Moritz Muehlenhoff <muehlenh...@univention.de> wrote:
> Package: icu
> Severity: grave
> Tags: security
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=765812 for
> details and references to patches.
>
> Cheers,
> Moritz
I'm uploading a new version momentarily to unstable to fix it. Sorry for the delay. I'm also preparing packages for stable-security and oldstable-security. The patch is trivial to backport. Should I do the uploads? I'm attaching the patches. If okay, I'll build against oldstable and stable and upload. --Jay
diff -urN ../icu-3.8.1-3+lenny2/debian/changelog ./debian/changelog --- ../icu-3.8.1-3+lenny2/debian/changelog 2012-01-21 19:52:51.000000000 -0500 +++ ./debian/changelog 2012-01-21 19:56:44.763574027 -0500 @@ -1,3 +1,9 @@ +icu (3.8.1-3+lenny3) oldstable-security; urgency=high + + * Apply patch CVE-2011-4599 to address a buffer overflow. + + -- Jay Berkenbilt <q...@debian.org> Sat, 21 Jan 2012 19:56:44 -0500 + icu (3.8.1-3+lenny2) stable-security; urgency=high * Apply patch CVE-2009-0153.patch to fix problem handling invalid byte diff -urN ../icu-3.8.1-3+lenny2/debian/patches/CVE-2011-4599.patch ./debian/patches/CVE-2011-4599.patch --- ../icu-3.8.1-3+lenny2/debian/patches/CVE-2011-4599.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2011-4599.patch 2012-01-21 19:55:47.099574235 -0500 @@ -0,0 +1,11 @@ +--- icu.orig/source/common/uloc.c 2007-12-12 13:57:24.000000000 -0500 ++++ icu/source/common/uloc.c 2012-01-21 19:54:19.603574549 -0500 +@@ -1716,7 +1716,7 @@ + /* Check for EURO variants. */ + sawEuro = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), "EURO", 4); + len -= sawEuro; +- if (sawEuro > 0 && name[len-1] == '_') { /* delete trailing '_' */ ++ if (sawEuro > 0 && len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */ + --len; + } +
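Review bot: the 3.8.1-3+lenny3 changelog entry should name the patch file the way the lenny2 entry below it does ("Apply patch CVE-2009-0153.patch to fix ..."): "Apply CVE-2011-4599.patch to address a buffer overflow in uloc.c" points a reader at both debian/patches/CVE-2011-4599.patch and the file it touches, which the current "Apply patch CVE-2011-4599" does not.

Review bot: the lenny diff adds debian/patches/CVE-2011-4599.patch but shows no change to the patch list, whereas the stable diff that follows also updates debian/patches/series; unless the lenny packaging applies every file under debian/patches on its own, the new patch will not be applied at build time, so please confirm the series/00list hunk is present or add it. On the uloc.c hunk itself: `len > 0` is the clause that stops the `name[len-1]` read once `len -= sawEuro` reaches 0, and `len <= nameCapacity` covers the case where `len` already exceeds the caller's buffer (the `_deleteVariant` call is limited to `nameCapacity-len`, so only the bookkeeping `len` can be out of range there). In that second case the trailing '_' is now left in place instead of stripped, which can make the length returned for a too-small buffer differ from the length returned when the buffer is large enough; a one-line comment at the site saying this is intentional would save the next reader from re-deriving it.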
diff -urN ../icu-4.4.1-7/debian/changelog ./debian/changelog --- ../icu-4.4.1-7/debian/changelog 2010-11-25 12:07:26.000000000 -0500 +++ ./debian/changelog 2012-01-21 20:04:32.591572352 -0500 @@ -1,3 +1,9 @@ +icu (4.4.1-8) stable-security; urgency=high + + * Add patch to address CVE-2011-4599, a potential buffer overflow. + + -- Jay Berkenbilt <q...@debian.org> Sat, 21 Jan 2012 20:04:26 -0500 + icu (4.4.1-7) testing-proposed-updates; urgency=high * Apply patch to fix Malayam rendering. (Closes: #591615) diff -urN ../icu-4.4.1-7/debian/patches/CVE-2011-4599.patch ./debian/patches/CVE-2011-4599.patch --- ../icu-4.4.1-7/debian/patches/CVE-2011-4599.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2011-4599.patch 2012-01-21 20:03:35.283572558 -0500 @@ -0,0 +1,22 @@ +Index: icu-4.4.1/source/common/uloc.c +=================================================================== +--- icu-4.4.1.orig/source/common/uloc.c 2010-04-28 11:27:40.000000000 -0400 ++++ icu-4.4.1/source/common/uloc.c 2012-01-21 20:03:30.423572573 -0500 +@@ -1736,7 +1736,7 @@ + int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n); + len -= variantLen; + if (variantLen > 0) { +- if (name[len-1] == '_') { /* delete trailing '_' */ ++ if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */ + --len; + } + addKeyword = VARIANT_MAP[j].keyword; +@@ -1744,7 +1744,7 @@ + break; + } + } +- if (name[len-1] == '_') { /* delete trailing '_' */ ++ if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */ + --len; + } + } diff -urN ../icu-4.4.1-7/debian/patches/series ./debian/patches/series --- ../icu-4.4.1-7/debian/patches/series 2010-11-25 12:05:25.000000000 -0500 +++ ./debian/patches/series 2012-01-21 20:02:07.283572873 -0500 @@ -5,3 +5,4 @@ arm-assembler.patch doc-gif.patch malayalam-rendering.patch +CVE-2011-4599.patch
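Review bot: the 4.4.1-8 changelog entry ("Add patch to address CVE-2011-4599, a potential buffer overflow.") and the lenny3 entry ("a buffer overflow") describe the same fix in different words; use one description for both security uploads and name CVE-2011-4599.patch and uloc.c in the entry so the changelog identifies what was changed.

Review bot: the guard added in the VARIANT_MAP loop hunk (`if (len > 0 && name[len-1] == '_')`) checks only `len > 0`, while the trailing-'_' check in the next hunk checks `len > 0 && len <= nameCapacity`. `len` at the loop site is likewise the result of `len -= variantLen` after a `_deleteVariant` call limited to `nameCapacity-len`, so if the upper bound is needed at the second site it appears to be needed at the first as well; either apply the same `len > 0 && len <= nameCapacity` guard at both sites, or add a comment explaining why `len` cannot exceed `nameCapacity` inside the loop. The 3.8.1 backport above applies both clauses to its single site, so the two uploads currently fix the same pattern differently.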