Debian Bug report logs - #726477
icu: CVE-2013-2924


Package: icu; Maintainer for icu is Jay Berkenbilt <qjb@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 16 Oct 2013 06:09:01 UTC

Severity: grave

Tags: patch, security

Fixed in version icu/4.8.1.1-13+nmu1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#726477; Package icu. (Wed, 16 Oct 2013 06:09:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>. (Wed, 16 Oct 2013 06:09:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icu: CVE-2013-2924
Date: Wed, 16 Oct 2013 08:00:30 +0200
Package: icu
Severity: grave
Tags: security
Justification: user security hole

The Chrome developers found a security issue in the included ICU:
http://googlechromereleases.blogspot.de/2013/10/stable-channel-update.html

The bug http://bugs.icu-project.org/trac/ticket/10318 is restricted, but
the patch can be found here:
https://ssl.icu-project.org/trac/changeset/34076

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#726477; Package icu. (Sun, 27 Oct 2013 04:18:08 GMT)

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Sun, 27 Oct 2013 04:18:08 GMT)

Message #10 received at 726477@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 726477@bugs.debian.org
Subject: security nmu
Date: Sun, 27 Oct 2013 00:14:54 -0400
[Message part 1 (text/plain, inline)]
control: tag -1 patch

Hi,

I've uploaded an NMU fixing this issue.  Please see the attached patch.

Best wishes,
Mike
[icu.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to 726477-submit@bugs.debian.org. (Sun, 27 Oct 2013 04:18:08 GMT)

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Sun, 27 Oct 2013 04:36:05 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 27 Oct 2013 04:36:05 GMT)

Message #17 received at 726477-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 726477-close@bugs.debian.org
Subject: Bug#726477: fixed in icu 4.8.1.1-13+nmu1
Date: Sun, 27 Oct 2013 04:33:41 +0000
Source: icu
Source-Version: 4.8.1.1-13+nmu1

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 726477@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 27 Oct 2013 03:49:58 +0000
Source: icu
Binary: libicu48 libicu48-dbg libicu-dev icu-devtools icu-doc
Architecture: source all amd64
Version: 4.8.1.1-13+nmu1
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu48   - International Components for Unicode
 libicu48-dbg - International Components for Unicode
Closes: 726477
Changes: 
 icu (4.8.1.1-13+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2013-2924: use-after-free issue in csrucode.cpp (closes: #726477).





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#726477; Package icu. (Thu, 31 Oct 2013 15:24:09 GMT)

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Thu, 31 Oct 2013 15:24:09 GMT)

Message #22 received at 726477@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 726477@bugs.debian.org
Subject: Re: Bug#726477: icu: CVE-2013-2924
Date: Thu, 31 Oct 2013 11:22:48 -0400
Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Package: icu
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The Chrome developers found a security issue in the included ICU:
> http://googlechromereleases.blogspot.de/2013/10/stable-channel-update.html
>
> The bug http://bugs.icu-project.org/trac/ticket/10318 is restricted, but
> the patch can be found here:
> https://ssl.icu-project.org/trac/changeset/34076

Sorry for not getting to this quickly.  I will wait for the NMU to
transition to jessie and then incorporate it.  I am going to hopefully
have time this weekend to catch up on my Debian work, including packaging
ICU 52 and requesting a transition.  I will make sure the fix is
incorporated into ICU 52 or, if not, carry the patch forward.

-- 
Jay Berkenbilt <qjb@debian.org>



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Dec 2013 07:32:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:25:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.