Bug 23155

Summary: icu new security issue CVE-2018-18928
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, cjw, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs, thierry.vignaud, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: icu-63.1-1.mga7.src.rpm CVE: CVE-2018-18928
Status comment:

Description David Walser 2018-06-08 20:32:17 CEST 
openSUSE has issued an advisory on May 25:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00114.html

Mageia 5 and Mageia 6 are also affected.

The SUSE bug has more details:
https://bugzilla.suse.com/show_bug.cgi?id=1072193
Comment 1 Marja Van Waes 2018-06-08 21:38:14 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-11-09 18:34:24 CET 
Fedora has issued an advisory today (November 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DHAC6XIATCPVSWFNBGGL2MRSBMN2F7D5/

The issue is fixed upstream in 64.1.

Severity: normal => major
Summary: icu new security issue CVE-2017-17484 => icu new security issues CVE-2017-17484 and CVE-2018-18928
Whiteboard: (none) => MGA6TOO

David Walser 2019-05-13 04:15:07 CEST

QA Contact: (none) => security
Component: RPM Packages => Security

David Walser 2019-06-23 19:23:44 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 3 Lewis Smith 2019-11-28 15:59:30 CET 
Re-assigning globally due to change to no specific maintainer.

Assignee: shlomif => pkg-bugs
CC: (none) => cjw, thierry.vignaud

Comment 4 Nicolas Salguero 2019-11-29 09:21:42 CET 
Mga 6 is EOL and CVE-2017-17484 is already fixed in ICU 63.1.

Source RPM: icu-59.1-6.mga7.src.rpm => icu-63.1-1.mga7.src.rpm
CVE: (none) => CVE-2018-18928
Whiteboard: MGA7TOO, MGA6TOO => (none)
Summary: icu new security issues CVE-2017-17484 and CVE-2018-18928 => icu new security issue CVE-2018-18928
CC: (none) => nicolas.salguero
Version: Cauldron => 7

Comment 5 Nicolas Salguero 2019-11-29 10:05:01 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp. (CVE-2018-18928)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18928
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DHAC6XIATCPVSWFNBGGL2MRSBMN2F7D5/
========================

Updated packages in core/updates_testing:
========================
icu-63.1-1.1.mga7
icu63-data-63.1-1.1.mga7
icu-doc-63.1-1.1.mga7
lib(64)icu63-63.1-1.1.mga7
lib(64)icu-devel-63.1-1.1.mga7

from SRPMS:
icu-63.1-1.1.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 6 Herman Viaene 2019-12-04 17:09:38 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed wiki, installed openttd and got as far asbuilding a bus station. Good enough for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2019-12-04 22:30:15 CET 
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-12-06 12:12:10 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-12-06 15:17:05 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0353.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED