Bug 21929 - icu new security issue CVE-2017-14952
Summary: icu new security issue CVE-2017-14952
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-10-24 23:27 CEST by David Walser
Modified: 2017-11-16 09:37 CET

See Also:
Source RPM: icu-58.2-3.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-10-24 23:27:31 CEST
Ubuntu has issued an advisory on October 23:
https://usn.ubuntu.com/usn/usn-3458-1/

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-10-24 23:27:36 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-10-25 09:47:42 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2017-11-10 21:50:33 CET
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated icu packages fix security vulnerability:

Double free in i18n/zonemeta.cpp in International Components for Unicode
(ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary
code via a crafted string, aka a "redundant UVector entry clean up function
call" issue (CVE-2017-14952).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14952
https://usn.ubuntu.com/usn/usn-3458-1/
========================

Updated packages in core/updates_testing:
========================
icu-53.1-12.8.mga5
icu53-data-53.1-12.8.mga5
icu-doc-53.1-12.8.mga5
libicu53-53.1-12.8.mga5
libicu-devel-53.1-12.8.mga5
icu-58.2-3.1.mga6
icu58-data-58.2-3.1.mga6
icu-doc-58.2-3.1.mga6
libicu58-58.2-3.1.mga6
libicu-devel-58.2-3.1.mga6

from SRPMS:
icu-53.1-12.8.mga5.src.rpm
icu-58.2-3.1.mga6.src.rpm

Version: Cauldron => 6
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 3 David Walser 2017-11-10 21:51:11 CET
It didn't build in Cauldron due to test failures:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20171110203059.luigiwalser.duvel.27947/log/icu-59.1-3.mga7/build.0.20171110203106.log

CC'ing tv who upgraded it to 59.1.

CC: (none) => thierry.vignaud

Comment 4 Herman Viaene 2017-11-11 11:28:24 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
Following some of the tests in bug 20706 Comment 5:
at CLI:
$ icuinfo
 <icuSystemParams type="icu4c">
    <param name="copyright"> Copyright (C) 2014, International Business Machines Corporation and others. All Rights Reserved. </param>
    <param name="product">icu4c</param>
    <param name="product.full">International Components for Unicode for C/C++</param>
    <param name="version">53.1</param>
    <param name="version.unicode">6.3</param>
...and more of those
 </icuSystemParams>


ICU Initialization returned: U_ZERO_ERROR
Plugin file is: /usr/lib/icu/icuplugins53.txt
$ uconv --list
UTF-8 ibm-1208 ibm-1209 ibm-5304 ibm-5305 ibm-13496 ibm-13497 ibm-17592 ibm-17593 windows-65001 cp1208 x-UTF_8J unicode-1-1-utf-8 unicode-2-0-utf-8 
and a lot more
$ uconv --default-code
UTF-8
using some txt file from previous update traces:
$ uconv -f UTF8 -t UTF16 -o botan16.txt botan.txt 
used hexedit to see both files, result looks OK.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Len Lawrence 2017-11-12 11:42:21 CET
Mageia 6 on x86_64

Updated the packages.  Note that wine was updated as well.

- icu-58.2-3.1.mga6.x86_64
- icu-doc-58.2-3.1.mga6.noarch
- icu58-data-58.2-3.1.mga6.noarch
- lib64icu-devel-58.2-3.1.mga6.x86_64
- lib64icu58-58.2-3.1.mga6.x86_64
- wine64-2.0.3-1.mga6.x86_64

$ icuinfo returned information about the installation, parameters etc.  Finished on
"ICU Initialization returned: U_ZERO_ERROR
Plugins are disabled."
$ ls /usr/lib64/icu
58.2/  current@  Makefile.inc@  pkgdata.inc@

As Herman says uconv returns a very long list of encodings.
$ uconv --list
UTF-8 ibm-1208 ibm-1209 ibm-5304 ibm-5305 ibm-13496 ibm-13497 ibm-17592 ibm-17593 windows-65001 cp1208 x-UTF_8J unicode-1-1-utf-8 unicode-2-0-utf-8 
...............................
$ uconv --default-code
UTF-8
$ uconv -f UTF-8 -t SJIS -o sjis.txt jabberwocky
$ diff jabberwocky sjis.txt
$ uconv -f SJIS -t ISO-8859-1 -o iso.txt sjis.txt
diff, hexdump and file show that there is no difference between these three files; jabberwocky, iso.txt and sjis.txt.
$ cat part2
π = 3.14159 or thereabouts
$ uconv -f UTF-8 -t SJIS -o part3 part2
$ cat part3
�� = 3.14159 or thereabouts
$ file part3
part3: Non-ISO extended-ASCII text
$ uconv -f UTF-8 -t ISO-8859-1 -o part4 part2
Conversion from Unicode to codepage failed at input byte position 0. Unicode: 03c0 Error: Invalid character found
So, the pi character cannot be handled at all by iso-8859-1.  sjis can but transforms it to an unprintable character.  
$ hexdump part2
0000000 80cf 3d20 3320 312e 3134 3935 6f20 2072
0000010 6874 7265 6165 6f62 7475 0a73          
000001c
$ hexdump part3
0000000 ce83 3d20 3320 312e 3134 3935 6f20 2072
0000010 6874 7265 6165 6f62 7475 0a73          
000001c
π is the first two bytes of the dump.

$  uconv -f UTF-8 -t IBM-1047 -o ibm.txt jabberwocky
[lcl@belexeuli icu]$ cat ibm.txt
%㦁�@�������@���@���@������@�����%ĉ�@����@���@���@������@��@���@����K%���@�����@����@���@���������%���@���@����@�����@��������K%%
$ file ibm.txt
ibm.txt: Non-ISO extended-ASCII text, with NEL line terminators
$ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt
$ file usa.txt
usa.txt: ASCII text
$ cat usa.txt

Twas brillig and the slithy toves
Did gyre and and gimble in the wabe.
All mimsy were the borogoves
And the mome raths outgrabe.


This looks fine for 64 bits.

CC: (none) => tarazed25
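
The hexdump listings in comment 5 can be read back into bytes and decoded to see what each converted file contains. This is an added example, not part of the original comment: it uses Python's built-in codecs in place of ICU's uconv, and the function names are illustrative.

```python
# Constructed input: the two hexdump listings quoted in comment 5.
PART2_DUMP = """\
0000000 80cf 3d20 3320 312e 3134 3935 6f20 2072
0000010 6874 7265 6165 6f62 7475 0a73
000001c
"""
PART3_DUMP = """\
0000000 ce83 3d20 3320 312e 3134 3935 6f20 2072
0000010 6874 7265 6165 6f62 7475 0a73
000001c
"""


def hexdump_to_bytes(dump):
    """Rebuild file bytes from default `hexdump` output.

    Default hexdump prints 16-bit words in host byte order, so on x86 each
    word is byte-swapped; the final offset-only line carries the true length.
    """
    data, length = bytearray(), None
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "*":
            raise ValueError("squeezed ('*') hexdump output is not supported")
        if len(fields) == 1:            # trailing offset = total byte count
            length = int(fields[0], 16)
            continue
        for word in fields[1:]:
            data += int(word, 16).to_bytes(2, "little")
    return bytes(data if length is None else data[:length])


def terminal_view(data):
    """What a UTF-8 terminal renders: invalid bytes become U+FFFD."""
    return data.decode("utf-8", errors="replace")


def first_unencodable(text, codec):
    """Return (index, code point) of the first character codec cannot encode."""
    try:
        text.encode(codec)
        return None
    except UnicodeEncodeError as exc:
        return exc.start, format(ord(text[exc.start]), "04x")


if __name__ == "__main__":
    part3 = hexdump_to_bytes(PART3_DUMP)
    print(repr(terminal_view(part3)), repr(part3.decode("shift_jis")))
```

The bytes 83 ce at the start of part3 are the Shift-JIS encoding of U+03C0; read as UTF-8 they are two invalid bytes, which a UTF-8 terminal renders as two replacement characters.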

Len Lawrence 2017-11-12 11:42:34 CET

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA-64-OK

Len Lawrence 2017-11-12 20:57:48 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 6 Len Lawrence 2017-11-12 21:35:13 CET
Updated the packages on Mageia 5 for x86_64.
Clean install.
Followed the same testing procedure as in comment 5.
$ icuinfo ended with the lines:
ICU Initialization returned: U_ZERO_ERROR
Plugin file is: /usr/lib64/icu/icuplugins53.txt
That file does not exist.

$ ls -l /usr/lib64/icu/
drwxr-xr-x 2 root root 4096 Nov 12 20:18 53.1/
lrwxrwxrwx 1 root root    4 Nov 10 20:42 current -> 53.1/
lrwxrwxrwx 1 root root   20 Nov 10 20:42 Makefile.inc -> current/Makefile.inc
lrwxrwxrwx 1 root root   19 Nov 10 20:42 pkgdata.inc -> current/pkgdata.inc

Ran 'uconv --list' OK.
$ uconv --default-code
UTF-8

Ran conversions on available text files as before.
No problems.  Converting to a non-printing code and back again to ascii worked fine.

Passing this for 64 bits.
Len Lawrence 2017-11-12 21:35:28 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK

Comment 7 Len Lawrence 2017-11-15 15:31:30 CET
Mageia 6 : i586 in virtualbox

The five packages upgraded cleanly.
Copied the previous tests and the results agreed in every detail.

Good for 32 bits.
Len Lawrence 2017-11-15 15:58:21 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK MGA6-32-OK

Len Lawrence 2017-11-15 15:58:35 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Thomas Backlund 2017-11-16 08:58:39 CET
advisory uploaded

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2017-11-16 09:37:05 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0411.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

