Debian Bug report logs - #702346
icu: CVE-2013-0900

version graph

Package: icu; Maintainer for icu is Jay Berkenbilt <qjb@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 5 Mar 2013 14:48:01 UTC

Severity: grave

Tags: security

Fixed in version icu/4.8.1.1-12

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#702346; Package icu. (Tue, 05 Mar 2013 14:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>. (Tue, 05 Mar 2013 14:48:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2013-0900
Date: Tue, 05 Mar 2013 15:43:11 +0100
Package: icu
Severity: grave
Tags: security
Justification: user security hole

Hi Jay,

Google fixed a security issue in icu, which is embedded in Chrome:
http://googlechromereleases.blogspot.de/2013/02/stable-channel-update_21.html

| [152442] Medium CVE-2013-0900: Race condition in ICU. Credit to Google Chrome Security Team (Inferno).

I contact the Google Chrome Security Team and they pointed me to the following
upstream bug (which is private ATM, but maybe you have access?):
http://bugs.icu-project.org/trac/ticket/9737

They also send me links to the upstream fixes:
http://bugs.icu-project.org/trac/changeset/32865
http://bugs.icu-project.org/trac/changeset/32908

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#702346; Package icu. (Sat, 16 Mar 2013 17:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Mar 2013 17:51:04 GMT) Full text and rfc822 format available.

Message #10 received at 702346@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 702346@bugs.debian.org
Subject: Re: Bug#702346: icu: CVE-2013-0900
Date: Sat, 16 Mar 2013 13:49:24 -0400
Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Google fixed a security issue in icu, which is embedded in Chrome:
> http://googlechromereleases.blogspot.de/2013/02/stable-channel-update_21.html
>
> | [152442] Medium CVE-2013-0900: Race condition in ICU. Credit to
> Google Chrome Security Team (Inferno).
>
> I contact the Google Chrome Security Team and they pointed me to the following
> upstream bug (which is private ATM, but maybe you have access?):
> http://bugs.icu-project.org/trac/ticket/9737

I don't.

> They also send me links to the upstream fixes:
> http://bugs.icu-project.org/trac/changeset/32865
> http://bugs.icu-project.org/trac/changeset/32908

I can prepare a new upload with these fixes and call it CVE-2013-0900.
There's a one-line fix for a Malayalam rendering problem (which causes a
crash on certain codes and is therefore a potential DOS attack) which I
will probably include in the same upload.  Ordinarily I would not fix
two issues in the same upload, particularly during a freeze, but the
extreme simplicity of the second one makes me think this will be okay in
this case.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#702346; Package icu. (Sat, 16 Mar 2013 18:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Mar 2013 18:09:04 GMT) Full text and rfc822 format available.

Message #15 received at 702346@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 702346@bugs.debian.org
Subject: Re: Bug#702346: icu: CVE-2013-0900
Date: Sat, 16 Mar 2013 14:05:38 -0400
Jay Berkenbilt <qjb@debian.org> wrote:

>> They also send me links to the upstream fixes:
>> http://bugs.icu-project.org/trac/changeset/32865
>> http://bugs.icu-project.org/trac/changeset/32908
>
> I can prepare a new upload with these fixes and call it CVE-2013-0900.
> There's a one-line fix for a Malayalam rendering problem (which causes a
> crash on certain codes and is therefore a potential DOS attack) which I
> will probably include in the same upload.  Ordinarily I would not fix
> two issues in the same upload, particularly during a freeze, but the
> extreme simplicity of the second one makes me think this will be okay in
> this case.

Actually, these changes don't apply cleanly to ICU 4.8.  There are
namespace changes and other type changes so that even manually resolving
the conflicts doesn't produce something that compiles.  I don't have
time to resolve this....I may have to fall back to my de-facto
"strategy" of waiting for someone else who has more time than I do to
take care of it.  I think ICU 4.8 is still in active security support at
Red Hat.  I have often been the beneficiary of their good work on
backporting security issues.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#702346; Package icu. (Mon, 18 Mar 2013 18:00:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 18 Mar 2013 18:00:08 GMT) Full text and rfc822 format available.

