Your message dated Tue, 17 Oct 2017 05:49:03 +0000
with message-id <e1e4kkr-0009sv...@fasolo.debian.org>
and subject line Bug#878840: fixed in icu 57.1-7
has caused the Debian Bug report #878840,
regarding icu: CVE-2017-14952: Double free in i18n/zonemeta.cpp
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
878840: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878840
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: icu
Version: 57.1-6
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerability was published for icu.
CVE-2017-14952[0]:
| Double free in i18n/zonemeta.cpp in International Components for
| Unicode (ICU) for C/C++ through 59.1 allows remote attackers to
| execute arbitrary code via a crafted string, aka a "redundant UVector
| entry clean up function call" issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14952
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14952
[1] http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/
[2] https://ssl.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp
Please adjust the affected versions in the BTS as needed, unstable
seems to contain the issue, experimental not checked. Older versions
have as well not been verified.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: icu
Source-Version: 57.1-7
We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 878...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated icu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 17 Oct 2017 04:48:25 +0000
Source: icu
Binary: libicu57 libicu57-dbg libicu-dev icu-devtools icu-devtools-dbg icu-doc
Architecture: source amd64 all
Version: 57.1-7
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
icu-devtools - Development utilities for International Components for Unicode
icu-devtools-dbg - Development utilities for International Components for Unicode (d
icu-doc - API documentation for ICU classes and functions
libicu-dev - Development files for International Components for Unicode
libicu57 - International Components for Unicode
libicu57-dbg - International Components for Unicode (debug symbols)
Closes: 878840
Changes:
icu (57.1-7) unstable; urgency=high
.
* Backport upstream security fix for CVE-2017-14952: double free in
createMetazoneMappings() (closes: #878840).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---