control: tag -1 patch Hi,
I've uploaded an nmu fixing this issue. Please see attached patch. Best wishes, Mike
diff -Nru icu-4.8.1.1/debian/changelog icu-4.8.1.1/debian/changelog
--- icu-4.8.1.1/debian/changelog 2013-08-22 00:01:15.000000000 +0000
+++ icu-4.8.1.1/debian/changelog 2013-10-27 04:11:40.000000000 +0000
@@ -1,3 +1,10 @@
+icu (4.8.1.1-13+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cve-2013-2924: use-after-free issue in csrucode.cpp (closes: #726477).
+
+ -- Michael Gilbert <mgilb...@debian.org> Sun, 27 Oct 2013 03:49:58 +0000
+
 icu (4.8.1.1-13) unstable; urgency=low
 * Multi-arch libicu-dev. Thanks Dmitrijs Ledkovs
diff -Nru icu-4.8.1.1/debian/patches/CVE-2013-2924.patch icu-4.8.1.1/debian/patches/CVE-2013-2924.patch
--- icu-4.8.1.1/debian/patches/CVE-2013-2924.patch 1970-01-01 00:00:00.000000000 +0000
+++ icu-4.8.1.1/debian/patches/CVE-2013-2924.patch 2013-10-27 04:11:45.000000000 +0000
@@ -0,0 +1,36 @@
+origin: https://ssl.icu-project.org/trac/changeset/34076
+Index: icu-4.8.1.1/source/i18n/csrucode.cpp
+===================================================================
+--- icu-4.8.1.1.orig/source/i18n/csrucode.cpp 2013-10-27 03:54:33.350069913 +0000
++++ icu-4.8.1.1/source/i18n/csrucode.cpp 2013-10-27 03:54:33.326069913 +0000
+@@ -31,8 +31,9 @@
+ int32_t CharsetRecog_UTF_16_BE::match(InputText* textIn)
+ {
+ const uint8_t *input = textIn->fRawInput;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFE && input[1] == 0xFF) {
++ if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+ return 100;
+ }
+
+@@ -53,8 +54,9 @@
+ int32_t CharsetRecog_UTF_16_LE::match(InputText* textIn)
+ {
+ const uint8_t *input = textIn->fRawInput;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++ if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+ return 100;
+ }
+
+@@ -76,7 +78,7 @@
+ bool hasBOM = FALSE;
+ int32_t confidence = 0;
+
+- if (getChar(input, 0) == 0x0000FEFFUL) {
++ if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+ hasBOM = TRUE;
+ }
+
diff -Nru icu-4.8.1.1/debian/patches/series icu-4.8.1.1/debian/patches/series
--- icu-4.8.1.1/debian/patches/series 2013-03-21 15:21:58.000000000 +0000
+++ icu-4.8.1.1/debian/patches/series 2013-10-27 04:11:45.000000000 +0000
@@ -10,3 +10,4 @@
 indic-ccmp.patch
 mlym-crash.patch
 CVE-2013-0900.patch
+CVE-2013-2924.patch
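Review bot: In the third csrucode.cpp hunk (`@@ -76,7 +78,7 @@`) the new `limit > 0` guard protects `getChar(input, 0)` only if a positive `limit` guarantees that every byte `getChar` reads is inside the buffer. Both `limit` and `getChar` are defined outside the hunk, so this cannot be confirmed from the patch. If `getChar` reads four bytes and `limit` is not already rounded down to a multiple of four, the check should be `if (limit >= 4 && getChar(input, 0) == 0x0000FEFFUL) {`. Otherwise a comment such as `// limit is a multiple of 4, so limit > 0 means input[0..3] is readable` would record the invariant next to the read. Separately, the UTF-16LE guard `length >= 4` means a two- or three-byte buffer starting with FF FE no longer matches, which is memory-safe but narrower than the BE check; `length >= 2 && input[0] == 0xFF && input[1] == 0xFE && (length < 4 || input[2] != 0x00 || input[3] != 0x00)` would keep the bounds check without dropping that case.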