Message #20 received at 702346@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 702346@bugs.debian.org
Subject: Re: Bug#702346: icu: CVE-2013-0900
Date: Mon, 18 Mar 2013 18:55:40 +0100
On Sat, Mar 16, 2013 at 01:49:24PM -0400, Jay Berkenbilt wrote:
> > They also send me links to the upstream fixes:
> > http://bugs.icu-project.org/trac/changeset/32865
> > http://bugs.icu-project.org/trac/changeset/32908
> 
> I can prepare a new upload with these fixes and call it CVE-2013-0900.
> There's a one-line fix for a Malayalam rendering problem (which causes a
> crash on certain codes and is therefore a potential DOS attack) which I
> will probably include in the same upload.  Ordinarily I would not fix
> two issues in the same upload, particularly during a freeze, but the
> extreme simplicity of the second one makes me think this will be okay in
> this case.

Sounds good to me (but I'm not a release team member)

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#702346; Package icu. (Mon, 18 Mar 2013 21:15:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 18 Mar 2013 21:15:17 GMT) Full text and rfc822 format available.

Message #25 received at 702346@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 702346@bugs.debian.org
Cc: Jay Berkenbilt <qjb@debian.org>
Subject: Re: Bug#702346: icu: CVE-2013-0900
Date: Mon, 18 Mar 2013 22:14:32 +0100
[Message part 1 (text/plain, inline)]
On Mon, Mar 18, 2013 at 18:55:40 +0100, Moritz Mühlenhoff wrote:

> On Sat, Mar 16, 2013 at 01:49:24PM -0400, Jay Berkenbilt wrote:
> > > They also send me links to the upstream fixes:
> > > http://bugs.icu-project.org/trac/changeset/32865
> > > http://bugs.icu-project.org/trac/changeset/32908
> > 
> > I can prepare a new upload with these fixes and call it CVE-2013-0900.
> > There's a one-line fix for a Malayalam rendering problem (which causes a
> > crash on certain codes and is therefore a potential DOS attack) which I
> > will probably include in the same upload.  Ordinarily I would not fix
> > two issues in the same upload, particularly during a freeze, but the
> > extreme simplicity of the second one makes me think this will be okay in
> > this case.
> 
> Sounds good to me (but I'm not a release team member)
> 
Yes, that would be fine.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#702346; Package icu. (Thu, 21 Mar 2013 15:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Thu, 21 Mar 2013 15:15:04 GMT) Full text and rfc822 format available.

Message #30 received at 702346@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 702346@bugs.debian.org
Cc: team@security.debian.org
Subject: CVE-2013-0900 (ICU race condition)
Date: Thu, 21 Mar 2013 11:10:08 -0400
I think I can grab Red Hat's fix to this from here.  I will try to do
this as soon as possible.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0900



Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Thu, 21 Mar 2013 15:51:12 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 21 Mar 2013 15:51:12 GMT) Full text and rfc822 format available.

Message #35 received at 702346-close@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 702346-close@bugs.debian.org
Subject: Bug#702346: fixed in icu 4.8.1.1-12
Date: Thu, 21 Mar 2013 15:48:20 +0000
Source: icu
Source-Version: 4.8.1.1-12

