| Summary: | icu new security issue CVE-2015-4844 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, shlomif, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/661762/ | | |
| Whiteboard: | has_procedure MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | icu-56.1-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2016-01-22 01:15:49 CET
David Walser
2016-01-22 01:15:55 CET
Whiteboard: (none) => MGA5TOO

Assigning to maintainer.

Assignee: bugsquad => shlomif

Can I find the patch anywhere?

See the discussion on the upstream bug. It looks like this is in the process of being addressed there.

Patches are now attached to the upstream bug.

The CVE-2015-4844 patch made it in for 57.1, which is committed in Cauldron SVN but not pushed yet, as it bumps the major to 57, so everything linked to it will have to be rebuilt.

I have checked the CVE-2015-4844 patch into Mageia 5 SVN and the CVE-2016-0494 patch into Mageia 5 and Cauldron SVN.

Shlomi, would you mind taking care of the push and rebuilds in Cauldron?

(In reply to David Walser from comment #4)
> Patches are now attached to the upstream bug.
>
> The CVE-2015-4844 patch made it in for 57.1, which is committed in Cauldron
> SVN but not pushed yet, as it bumps the major to 57, so everything linked to
> it will have to be rebuilt.
>
> I have checked the CVE-2015-4844 patch into Mageia 5 SVN and the
> CVE-2016-0494 patch into Mageia 5 and Cauldron SVN.
>
> Shlomi, would you mind taking care of the push and rebuilds in Cauldron?

Yes, I'll do that.

Thanks Shlomi for taking care of Cauldron (and everyone else who helped with that).

Other than the mpd package, the rebuilds are done.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated icu packages fix security vulnerability:

It was discovered that ICU Layout Engine was missing multiple boundary and error return checks. These could lead to buffer overflows and memory corruption. A specially crafted font file could cause an application using ICU to parse untrusted fonts to crash and, possibly, execute arbitrary code (CVE-2015-4844).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844
https://bugzilla.redhat.com/show_bug.cgi?id=1273318
https://bugzilla.redhat.com/show_bug.cgi?id=1298906
========================

Updated packages in core/updates_testing:
========================
icu-53.1-12.3.mga5
icu53-data-53.1-12.3.mga5
icu-doc-53.1-12.3.mga5
libicu53-53.1-12.3.mga5
libicu-devel-53.1-12.3.mga5

from icu-53.1-12.3.mga5.src.rpm

Whiteboard: MGA5TOO => (none)

Inserting special characters works fine in LibreOffice Writer, and Firefox works fine, Mageia 5 i586.

Whiteboard: (none) => has_procedure MGA5-32-OK

Testing M5 x64

Did a cursory pre-update test of inserting obscure characters in LibreOffice Writer. All seemed well.

Updated to:
icu53-data-53.1-12.3.mga5
lib64icu53-53.1-12.3.mga5
lib64icu-devel-53.1-12.3.mga5

Did a lot of obscure special character insertion with LO Writer, different fonts & different subsets thereof. Everything appeared correctly.
Played with Firefox on French sites (to get some accented letters). No visible problems.
[Is there a way of inserting special characters with Firefox?]

Update deemed OK. Validating.

CC: (none) => lewyssmith, sysadmin-bugs

Dave Hodgins
2016-05-20 11:09:31 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0186.html

Resolution: (none) => FIXED