control: tag -1 patch, pending

On Sat, Mar 14, 2015 at 9:48 PM, Michael Gilbert wrote:
> Google added another check in a later patch for this issue, which
> wasn't included in the previous nmu:

Hi,

I uploaded an nmu to delayed/3 fixing this problem.  Please see attached.

Best wishes,
Mike
diff -Nru icu-52.1/debian/changelog icu-52.1/debian/changelog
--- icu-52.1/debian/changelog	2015-02-16 02:35:11.000000000 +0000
+++ icu-52.1/debian/changelog	2015-03-15 02:05:39.000000000 +0000
@@ -1,3 +1,11 @@
+icu (52.1-7.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Apply a more complete fix for CVE-2014-7940 (closes: #780503).
+    - Thanks to Marc Deslauriers.
+
+ -- Michael Gilbert <mgilb...@debian.org>  Sun, 15 Mar 2015 01:57:48 +0000
+
 icu (52.1-7.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
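Review bot: The new 52.1-7.2 entry says only "Apply a more complete fix for CVE-2014-7940" and does not state what differs from 52.1-7.1. Suggest adding a sub-item saying that CVE-2014-7940.patch was updated to the later upstream col.patch and now carries the UCOL_ITER_HASLEN guard credited to Marc Deslauriers, so the changelog alone explains why a second urgency=high upload was needed.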
diff -Nru icu-52.1/debian/patches/CVE-2014-7940.patch icu-52.1/debian/patches/CVE-2014-7940.patch
--- icu-52.1/debian/patches/CVE-2014-7940.patch	2015-02-16 02:35:11.000000000 +0000
+++ icu-52.1/debian/patches/CVE-2014-7940.patch	2015-03-15 02:15:42.000000000 +0000
@@ -1,8 +1,12 @@
 description: uninitialized memory issue
-origin: https://chromium.googlesource.com/chromium/deps/icu/+/866ff696e9022a6000afbab516fba62cfa306075
+origin: https://chromium.googlesource.com/chromium/deps/icu/+/a626a75aad2675254073366fcaa9465dacf17100/patches/col.patch
 
---- icu-52.1.orig/source/i18n/ucol.cpp
-+++ icu-52.1/source/i18n/ucol.cpp
+Updated by Marc Deslauriers <marc.deslauri...@canonical.com> to also fix a
+regression when running the test suite because source->endp was being
+used without checking UCOL_ITER_HASLEN.
+
+--- a/source/i18n/ucol.cpp
++++ b/source/i18n/ucol.cpp
 @@ -2259,6 +2259,9 @@ inline UChar getNextNormalizedChar(collI
          if (data->pos + 1 == data->endp) {
              return *(data->pos ++);
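Review bot: In the header of CVE-2014-7940.patch, the new "origin:" line points at upstream's col.patch, but the "Updated by Marc Deslauriers" paragraph says the file was further changed to check UCOL_ITER_HASLEN, and "description:" still reads only "uninitialized memory issue" with no mention of the CVE or of #780503. Suggest marking the origin as modified (DEP-3 allows a category, for example "origin: backport, <url>") and adding a "bug-debian:" field for #780503, so the local delta against upstream is visible to whoever next refreshes this patch.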
@@ -13,13 +17,17 @@
      }
      else {
          if (innormbuf) {
-@@ -2821,7 +2824,13 @@ uint32_t ucol_prv_getSpecialCE(const UCo
+@@ -2820,8 +2823,16 @@ uint32_t ucol_prv_getSpecialCE(const UCo
+                                     goBackOne(source);
                                  }
                              }
-                         } else if (U16_IS_LEAD(schar)) {
+-                        } else if (U16_IS_LEAD(schar)) {
 -                            miss = U16_GET_SUPPLEMENTARY(schar, getNextNormalizedChar(source));
-+                            UChar nextChar = getNextNormalizedChar(source);
++                        } else if (U16_IS_LEAD(schar) &&
++                                   ((source->flags & UCOL_ITER_HASLEN) == 0 ||
++                                    source->pos + 1 < source->endp)) {
 +                            const UChar* prevPos = source->pos;
++                            UChar nextChar = getNextNormalizedChar(source);
 +                            if (U16_IS_TRAIL(nextChar)) {
 +                                miss = U16_GET_SUPPLEMENTARY(schar, nextChar);
 +                            } else if (prevPos < source->pos) {
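Review bot: The two-part guard added to "else if (U16_IS_LEAD(schar) && ..." has no comment in ucol.cpp itself explaining why source->endp is consulted only when UCOL_ITER_HASLEN is set; that rationale lives only in the patch header and will be lost once the patch is applied. Suggest a short comment above the condition. Two things are also worth confirming against the test suite: when the flag is clear, getNextNormalizedChar(source) is reached with no bound check at this call site, and when the flag is set, the test "source->pos + 1 < source->endp" skips the branch for the case "data->pos + 1 == data->endp" that getNextNormalizedChar handles by returning a character, so a lead surrogate in that position leaves "miss" uncomputed here. If both are intended, the comment should say so.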