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702346@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 21 Mar 2013 11:29:08 -0400
Source: icu
Binary: libicu48 libicu48-dbg libicu-dev icu-doc
Architecture: source all amd64
Version: 4.8.1.1-12
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu48   - International Components for Unicode
 libicu48-dbg - International Components for Unicode
Closes: 702346
Changes: 
 icu (4.8.1.1-12) unstable; urgency=high
 .
   * Add patch to address CVE-2013-0900, a threading race condition.
     (Closes: #702346)
Checksums-Sha1: 
 e9ca6ccd45837ed177526c001262043b0737cf02 1895 icu_4.8.1.1-12.dsc
 3e43ec170dcf64cff93b11be4ecfbd97998d6469 22001 icu_4.8.1.1-12.debian.tar.gz
 f84ae5a1206fff74ecb32522c9865d5c8dc6f6ee 1794968 icu-doc_4.8.1.1-12_all.deb
 76b8670231d5d8c84d6e68804167f8bc4e8af657 4733774 libicu48_4.8.1.1-12_amd64.deb
 5504248636830293ae97d6b3c29962bd52d02d29 4851476 libicu48-dbg_4.8.1.1-12_amd64.deb
 48fdc1d6dd5ca59a5d05a63ac3141ee69acf7cc0 5706406 libicu-dev_4.8.1.1-12_amd64.deb
Checksums-Sha256: 
 450b76e17339acc20a31023c37d2706c52ad5f204121d99692277e7f76662ae0 1895 icu_4.8.1.1-12.dsc
 1c3186f5d1200cedfc43dee0cab776485639264e47e4b27df6afa6ed72a32bf1 22001 icu_4.8.1.1-12.debian.tar.gz
 0d21e6a1912626cb27e142e3c95ef310901506d543e57a69f3e69891af569688 1794968 icu-doc_4.8.1.1-12_all.deb
 8efb9f087e5625438ae5350dccf19b9ed85842bcc7f43517b2f234a37b34de70 4733774 libicu48_4.8.1.1-12_amd64.deb
 0363d8601e2345a128f5b73a6b223c161aed0d7ec5e3176e2c0e6dfe573698bc 4851476 libicu48-dbg_4.8.1.1-12_amd64.deb
 b107c06bfb299a536b617d033e6b7f8abd22d4d18ab3e9b4386357064e7993ea 5706406 libicu-dev_4.8.1.1-12_amd64.deb
Files: 
 69850d7d28b049ab08036aaa1705046b 1895 libs optional icu_4.8.1.1-12.dsc
 a6b8e696fff50f25d14b2b21d1b67af9 22001 libs optional icu_4.8.1.1-12.debian.tar.gz
 672debef0f03095b080fd51fca15a4a7 1794968 doc optional icu-doc_4.8.1.1-12_all.deb
 263d2c7f36a841f2662eeeabbaa5ba48 4733774 libs optional libicu48_4.8.1.1-12_amd64.deb
 887172857b7ab2111bcfbd5ed4337517 4851476 debug extra libicu48-dbg_4.8.1.1-12_amd64.deb
 21639904758a7c98fdfaa2f369ae26a1 5706406 libdevel optional libicu-dev_4.8.1.1-12_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJRSynxAAoJEIp10QmYASx+ZKsP/iCBvgKOjWlKwqLwyIomoFvp
Qb0/4ukZQdwxxqSbBsEx0Jg214TyVZCrk4GNn7+CjXQmuLCn/1sAa6pIOnoC7bZq
OrfQF2ithHYA6ntyPUzJzBi2H43MMeXZG062VVXG/wPpWmnOwEi0MoKQVSqg30mg
+2YnjyvhjXcM9bFadQnKKgeba/5JzLn5q/fzECMqrLKF6+XJSlHhuIzJT+Kfg2if
G4ojb/YtBzFBpTetCt4OxzlXch88uBv+lcng5nDJqyUt0Knm6p+tHQ4/OoYrdAc9
WakeRHjjrFb/ORhTkCzQx1ICdTysRGsxPkVmmxG2rjH8YHMllf8B23zpPeQIOSIM
NTi5tmjgZTgUhOGAOxNnAyruhGVLllxJXzmgsV5rQaXRmL1/jdman2q1M+RLhVVA
egcWel3g78Lh7doJ5HLdacgt7PtdRLBd+LpFBiW3Icp452rB/E3HagDtl+ngpIBm
vn5SXAhqszog6O4HQlXWbKn6KR78jYcKH9Vl74y0hNRzRUvS9h3Bpo9OHgBx/Zhh
bYiZHdPQJRJ+5cT0wP7NXvvsmGCga2YsTJPcZ2o1cqsluQRczVANpNN7GMJMYd7U
0+0uaurNVfOY2f5rkPydSx3OUDdrU7sOl/lMRUCZI4agZ2FbhmymNv9plc7by5qX
Mu3YEZ6K5a4HnaL1S4fJ
=He9c
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 19 Apr 2013 07:27:47 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:48:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.