Package: icu
Version: 52.1-8
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu wily ubuntu-patch

*** /tmp/tmp8_oq5o/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: heap overflow via incorrect isolateCount
    - debian/patches/CVE-2015-8146.patch: check for valid isolateCount in
      source/common/ubidi.c.
    - CVE-2015-8146
  * SECURITY UPDATE: integer overflow via incorrect state size
    - debian/patches/CVE-2015-8147.patch: change state to int32_t in
      source/common/ubidiimp.h.
    - CVE-2015-8147

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid-proposed'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru icu-52.1/debian/changelog icu-52.1/debian/changelog diff -Nru icu-52.1/debian/patches/CVE-2015-8146.patch icu-52.1/debian/patches/CVE-2015-8146.patch --- icu-52.1/debian/patches/CVE-2015-8146.patch 1969-12-31 19:00:00.000000000 -0500 +++ icu-52.1/debian/patches/CVE-2015-8146.patch 2015-05-08 08:27:11.000000000 -0400 @@ -0,0 +1,16 @@ +Description: fix heap overflow via incorrect isolateCount +Origin: backport, http://bugs.icu-project.org/trac/changeset/37162 + +Index: icu-52.1/source/common/ubidi.c +=================================================================== +--- icu-52.1.orig/source/common/ubidi.c 2013-10-04 16:49:28.000000000 -0400 ++++ icu-52.1/source/common/ubidi.c 2015-05-08 08:19:47.924746439 -0400 +@@ -2049,7 +2049,7 @@ + /* The isolates[] entries contain enough information to + resume the bidi algorithm in the same state as it was + when it was interrupted by an isolate sequence. */ +- if(dirProps[start]==PDI) { ++ if(dirProps[start]==PDI && pBiDi->isolateCount >= 0) { + start1=pBiDi->isolates[pBiDi->isolateCount].start1; + stateImp=pBiDi->isolates[pBiDi->isolateCount].stateImp; + levState.state=pBiDi->isolates[pBiDi->isolateCount].state; diff -Nru icu-52.1/debian/patches/CVE-2015-8147.patch icu-52.1/debian/patches/CVE-2015-8147.patch --- icu-52.1/debian/patches/CVE-2015-8147.patch 1969-12-31 19:00:00.000000000 -0500 +++ icu-52.1/debian/patches/CVE-2015-8147.patch 2015-05-08 08:27:31.000000000 -0400 
@@ -0,0 +1,17 @@ +Description: fix integer overflow via incorrect state size +Origin: backport, http://bugs.icu-project.org/trac/changeset/37080 + +Index: icu-52.1/source/common/ubidiimp.h +=================================================================== +--- icu-52.1.orig/source/common/ubidiimp.h 2013-10-04 16:49:24.000000000 -0400 ++++ icu-52.1/source/common/ubidiimp.h 2015-05-08 08:20:48.901252416 -0400 +@@ -193,8 +193,8 @@ + + typedef struct Isolate { + int32_t start1; ++ int32_t state; + int16_t stateImp; +- int16_t state; + } Isolate; + + typedef struct Run { diff -Nru icu-52.1/debian/patches/series icu-52.1/debian/patches/series --- icu-52.1/debian/patches/series 2015-02-15 21:35:11.000000000 -0500 +++ icu-52.1/debian/patches/series 2015-05-08 08:20:42.000000000 -0400 @@ -12,3 +12,5 @@ CVE-2014-7923+7926.patch CVE-2014-7940.patch CVE-2014-9654.patch +CVE-2015-8146.patch +CVE-2015-8147.patch
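
Review bot: In the ubidi.c hunk carried by CVE-2015-8146.patch, the added test "pBiDi->isolateCount >= 0" rules out only a negative index; the three reads of pBiDi->isolates[pBiDi->isolateCount] that follow have no visible upper bound against the size of the isolates array. If that bound is enforced where isolateCount is incremented, a short comment at this check saying so would help; otherwise consider adding it to the same condition. Please also confirm that the path taken when dirProps[start]==PDI but isolateCount is negative still sets start1, stateImp and levState.state to sane values, since the hunk does not show that branch.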
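
Review bot: In the ubidiimp.h hunk carried by CVE-2015-8147.patch, state is widened to int32_t while stateImp stays int16_t, and nothing on the Isolate struct explains why the two now differ. Please add a comment on the fields stating what is stored in state and why 16 bits was too small, and confirm that stateImp cannot be truncated the same way. Moving state ahead of stateImp also changes the struct layout and size; that should be mentioned in the patch Description so a reader does not take the reorder for noise.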
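
Review bot: The "diff -Nru" line for debian/changelog at the top of the patch is followed by no hunk, so the changelog entry quoted in the bug body is not part of the patch as shown; please include it alongside the two lines added to debian/patches/series. The headers of both new patch files carry only Description and Origin; adding the DEP-3 Bug and Last-Update fields would make the backports easier to trace.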