1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3323-1] icu security update

    From Laszlo Boszormenyi@1:229/2 to All on Sat Aug 1 18:20:02 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3323-1 [email protected] https://www.debian.org/security/ Laszlo Boszormenyi August 01, 2015 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : icu
    CVE ID : CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760
    Debian Bug : 778511 784773

    Several vulnerabilities were discovered in the International Components
    for Unicode (ICU) library.

    CVE-2014-8146

    The Unicode Bidirectional Algorithm implementation does not properly
    track directionally isolated pieces of text, which allows remote
    attackers to cause a denial of service (heap-based buffer overflow)
    or possibly execute arbitrary code via crafted text.

    CVE-2014-8147

    The Unicode Bidirectional Algorithm implementation uses an integer
    data type that is inconsistent with a header file, which allows
    remote attackers to cause a denial of service (incorrect malloc
    followed by invalid free) or possibly execute arbitrary code via
    crafted text.

    CVE-2015-4760

    The Layout Engine was missing multiple boundary checks. These could
    lead to buffer overflows and memory corruption. A specially crafted
    file could cause an application using ICU to parse untrusted font
    files to crash and, possibly, execute arbitrary code.

    Additionally, it was discovered that the patch applied to ICU in DSA-3187-1
    for CVE-2014-6585 was incomplete, possibly leading to an invalid memory
    access. This could allow remote attackers to disclose portion of private
    memory via crafted font files.

    For the oldstable distribution (wheezy), these problems have been fixed
    in version 4.8.1.1-12+deb7u3.

    For the stable distribution (jessie), these problems have been fixed in
    version 52.1-8+deb8u2.

    For the testing distribution (stretch), these problems have been fixed
    in version 52.1-10.

    For the unstable distribution (sid), these problems have been fixed in
    version 52.1-10.

    We recommend that you upgrade your icu packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJVvO7bAAoJEK+lG9bN5XPLqVIP/2alCRdRKIAMleoNl1Eivpyz bkOww5mqMUezKBN/vcuZuIXaCXDbmEedCuqYsBs3+bKjyUunudrcMBHJ7fJoV19U 5cPQO/JGZtL9WPl2HowuWcsApvitiHgc37kblSUr2trmGtMUjm8glVnrI97qty9e Ory0Dbc8d4AYNlfV4jmJbqPXRRyxRFNObBwqoXvUNJ1sgUT1nyLt6QVYOqV07+Jy Vw6JJeqryNdpeMMBcAOlnSLSbjmmAxXDjs2HxUqWqZg8RHnnn2Dr45MQK/dymkdj xu2YBTT4cXAzvBtBTrpppj+9Dc+/nMfT47z1vncaiLFU8FBdt51Via8kutmut8ao 7zqqtcYiOn1/iUqxOOzlaqfVf+DMswhqaQmzGFNDI4ajMoC6M2Wf917AHt306W9p Ekk6aS9uVWrdZd2O1IawZ+scFETitNSE9nkNTyfRo75RhfHexAY1W3oeoVfTGMR4 gH+vkvqE2vQVDLLOdZDaMCtCKrurHgPhX+VGdaoHW0QD7wuNEbXoC2jvln0NLm1t VzHT3RtqdpmZvNGmCTL7muS/tVdgapNCavWEh4u1oDPB7DHDK8QYH4IJmi/sbfWP a9HC61Utok3TV4m+/G7THx4gvvKb13/4wfL0WMU5WOAaLUOpqSxXcDqJH5syytEu U5aclxl6oM8/CXeYbYQ8
    =WKJI
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)