding mga4-32-ok because tested with chromium-browser.

CC:
(none) =>
shlomif

Testing hints: https://bugs.mageia.org/show_bug.cgi?id=15145#c4 and https://bugs.mageia.org/show_bug.cgi?id=15145#c9

In VirtualBox, M4, KDE, 64-bit
Install thunderbird strace
Package(s) under test:
icu
default install of icu
[root@localhost wilcal]# urpmi icu
Package icu-52.1-2.2.mga4.x86_64 is already installed
LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.
icu works fine
install icu from updates_testing
[root@localhost wilcal]# urpmi icu
Package icu-52.1-2.4.mga4.x86_64 is already installed
LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4.....etc
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64

CC:
(none) =>
wilcal.int
William Kenney
2015-07-27 16:01:19 CEST
Whiteboard:
MGA4TOO MGA4-32-OK =>
MGA4TOO MGA4-32-OK MGA4-64-OK

In VirtualBox, M5, KDE, 32-bit
Install thunderbird strace
Package(s) under test:
icu
default install of icu
[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.mga5.i586 is already installed
LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.
icu works fine
install icu from updates_testing
[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.1.mga5.i586 is already installed
LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64

Whiteboard:
MGA4TOO MGA4-32-OK MGA4-64-OK =>
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK

In VirtualBox, M5, KDE, 64-bit
Install thunderbird strace
Package(s) under test:
icu
default install of icu
[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.mga5.x86_64 is already installed
LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.
icu works fine
install icu from updates_testing
[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.1.mga5.x86_64 is already installed
LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64
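The `strace ... | grep icu` step in the test logs above shows that ICU sonames were opened, but it cannot by itself tell the old build from the new one: the soname (`.so.52` on Mageia 4, `.so.53` on Mageia 5) is identical before and after the update, and so is the grep output. The script below is an added example, not part of this bug report or of Mageia's QA procedure. It takes an strace output file like `strace.out`, lists which ICU objects the program actually loaded, flags any it tried to open and could not (what a binary still linked against a removed soname would show), and checks that every loaded object carries the expected major version. The function names and the embedded strace lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from Mageia QA): post-process the
# output of "strace -o strace.out thunderbird" to list which ICU shared objects
# the program opened, flag any it failed to open, and check that every loaded
# one carries the soname major version the update ships (53 on Mageia 5,
# 52 on Mageia 4). Function names and the sample strace lines are constructed.

# Print "path result" for every open()/openat() of a libicu* object.
# "result" is the returned fd, or -1 when the open failed.
icu_opens() {
    sed -n 's#^open[a-z]*(.*"\([^"]*/libicu[^"]*\)".*) = \(-\{0,1\}[0-9][0-9]*\).*$#\1 \2#p' "$1"
}

# Print "library major" (e.g. "libicuuc 53") for each ICU object whose open()
# succeeded, de-duplicated and sorted.
icu_loaded() {
    icu_opens "$1" | awk '$2 >= 0 {
        n = split($1, p, "/"); f = p[n]      # basename of the path
        sub(/\.so\./, " ", f)                 # "libicuuc.so.53" -> "libicuuc 53"
        print f
    }' | sort -u
}

# Print the path of every ICU object the program tried to open and could not.
icu_missing() {
    icu_opens "$1" | awk '$2 < 0 { print $1 }'
}

# Exit 0 when at least one ICU object was loaded and all of them have major
# version $2; otherwise print the offenders and exit 1.
icu_check() {
    icu_loaded "$1" | awk -v want="$2" '
        { seen++ }
        $2 != want { bad++; print "unexpected ICU version: " $1 ".so." $2 }
        END { exit (seen == 0 || bad > 0) ? 1 : 0 }'
}

# Constructed strace excerpt standing in for strace.out: three ICU 53 objects
# open fine, an unrelated file is ignored, and an attempt at the old ICU 52
# soname fails.
sample_strace_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
EOF
    echo "$f"
}

# Usage: on a real system, replace sample_strace_file with the path to strace.out.
out=$(sample_strace_file)
echo "loaded:";  icu_loaded "$out"
echo "missing:"; icu_missing "$out"
icu_check "$out" 53 && echo "all loaded ICU objects are version 53"
rm -f "$out"
```

On the real system, follow this with `rpm -qf /lib64/libicuuc.so.53` (or `/lib64/libicuuc.so.52` on Mageia 4) and `rpm -q icu` to confirm that the file the process opened belongs to the updates_testing build; the strace check proves the library is loaded, not that it is the fixed one.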
William Kenney
2015-07-27 16:35:21 CEST
Whiteboard:
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK =>
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-32-OK

This update works fine. Testing complete for mga4 & 5, 32-bit & 64-bit. Validating the update. Could someone from the sysadmin team push to updates? Thanks.

Keywords:
(none) =>
validated_update
William Kenney
2015-07-27 16:36:35 CEST
Whiteboard:
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-32-OK =>
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Samuel VERSCHELDE (comment 8)
William, if possible add a summary on top of your detailed testing results. It's a good practice to give as much detail as you do, but if you want anybody to actually read them it's even better practice to give a short summary at the top. I can never say, from a quick look at your reports, whether it went fine or not.

William Kenney (comment 9)
(In reply to Samuel VERSCHELDE from comment #8)
> William, if possible add a summary on top of your detailed testing results.
> It's a good practice to give as much detail as you do, but if you want
> anybody to actually read them it's even better practice to give a short
> summary at the top. I can never say, from a quick look at your reports,
> whether it went fine or not.

Sorry, I thought what I was putting into Comment 7 was a summary.
"This update works fine" = Summary
FWIW I'm really only following the testing that was done in previous bugs.

Samuel VERSCHELDE (comment 10)
(In reply to William Kenney from comment #9)
> (In reply to Samuel VERSCHELDE from comment #8)
> > William, if possible add a summary on top of your detailed testing results.
> > It's a good practice to give as much detail as you do, but if you want
> > anybody to actually read them it's even better practice to give a short
> > summary at the top. I can never say, from a quick look at your reports,
> > whether it went fine or not.
>
> Sorry, I thought what I was putting into Comment 7 was a summary.
> "This update works fine" = Summary
> FWIW I'm really only following the testing that was done in previous bugs.

Comment 7 is a summary for your whole testing of the update, but each individual test (32 and 64 bits) would be much easier to understand individually (when we receive the notification e-mail from bugzilla, for example) with a status on top.
Just a matter of readability :)

(comment 11)
(In reply to Samuel VERSCHELDE from comment #10)
> (In reply to William Kenney from comment #9)
> > (In reply to Samuel VERSCHELDE from comment #8)
> > > William, if possible add a summary on top of your detailed testing results.
> > > It's a good practice to give as much detail as you do, but if you want
> > > anybody to actually read them it's even better practice to give a short
> > > summary at the top. I can never say, from a quick look at your reports,
> > > whether it went fine or not.
> >
> > Sorry, I thought what I was putting into Comment 7 was a summary.
> > "This update works fine" = Summary
> > FWIW I'm really only following the testing that was done in previous bugs.
>
> Comment 7 is a summary for your whole testing of the update, but each
> individual test (32 and 64 bits) would be much easier to understand
> individually (when we receive the notification e-mail from bugzilla, for
> example) with a status on top.
> Just a matter of readability :)

Indeed, they are overall not very readable reports. Signal-to-noise ratio is a problem. Details about the test platform/hardware need only be included when they're relevant, and showing running urpmi on a bunch of already installed packages doesn't make sense. If you want to explicitly list which packages you installed to test, that's fine, but then just do that. The most valuable part of your reports is the actual test procedure and test results, but they currently are getting lost in too much other noise. Try to be more concise if you can.

Advisories 16478.mga4.adv and 16478.mga5.adv committed to svn.
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0286.html
Status:
NEW =>
RESOLVED

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0287.html