Your message dated Sat, 28 Mar 2020 18:02:45 +0000
with message-id <e1jifnb-0003pk...@fasolo.debian.org>
and subject line Bug#953747: fixed in icu 63.1-6+deb10u1
has caused the Debian Bug report #953747,
regarding icu: CVE-2020-10531
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
953747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: icu
Version: 63.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/unicode-org/icu/pull/971

Hi,

The following vulnerability was published for icu.

CVE-2020-10531[0]:
| An issue was discovered in International Components for Unicode (ICU)
| for C/C++ through 66.1. An integer overflow, leading to a heap-based
| buffer overflow, exists in the UnicodeString::doAppend() function in
| common/unistr.cpp.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-10531
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=1044570 (not public)
[2] https://unicode-org.atlassian.net/browse/ICU-20958 (private)
[3] https://github.com/unicode-org/icu/pull/971
[4] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: icu
Source-Version: 63.1-6+deb10u1
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Mar 2020 18:49:33 +0000
Source: icu
Binary: icu-devtools icu-devtools-dbgsym icu-doc libicu-dev libicu63 libicu63-dbgsym
Architecture: source amd64 all
Version: 63.1-6+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 icu-devtools - Development utilities for International Components for Unicode
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu63   - International Components for Unicode
Closes: 953747
Changes:
 icu (63.1-6+deb10u1) buster-security; urgency=high
 .
   * Backport upstream security fix for CVE-2020-10531: SEGV_MAPERR in
     UnicodeString::doAppend() (closes: #953747).


--- End Message ---
