Fix was already committed to debian unstable: https://launchpad.net/ubuntu/+source/icu/52.1-10

CC: (none) => cjw

(In reply to Christiaan Welvaart from comment #1)
> Fix was already committed to debian unstable:
> https://launchpad.net/ubuntu/+source/icu/52.1-10

Thanks!

So it wasn't fixed in 55.1 :O

Patch now committed in Mageia 4, Mageia 5, and Cauldron.

Whiteboard: (none) => MGA4TOO

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated icu packages fixes security vulnerability:

It was discovered that ICU Layout Engine was missing multiple boundary checks.
These could lead to buffer overflows memory corruption.  A specially crafted
file could cause an application using ICU to parse untrusted font files to
crash and, possibly, execute arbitrary code (CVE-2015-4760).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760
https://bugzilla.redhat.com/show_bug.cgi?id=1242447
http://lwn.net/Alerts/652632/
========================

Updated packages in core/updates_testing:
========================
icu-52.1-2.5.mga4
icu-data-52.1-2.5.mga4
icu-doc-52.1-2.5.mga4
libicu52-52.1-2.5.mga4
libicu-devel-52.1-2.5.mga4
icu-53.1-12.2.mga5
icu53-data-53.1-12.2.mga5
icu-doc-53.1-12.2.mga5
libicu53-53.1-12.2.mga5
libicu-devel-53.1-12.2.mga5

from SRPMS:
icu-52.1-2.5.mga4.src.rpm
icu-53.1-12.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => critical

MGA4-32 on Acer D620 Xfce
No installation issues
Ref to bug 1647 Comment 6 for test case
At CLI:
$ strace -o thund thunderbird 
not OK. I can insert special characters, but only the ones without a basic letter selection. In the selection box, the lower left button, to choose a "normal" letter as the base for the special character, is not accessible, so I cannot use characters like "ó".

and

$ grep icu thund 
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib/icu/icuplugins52.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/share/icu/52.1/icudt52l/cnvalias.icu", 0xbff197a0) = -1 ENOENT (No such file or directory)
stat64("/usr/share/icu/52.1/icudt52l.dat", {st_mode=S_IFREG|0644, st_size=23505296, ...}) = 0
open("/usr/share/icu/52.1/icudt52l.dat", O_RDONLY) = 17
read(66, "y/RT\nridicule/MGDS\nridiculous/PY"..., 4096) = 4096
Something missing ???

CC: (none) => herman.viaene

In VirtualBox, M4, KDE, 32-bit

Install strace thunderbird

Package(s) under test:
icu

default install of icu icu-data libicu52

[root@localhost wilcal]# urpmi icu
Package icu-52.1-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi icu-data
Package icu-data-52.1-2.4.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libicu52
Package libicu52-52.1-2.4.mga4.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

install icu from updates_testing

[root@localhost wilcal]# urpmi icu
Package icu-52.1-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi icu-data
Package icu-data-52.1-2.5.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libicu52
Package libicu52-52.1-2.5.mga4.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

CC: (none) => wilcal.int

Advisory committed to svn. Based on comment 5 adding MGA4-64-OK to the whiteboard.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory MGA4-64-OK

(In reply to Herman Viaene from comment #4)

> not OK. I can insert special characters, but only the ones without a basic
> letter selection. In the selection box, the lower left button, to choose a
> "normal" letter as the base for the special character, is not accessible, so
> I cannot use characters like "ó".

Herman this is a security update not a fix for a functional bug. If there
is a specific problem with icu and one of the apps that use it please raise
a separate bug. Thanks.

(In reply to William Kenney from comment #7)
> (In reply to Herman Viaene from comment #4)
> 
> > not OK. I can insert special characters, but only the ones without a basic
> > letter selection. In the selection box, the lower left button, to choose a
> > "normal" letter as the base for the special character, is not accessible, so
> > I cannot use characters like "ó".
> 
> Herman this is a security update not a fix for a functional bug. If there
> is a specific problem with icu and one of the apps that use it please raise
> a separate bug. Thanks.

You're telling that without even asking if it's a regression?

(In reply to Samuel VERSCHELDE from comment #8)
> (In reply to William Kenney from comment #7)
> > (In reply to Herman Viaene from comment #4)
> > 
> > > not OK. I can insert special characters, but only the ones without a basic
> > > letter selection. In the selection box, the lower left button, to choose a
> > > "normal" letter as the base for the special character, is not accessible, so
> > > I cannot use characters like "ó".
> > 
> > Herman this is a security update not a fix for a functional bug. If there
> > is a specific problem with icu and one of the apps that use it please raise
> > a separate bug. Thanks.
> 
> You're telling that without even asking if it's a regression?

Is it a regression?

In VirtualBox, M5, KDE, 32-bit

Install strace thunderbird

Package(s) under test:
icu

default install of icu icu53-data libicu53

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi libicu53
Package libicu53-53.1-12.1.mga5.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

install icu from updates_testing

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi libicu53
Package libicu53-53.1-12.2.mga5.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

In VirtualBox, M5, KDE, 64-bit

Install strace thunderbird

Package(s) under test:
icu

default install of icu icu53-data lib64icu53

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lib64icu53
Package lib64icu53-53.1-12.1.mga5.x86_64 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

install icu from updates_testing

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lib64icu53
Package lib64icu53-53.1-12.2.mga5.x86_64 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

Unless there's a regression caused by this update
can we move this on?

Trying to confirm regression now, I need some time to cover possible cases.

(In reply to Herman Viaene from comment #13)

> Trying to confirm regression now, I need some time to cover possible cases.

Go for it Herman. Just need to push critical security updates ASAP. Thanks.

MGA4-32 on Acer D620 Xfce
Same outcome with icu-52.1-2.4 as in Comment 4.
Could Xfce be the difference with Bill's results.

(In reply to Herman Viaene from comment #15)

> MGA4-32 on Acer D620 Xfce
> Same outcome with icu-52.1-2.4 as in Comment 4.
> Could Xfce be the difference with Bill's results.

The real question is should we hold up this security update
and open a separate bug? What do you think David?

Not a regression, so yeah don't hold this one since it's critical.  A separate bug can be filed, but honestly it's unlikely that we'll be able to fix it unless someone can locate an upstream patch that fixes it.

This is good to go. Validated. Thanks David.

This update works fine.
Testing complete for mga4&5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0297.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED