| Summary: | icu new security issues CVE-2014-9911 and CVE-2016-7415 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, mageia, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/707360/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | icu-53.1-12.4.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Trivial test case for the overflow vulnerability | ||
|
Description
David Walser
2016-11-25 18:19:23 CET
Fedora has issued an advisory on November 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OAJGWQ3FEZJMVTFPJHKJJPCUKMX7XBTX/

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated icu packages fix security vulnerabilities:

Stack overflow in ures_getByKeyWithFallback() in ICU before 54.1 could lead to a crash (CVE-2014-9911).

It was found that a big locale string causes a stack based overflow inside libicu in locid.cpp (CVE-2016-7415).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9911
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7415
http://openwall.com/lists/oss-security/2016/11/25/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OAJGWQ3FEZJMVTFPJHKJJPCUKMX7XBTX/
========================

Updated packages in core/updates_testing:
========================
icu-53.1-12.6.mga5
icu53-data-53.1-12.6.mga5
icu-doc-53.1-12.6.mga5
libicu53-53.1-12.6.mga5
libicu-devel-53.1-12.6.mga5

from icu-53.1-12.6.mga5.src.rpm

URL:
(none) =>
https://lwn.net/Vulnerabilities/707360/

Tested on x86_64 real hardware.
Copied PoC from http://bugs.icu-project.org/trac/ticket/10891 and compiled it to produce the object file funicu.

$ ./funicu
*** stack smashing detected ***: ./funicu terminated
Segmentation fault

Installed the five update packages and recompiled the test script.

$ ./funicu

No output, which indicates that the patch is successful.

CC:
(none) =>
tarazed25

Created attachment 8696
Trivial test case for the overflow vulnerability
Use the embedded compiler command to create the executable test file.
Len Lawrence
2016-11-26 00:34:25 CET
Whiteboard:
(none) =>
MGA5-64-OK

Tested on i586 in VirtualBox
Followed the same procedure as in comment 3.

Before:
$ gcc -o funicu funicu.c `pkg-config --libs --cflags icu-uc icu-i18n icu-le icu-lx icu-io`
$ ./funicu
*** stack smashing detected ***: ./funicu terminated
Segmentation fault
$

After:
Recompiled...
$ ./funicu
$

OK for 32-bits.

There is a similar fault which affects PHP but that is covered by a different CVE.

Validating this. Would some overworked sysadmin please push this to Core Updates.
Len Lawrence
2016-11-26 00:52:59 CET
Keywords:
(none) =>
validated_update
Len Lawrence
2016-11-26 00:54:26 CET
Whiteboard:
MGA5-64-OK MGA-32-OK advisory =>
MGA5-64-OK MGA5-32-OK advisory

I do not see any advisory on the svn

CC:
(none) =>
mageia

(In reply to Len Lawrence from comment #4)
> Would some overworked sysadmin please push this to Core Updates.

A little premature!

(In reply to Nicolas Lécureuil from comment #5)
> I do not see any advisory on the svn

Well there is now, taken from Comment 1.

CC:
(none) =>
lewyssmith

Sorry, that was me blundering about.

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0404.html

Status:
NEW =>
RESOLVED

LWN reference for CVE-2014-9911:
https://lwn.net/Vulnerabilities/707489/