Bug 16487 - icu new security issue CVE-2015-4760
Summary: icu new security issue CVE-2015-4760
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/651087/
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA4-64-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-28 18:50 CEST by David Walser
Modified: 2015-08-01 00:47 CEST
CC: 5 users

See Also:
Source RPM: icu-53.1-11.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-07-28 18:50:35 CEST
Debian-LTS has issued an advisory today (July 28):
http://lwn.net/Alerts/652632/

This is one of the CVEs from the recent Java updates.  I would imagine that it's fixed in 55.1, which Cauldron was just updated to.  Other versions may need to be fixed.

Reproducible: 

Steps to Reproduce:
Comment 1 Christiaan Welvaart 2015-07-28 19:44:52 CEST
Fix was already committed to debian unstable: https://launchpad.net/ubuntu/+source/icu/52.1-10

CC: (none) => cjw

Comment 2 David Walser 2015-07-29 00:12:53 CEST
(In reply to Christiaan Welvaart from comment #1)
> Fix was already committed to debian unstable:
> https://launchpad.net/ubuntu/+source/icu/52.1-10

Thanks!

So it wasn't fixed in 55.1 :O

Patch now committed in Mageia 4, Mageia 5, and Cauldron.

Whiteboard: (none) => MGA4TOO

Comment 3 David Walser 2015-07-29 00:23:33 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated icu packages fix a security vulnerability:

It was discovered that the ICU Layout Engine was missing multiple boundary checks.
These could lead to buffer overflows and memory corruption.  A specially crafted
file could cause an application using ICU to parse untrusted font files to
crash and, possibly, execute arbitrary code (CVE-2015-4760).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760
https://bugzilla.redhat.com/show_bug.cgi?id=1242447
http://lwn.net/Alerts/652632/
========================

Updated packages in core/updates_testing:
========================
icu-52.1-2.5.mga4
icu-data-52.1-2.5.mga4
icu-doc-52.1-2.5.mga4
libicu52-52.1-2.5.mga4
libicu-devel-52.1-2.5.mga4
icu-53.1-12.2.mga5
icu53-data-53.1-12.2.mga5
icu-doc-53.1-12.2.mga5
libicu53-53.1-12.2.mga5
libicu-devel-53.1-12.2.mga5

from SRPMS:
icu-52.1-2.5.mga4.src.rpm
icu-53.1-12.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => critical

Comment 4 Herman Viaene 2015-07-29 10:53:31 CEST
MGA4-32 on Acer D620 Xfce
No installation issues
Ref to bug 1647 Comment 6 for test case
At CLI:
$ strace -o thund thunderbird 
not OK. I can insert special characters, but only the ones without a basic letter selection. In the selection box, the lower left button, to choose a "normal" letter as the base for the special character, is not accessible, so I cannot use characters like "ó".

and

$ grep icu thund 
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib/icu/icuplugins52.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/share/icu/52.1/icudt52l/cnvalias.icu", 0xbff197a0) = -1 ENOENT (No such file or directory)
stat64("/usr/share/icu/52.1/icudt52l.dat", {st_mode=S_IFREG|0644, st_size=23505296, ...}) = 0
open("/usr/share/icu/52.1/icudt52l.dat", O_RDONLY) = 17
read(66, "y/RT\nridicule/MGDS\nridiculous/PY"..., 4096) = 4096
Something missing ???

CC: (none) => herman.viaene

Comment 5 William Kenney 2015-07-29 19:57:52 CEST
In VirtualBox, M4, KDE, 32-bit

Install strace thunderbird

Package(s) under test:
icu

default install of icu icu-data libicu52

[root@localhost wilcal]# urpmi icu
Package icu-52.1-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi icu-data
Package icu-data-52.1-2.4.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libicu52
Package libicu52-52.1-2.4.mga4.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

install icu from updates_testing

[root@localhost wilcal]# urpmi icu
Package icu-52.1-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi icu-data
Package icu-data-52.1-2.5.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libicu52
Package libicu52-52.1-2.5.mga4.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

CC: (none) => wilcal.int

Comment 6 Dave Hodgins 2015-07-30 19:56:56 CEST
Advisory committed to svn. Based on comment 5 adding MGA4-64-OK to the whiteboard.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory MGA4-64-OK

Comment 7 William Kenney 2015-07-31 15:54:04 CEST
(In reply to Herman Viaene from comment #4)

> not OK. I can insert special characters, but only the ones without a basic
> letter selection. In the selection box, the lower left button, to choose a
> "normal" letter as the base for the special character, is not accessible, so
> I cannot use characters like "ó".

Herman, this is a security update not a fix for a functional bug. If there
is a specific problem with icu and one of the apps that use it please raise
a separate bug. Thanks.
William Kenney 2015-07-31 15:54:56 CEST

Whiteboard: MGA4TOO advisory MGA4-64-OK => MGA4TOO advisory MGA4-32-OK MGA4-64-OK

Comment 8 Samuel Verschelde 2015-07-31 16:06:38 CEST
(In reply to William Kenney from comment #7)
> (In reply to Herman Viaene from comment #4)
> 
> > not OK. I can insert special characters, but only the ones without a basic
> > letter selection. In the selection box, the lower left button, to choose a
> > "normal" letter as the base for the special character, is not accessible, so
> > I cannot use characters like "ó".
> 
> Herman, this is a security update not a fix for a functional bug. If there
> is a specific problem with icu and one of the apps that use it please raise
> a separate bug. Thanks.

You're telling that without even asking if it's a regression?
Comment 9 William Kenney 2015-07-31 16:12:33 CEST
(In reply to Samuel VERSCHELDE from comment #8)
> (In reply to William Kenney from comment #7)
> > (In reply to Herman Viaene from comment #4)
> > 
> > > not OK. I can insert special characters, but only the ones without a basic
> > > letter selection. In the selection box, the lower left button, to choose a
> > > "normal" letter as the base for the special character, is not accessible, so
> > > I cannot use characters like "ó".
> > 
> > Herman, this is a security update not a fix for a functional bug. If there
> > is a specific problem with icu and one of the apps that use it please raise
> > a separate bug. Thanks.
> 
> You're telling that without even asking if it's a regression?

Is it a regression?
Comment 10 William Kenney 2015-07-31 16:14:04 CEST
In VirtualBox, M5, KDE, 32-bit

Install strace thunderbird

Package(s) under test:
icu

default install of icu icu53-data libicu53

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi libicu53
Package libicu53-53.1-12.1.mga5.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

install icu from updates_testing

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi libicu53
Package libicu53-53.1-12.2.mga5.i586 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine
William Kenney 2015-07-31 16:14:26 CEST

Whiteboard: MGA4TOO advisory MGA4-32-OK MGA4-64-OK => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK

Comment 11 William Kenney 2015-07-31 16:31:17 CEST
In VirtualBox, M5, KDE, 64-bit

Install strace thunderbird

Package(s) under test:
icu

default install of icu icu53-data lib64icu53

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lib64icu53
Package lib64icu53-53.1-12.1.mga5.x86_64 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine

install icu from updates_testing

[root@localhost wilcal]# urpmi icu
Package icu-53.1-12.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icu53-data
Package icu53-data-53.1-12.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lib64icu53
Package lib64icu53-53.1-12.2.mga5.x86_64 is already installed

LibreOffice -> Insert -> Special Character works fine
strace -o strace.out thunderbird ( worked )
[wilcal@localhost ~]$ grep icu strace.out
open("/lib64/libicui18n.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicuuc.so.53", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libicudata.so.53", O_RDONLY|O_CLOEXEC) = 4.....etc
Displays fine.

icu works fine
William Kenney 2015-07-31 16:31:39 CEST

Whiteboard: MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
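A way to script the check that comments 5, 10 and 11 perform by hand (strace the application, grep the trace for icu), as an added example that is not part of the bug report or of Mageia's QA tooling: it parses strace output for the ICU shared objects the process actually opened and verifies they all carry the expected soversion (52 on Mageia 4, 53 on Mageia 5). The sample trace and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: verify which ICU soversion a traced application loaded.
# Input is the output of:  strace -o strace.out thunderbird

# Print the basename of every ICU shared object the trace opened successfully.
icu_sonames() {
    # A successful open() returns a descriptor >= 0; failures return -1, so
    # the "= [0-9]+" tail drops missing files such as icuplugins52.txt.
    grep -E '^open\("[^"]*/libicu[a-z0-9]*\.so\.[0-9]+", [^)]*\) = [0-9]+' "$1" \
        | sed -E 's/^open\("[^"]*\/(libicu[a-z0-9]*\.so\.[0-9]+)".*/\1/' \
        | sort -u
}

# Print the distinct soversions (e.g. 52) seen across the opened ICU libraries.
icu_soversions() {
    icu_sonames "$1" | sed -E 's/.*\.so\.([0-9]+)$/\1/' | sort -u
}

# Return 0 only if every opened ICU library has the expected soversion;
# 1 if no ICU library was opened at all, 2 if a different version shows up
# (for instance an application still mapping a pre-update copy).
check_icu_loaded() {
    expected=$1; trace=$2
    versions=$(icu_soversions "$trace")
    [ -n "$versions" ] || { echo "no ICU library opened in $trace" >&2; return 1; }
    for v in $versions; do
        if [ "$v" != "$expected" ]; then
            echo "unexpected ICU soversion $v (expected $expected)" >&2
            return 2
        fi
    done
    return 0
}

# Constructed sample trace, shaped like the grep output in comment 5.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
open("/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicuuc.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libicudata.so.52", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib/icu/icuplugins52.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
check_icu_loaded 52 "$SAMPLE" && echo "ICU soversion 52 confirmed"
```

On a real system, pair this with `rpm -q libicu52` (or `lib64icu53`) so the soversion you pass in comes from the package you just installed rather than from memory.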

Comment 12 William Kenney 2015-07-31 16:33:01 CEST
Unless there's a regression caused by this update
can we move this on?
Comment 13 Herman Viaene 2015-07-31 16:49:10 CEST
Trying to confirm regression now, I need some time to cover possible cases.
Comment 14 William Kenney 2015-07-31 17:10:07 CEST
(In reply to Herman Viaene from comment #13)

> Trying to confirm regression now, I need some time to cover possible cases.

Go for it Herman. Just need to push critical security updates ASAP. Thanks.
Comment 15 Herman Viaene 2015-07-31 20:33:57 CEST
MGA4-32 on Acer D620 Xfce
Same outcome with icu-52.1-2.4 as in Comment 4.
Could Xfce be the difference with Bill's results?
Dave Hodgins 2015-07-31 20:58:40 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 William Kenney 2015-07-31 21:15:00 CEST
(In reply to Herman Viaene from comment #15)

> MGA4-32 on Acer D620 Xfce
> Same outcome with icu-52.1-2.4 as in Comment 4.
> Could Xfce be the difference with Bill's results?

The real question is should we hold up this security update
and open a separate bug? What do you think David?
Comment 17 David Walser 2015-07-31 21:32:07 CEST
Not a regression, so yeah don't hold this one since it's critical.  A separate bug can be filed, but honestly it's unlikely that we'll be able to fix it unless someone can locate an upstream patch that fixes it.
Comment 18 William Kenney 2015-07-31 21:45:16 CEST
This is good to go. Validated. Thanks David.
Comment 19 William Kenney 2015-07-31 21:46:17 CEST
This update works fine.
Testing complete for mga4&5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Comment 20 Mageia Robot 2015-08-01 00:47:06 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0297.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
