A CVE has been assigned for a security issue fixed in ICU 54.1:
http://openwall.com/lists/oss-security/2016/11/25/1

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated icu packages fix security vulnerability:

Stack overflow in ures_getByKeyWithFallback() in ICU before 54.1 could lead to a crash (CVE-2014-9911).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9911
http://openwall.com/lists/oss-security/2016/11/25/1
========================

Updated packages in core/updates_testing:
========================
icu-53.1-12.5.mga5
icu53-data-53.1-12.5.mga5
icu-doc-53.1-12.5.mga5
libicu53-53.1-12.5.mga5
libicu-devel-53.1-12.5.mga5

from icu-53.1-12.5.mga5.src.rpm

Fedora has issued an advisory on November 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OAJGWQ3FEZJMVTFPJHKJJPCUKMX7XBTX/

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated icu packages fix security vulnerabilities:

Stack overflow in ures_getByKeyWithFallback() in ICU before 54.1 could lead to a crash (CVE-2014-9911).

It was found that a big locale string causes a stack based overflow inside libicu in locid.cpp (CVE-2016-7415).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9911
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7415
http://openwall.com/lists/oss-security/2016/11/25/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OAJGWQ3FEZJMVTFPJHKJJPCUKMX7XBTX/
========================

Updated packages in core/updates_testing:
========================
icu-53.1-12.6.mga5
icu53-data-53.1-12.6.mga5
icu-doc-53.1-12.6.mga5
libicu53-53.1-12.6.mga5
libicu-devel-53.1-12.6.mga5

from icu-53.1-12.6.mga5.src.rpm

URL: (none) => https://lwn.net/Vulnerabilities/707360/
Summary: icu new security issue CVE-2014-9911 => icu new security issues CVE-2014-9911 and CVE-2016-7415
Severity: normal => major

Tested on x86_64 real hardware.
Copied PoC from http://bugs.icu-project.org/trac/ticket/10891 and compiled it to produce the object file funicu.

$ ./funicu
*** stack smashing detected ***: ./funicu terminated
Segmentation fault

Installed the five update packages and recompiled the test script.

$ ./funicu

No output, which indicates that the patch is successful.
CC: (none) => tarazed25
Created attachment 8696
Trivial test case for the overflow vulnerability

Use the embedded compiler command to create the executable test file.
Whiteboard: (none) => MGA5-64-OK
Tested on i586 in VirtualBox.
Followed the same procedure as in comment 3.

Before:
$ gcc -o funicu funicu.c `pkg-config --libs --cflags icu-uc icu-i18n icu-le icu-lx icu-io`
$ ./funicu
*** stack smashing detected ***: ./funicu terminated
Segmentation fault
$

After:
Recompiled...
$ ./funicu
$

OK for 32-bits.

There is a similar fault which affects PHP but that is covered by a different CVE.

Validating this. Would some overworked sysadmin please push this to Core Updates.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA-32-OK advisory
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK MGA-32-OK advisory => MGA5-64-OK MGA5-32-OK advisory
I do not see any advisory on the svn.

CC: (none) => mageia
Whiteboard: MGA5-64-OK MGA5-32-OK advisory => MGA5-64-OK MGA5-32-OK

(In reply to Len Lawrence from comment #4)
> Would some overworked sysadmin please push this to Core Updates.

A little premature!

(In reply to Nicolas Lécureuil from comment #5)
> I do not see any advisory on the svn.

Well there is now, taken from Comment 1.

CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
Sorry, that was me blundering about.
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0404.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2014-9911: https://lwn.net/Vulnerabilities/707489/