lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20150801161459.71B087A@bendel.debian.org>
Date: Sat, 01 Aug 2015 18:07:55 +0200
From: Laszlo Boszormenyi <gcs@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 3323-1] icu security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3323-1                   security@...ian.org
https://www.debian.org/security/                       Laszlo Boszormenyi
August 01, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icu
CVE ID         : CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760
Debian Bug     : 778511 784773

Several vulnerabilities were discovered in the International Components
for Unicode (ICU) library.

CVE-2014-8146

    The Unicode Bidirectional Algorithm implementation does not properly
    track directionally isolated pieces of text, which allows remote
    attackers to cause a denial of service (heap-based buffer overflow)
    or possibly execute arbitrary code via crafted text.

CVE-2014-8147

    The Unicode Bidirectional Algorithm implementation uses an integer
    data type that is inconsistent with a header file, which allows
    remote attackers to cause a denial of service (incorrect malloc
    followed by invalid free) or possibly execute arbitrary code via
    crafted text.

CVE-2015-4760

    The Layout Engine was missing multiple boundary checks. These could
    lead to buffer overflows and memory corruption. A specially crafted
    file could cause an application using ICU to parse untrusted font
    files to crash and, possibly, execute arbitrary code.

Additionally, it was discovered that the patch applied to ICU in DSA-3187-1
for CVE-2014-6585 was incomplete, possibly leading to an invalid memory
access. This could allow remote attackers to disclose portion of private
memory via crafted font files.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.8.1.1-12+deb7u3.

For the stable distribution (jessie), these problems have been fixed in
version 52.1-8+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 52.1-10.

For the unstable distribution (sid), these problems have been fixed in
version 52.1-10.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVvO7bAAoJEK+lG9bN5XPLqVIP/2alCRdRKIAMleoNl1Eivpyz
bkOww5mqMUezKBN/vcuZuIXaCXDbmEedCuqYsBs3+bKjyUunudrcMBHJ7fJoV19U
5cPQO/JGZtL9WPl2HowuWcsApvitiHgc37kblSUr2trmGtMUjm8glVnrI97qty9e
Ory0Dbc8d4AYNlfV4jmJbqPXRRyxRFNObBwqoXvUNJ1sgUT1nyLt6QVYOqV07+Jy
Vw6JJeqryNdpeMMBcAOlnSLSbjmmAxXDjs2HxUqWqZg8RHnnn2Dr45MQK/dymkdj
xu2YBTT4cXAzvBtBTrpppj+9Dc+/nMfT47z1vncaiLFU8FBdt51Via8kutmut8ao
7zqqtcYiOn1/iUqxOOzlaqfVf+DMswhqaQmzGFNDI4ajMoC6M2Wf917AHt306W9p
Ekk6aS9uVWrdZd2O1IawZ+scFETitNSE9nkNTyfRo75RhfHexAY1W3oeoVfTGMR4
gH+vkvqE2vQVDLLOdZDaMCtCKrurHgPhX+VGdaoHW0QD7wuNEbXoC2jvln0NLm1t
VzHT3RtqdpmZvNGmCTL7muS/tVdgapNCavWEh4u1oDPB7DHDK8QYH4IJmi/sbfWP
a9HC61Utok3TV4m+/G7THx4gvvKb13/4wfL0WMU5WOAaLUOpqSxXcDqJH5syytEu
U5aclxl6oM8/CXeYbYQ8
=WKJI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