[security-announce] ICU 53.1: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri Aug 28 14:10:49 CEST 2015



Enea Linux Security Advisory
=========================================================
Product/package: ICU 53.1
Severity: Low
CVE Name: CVE-2014-8146 and CVE-2014-8147
=========================================================
This security update fixes:
CVE-2014-8146 icu: heap overflow via incorrect isolateCount
CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function

Signed patch and README files
=============================
0030-icu-CVE-2014-8146-CVE-2014-8147.patch
0030-icu-CVE-2014-8146-CVE-2014-8147.patch.sig
0030-icu-CVE-2014-8146-CVE-2014-8147.README.asc

Description
===========
CVE-2014-8146
The resolveImplicitLevels function in common/ubidi.c
in the Unicode Bidirectional Algorithm implementation in
ICU4C in International Components for Unicode (ICU) before
55.1 does not properly track directionally isolated pieces
of text, which allows remote attackers to cause a denial
of service (heap-based buffer overflow) or possibly execute
arbitrary code via crafted text.

CVE-2014-8147
The resolveImplicitLevels function in common/ubidi.c in
the Unicode Bidirectional Algorithm implementation in
ICU4C in International Components for Unicode (ICU) before
55.1 uses an integer data type that is inconsistent with a
header file, which allows remote attackers to cause a denial
of service (incorrect malloc followed by invalid free) or
possibly execute arbitrary code via crafted text.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8147
https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
https://www.kb.cert.org/vuls/id/602540
http://bugs.icu-project.org/trac/changeset/37080
http://bugs.icu-project.org/trac/changeset/37162

How to apply the patches
========================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0030-icu-CVE-2014-8146-CVE-2014-8147.patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0030-icu-CVE-2014-8146-CVE-2014-8147.patch.sig
gpg --verify 0030-icu-CVE-2014-8146-CVE-2014-8147.patch.sig
patch -p1 < ./0030-icu-CVE-2014-8146-CVE-2014-8147.patch
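The sequence above runs gpg --verify and then patch unconditionally, so a failed or wrong-key verification would not stop the patch from being applied. The following helper is an added example, not part of the Enea advisory; it applies the patch only if the detached signature is valid and made by an expected key fingerprint (the fingerprint is a placeholder to be replaced with Enea's published key), and it dry-runs the patch first so a non-applying patch leaves the tree untouched.

```shell
#!/bin/sh
# Added example (not from the Enea advisory): apply a signed patch only after the
# detached signature verifies against a known signing-key fingerprint.
# PLACEHOLDER fingerprint: obtain the real Enea signing key out of band.
ENEA_SIGNING_KEY_FPR="${ENEA_SIGNING_KEY_FPR:-0000000000000000000000000000000000000000}"

# Usage: apply_signed_patch <file.patch.sig> <file.patch>
# Returns 0 only if the signature is valid, made by the expected key, and the
# patch applies cleanly. On any failure the source tree is left unmodified.
apply_signed_patch() {
    sig="$1"; patch_file="$2"
    [ -f "$sig" ] && [ -f "$patch_file" ] || { echo "missing $sig or $patch_file" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }

    # --status-fd gives machine-readable results; checking only gpg's exit code
    # would accept a good signature from any key that happens to be in the keyring.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$patch_file" 2>/dev/null) || {
        echo "signature verification failed for $patch_file" >&2; return 1; }
    case "$status" in
        *"[GNUPG:] VALIDSIG $ENEA_SIGNING_KEY_FPR "*) ;;   # signed by the expected key
        *) echo "signature is not from the expected key" >&2; return 1 ;;
    esac

    # Dry-run first so a partially applicable patch never leaves the tree half-fixed.
    patch -p1 --dry-run --silent < "$patch_file" || {
        echo "patch does not apply cleanly" >&2; return 1; }
    patch -p1 < "$patch_file"
}

# Stand-alone use with the advisory's file names, run from the poky directory:
# apply_signed_patch 0030-icu-CVE-2014-8146-CVE-2014-8147.patch.sig \
#                    0030-icu-CVE-2014-8146-CVE-2014-8147.patch
```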

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com