Bug 11362 - icu new security issues CVE-2013-0900 and CVE-2013-2924
: icu new security issues CVE-2013-0900 and CVE-2013-2924
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/570525/
: MGA2TOO mga2-32-ok mga2-64-ok mga3-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-10-02 18:48 CEST by David Walser
Modified: 2013-10-25 23:22 CEST (History)
4 users (show)

See Also:
Source RPM: icu-50.1.2-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-10-02 18:48:57 CEST
The newest Chromium browser release lists a security issue fixed in ICU:
http://googlechromereleases.blogspot.ro/2013/10/stable-channel-update.html

There doesn't seem to be any information available about the issue yet.

I tried to load the Chromium SVN log to see if there's information about it there, but Firefox freezes every time I try to load that.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-10-16 18:26:25 CEST
Ubuntu has issued an advisory for this on October 15:
http://www.ubuntu.com/usn/usn-1989-1/
Comment 2 David Walser 2013-10-16 19:37:36 CEST
The Ubuntu advisory also lists CVE-2013-0900, a low-severity issue fixed by Fedora back in March.  I missed it because it got mixed in with Chromium CVEs.  Here's the LWN reference for that one: http://lwn.net/Vulnerabilities/542922/

CVE-2013-0900 only affects the version we have in Mageia 2.

CVE-2013-2924 affects Mageia 2 and Mageia 3.

Both CVEs are already fixed in the version we have in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory (Mageia 2):
========================

Updated icu packages fix security vulnerabilities:

It was discovered that ICU contained a race condition affecting multi-
threaded applications. If an application using ICU processed crafted data,
an attacker could cause it to crash or potentially execute arbitrary code
with the privileges of the user invoking the program (CVE-2013-0900).

It was discovered that ICU incorrectly handled memory operations. If an
application using ICU processed crafted data, an attacker could cause it to
crash or potentially execute arbitrary code with the privileges of the user
invoking the program (CVE-2013-2924).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2924
http://www.ubuntu.com/usn/usn-1989-1/
========================

Updated packages in core/updates_testing:
========================
icu-4.8.1.1-2.1.mga2
icu-doc-4.8.1.1-2.1.mga2
libicu48-4.8.1.1-2.1.mga2
libicu-devel-4.8.1.1-2.1.mga2

from icu-4.8.1.1-2.1.mga2.src.rpm


Advisory (Mageia 3):
========================

Updated icu packages fix security vulnerability:

It was discovered that ICU incorrectly handled memory operations. If an
application using ICU processed crafted data, an attacker could cause it to
crash or potentially execute arbitrary code with the privileges of the user
invoking the program (CVE-2013-2924).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2924
http://www.ubuntu.com/usn/usn-1989-1/
========================

Updated packages in core/updates_testing:
========================
icu-50.1.2-1.1.mga3
icu-data-50.1.2-1.1.mga3
icu-doc-50.1.2-1.1.mga3
libicu50-50.1.2-1.1.mga3
libicu-devel-50.1.2-1.1.mga3

from icu-50.1.2-1.1.mga3.src.rpm
Comment 3 roelof Wobben 2013-10-18 22:23:40 CEST
What is the right way to test this package ?

Roelof
Comment 4 roelof Wobben 2013-10-18 22:36:23 CEST
ON MGA3 x86_64 no problem installing the package and deleting it.

Roelof
Comment 5 David Walser 2013-10-18 22:42:48 CEST
The best way to test it is to run LibreOffice and play with some Unicode characters.
Comment 6 roelof Wobben 2013-10-18 23:18:34 CEST
Oke, 

Tommorrow I will try to find out how to work with Unicode characters. 
And test it.

Roelof
Comment 7 roelof Wobben 2013-10-19 09:46:06 CEST
I tried from keyboard some Unicode and they all work.
After that I tried with insert - special keys and also not a problem.

After that I tried with hexadecimal codes and I cannot make it work but I think I do not know how to make this work on M3.

So for me M3 x86_64 ok. 

Roelof
Comment 8 claire robinson 2013-10-22 16:39:38 CEST
Testing complete mga2 32

No PoC's.

Tested with unicode in libreoffice (ctrl-shift-u followed by 4 numbers, then release ctrl-shift)
Comment 9 claire robinson 2013-10-22 16:50:19 CEST
Testing complete mga2 64
Comment 10 claire robinson 2013-10-22 17:28:58 CEST
Two advisories uploaded for this one.

11362.mga2.adv
11362.mga3.adv

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates.

Thanks!
Comment 11 Thomas Backlund 2013-10-25 23:22:13 CEST
Mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0315.html

Mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0316.html

Note You need to log in before you can comment on or make changes to this bug.