Ubuntu has issued an advisory today (March 5):
http://www.ubuntu.com/usn/usn-2522-1/

We're not affected by the 2013 CVEs, and we fixed the other 2014 ones in Bug 15145.

Patch for CVE-2014-6585 and CVE-2014-6591 checked into Mageia 4 and Cauldron SVN.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated icu packages fix security vulnerabilities:

It was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program (CVE-2014-6585, CVE-2014-6591).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591
http://www.ubuntu.com/usn/usn-2522-1/
========================

Updated packages in core/updates_testing:
========================
icu-52.1-2.2.mga4
icu-data-52.1-2.2.mga4
icu-doc-52.1-2.2.mga4
libicu52-52.1-2.2.mga4
libicu-devel-52.1-2.2.mga4

from icu-52.1-2.2.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Just like last time I tested inserting special unicode characters into a LibreOffice Writer document. No issues noted. Tested Mageia 4 i586.
No PoCs that I can find. Marking OK for Mageia 4 i586.
Whiteboard: (none) => MGA4-32-OK
Testing on Mageia4x64 real hardware

Using procedure found in previous testing:
https://bugs.mageia.org/show_bug.cgi?id=15145#c8

From current packages:
---------------------
icu-52.1-2.1.mga4
icu-data-52.1-2.1.mga4
icu-doc-52.1-2.1.mga4
lib64icu52-52.1-2.1.mga4

$ oowriter --strace
Inserted special unicode characters
in strace.log, could find:
8832 21:56:10.841741 open("/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 3
(...)
8837 21:56:11.026130 open("/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4

To updated testing packages:
---------------------------
icu-52.1-2.2.mga4
icu-data-52.1-2.2.mga4
icu-doc-52.1-2.2.mga4
lib64icu52-52.1-2.2.mga4

26291 22:05:30.833504 open("/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 3
(...)
26295 22:05:31.021346 open("/lib64/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4

No regression found.
CC: (none) => olchal
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0102.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED