Search This Blog

Saturday, August 01, 2015

[SECURITY] [DSA 3323-1] icu security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3323-1 security@debian.org
https://www.debian.org/security/ Laszlo Boszormenyi
August 01, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icu
CVE ID : CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760
Debian Bug : 778511 784773

Several vulnerabilities were discovered in the International Components
for Unicode (ICU) library.

CVE-2014-8146

The Unicode Bidirectional Algorithm implementation does not properly
track directionally isolated pieces of text, which allows remote
attackers to cause a denial of service (heap-based buffer overflow)
or possibly execute arbitrary code via crafted text.

CVE-2014-8147

The Unicode Bidirectional Algorithm implementation uses an integer
data type that is inconsistent with a header file, which allows
remote attackers to cause a denial of service (incorrect malloc
followed by invalid free) or possibly execute arbitrary code via
crafted text.

CVE-2015-4760

The Layout Engine was missing multiple boundary checks. These could
lead to buffer overflows and memory corruption. A specially crafted
file could cause an application using ICU to parse untrusted font
files to crash and, possibly, execute arbitrary code.

Additionally, it was discovered that the patch applied to ICU in DSA-3187-1
for CVE-2014-6585 was incomplete, possibly leading to an invalid memory
access. This could allow remote attackers to disclose portion of private
memory via crafted font files.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.8.1.1-12+deb7u3.

For the stable distribution (jessie), these problems have been fixed in
version 52.1-8+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 52.1-10.

For the unstable distribution (sid), these problems have been fixed in
version 52.1-10.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVvO7bAAoJEK+lG9bN5XPLqVIP/2alCRdRKIAMleoNl1Eivpyz
bkOww5mqMUezKBN/vcuZuIXaCXDbmEedCuqYsBs3+bKjyUunudrcMBHJ7fJoV19U
5cPQO/JGZtL9WPl2HowuWcsApvitiHgc37kblSUr2trmGtMUjm8glVnrI97qty9e
Ory0Dbc8d4AYNlfV4jmJbqPXRRyxRFNObBwqoXvUNJ1sgUT1nyLt6QVYOqV07+Jy
Vw6JJeqryNdpeMMBcAOlnSLSbjmmAxXDjs2HxUqWqZg8RHnnn2Dr45MQK/dymkdj
xu2YBTT4cXAzvBtBTrpppj+9Dc+/nMfT47z1vncaiLFU8FBdt51Via8kutmut8ao
7zqqtcYiOn1/iUqxOOzlaqfVf+DMswhqaQmzGFNDI4ajMoC6M2Wf917AHt306W9p
Ekk6aS9uVWrdZd2O1IawZ+scFETitNSE9nkNTyfRo75RhfHexAY1W3oeoVfTGMR4
gH+vkvqE2vQVDLLOdZDaMCtCKrurHgPhX+VGdaoHW0QD7wuNEbXoC2jvln0NLm1t
VzHT3RtqdpmZvNGmCTL7muS/tVdgapNCavWEh4u1oDPB7DHDK8QYH4IJmi/sbfWP
a9HC61Utok3TV4m+/G7THx4gvvKb13/4wfL0WMU5WOAaLUOpqSxXcDqJH5syytEu
U5aclxl6oM8/CXeYbYQ8
=WKJI
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/20150801161459.71B087A@bendel.debian.org

No comments: