
please test update to the icu package (CVE-2015-4844, CVE-2016-0494)



Hi,

I have spent some time trying to untangle the patches for the `icu`
package which has been noted as a priority package by LTS sponsors
here. Two issues are pending in the package:

https://security-tracker.debian.org/tracker/CVE-2015-4844
https://security-tracker.debian.org/tracker/CVE-2016-0494

CVE-2016-0494 was *introduced* through the fix for CVE-2015-4844, which
was itself never applied to icu. So in effect, icu is currently only
vulnerable to CVE-2015-4844.

The CVE-2015-4844 patch didn't apply completely cleanly, one chunk
failing. I don't believe that chunk is necessary, since
subtableHeader.addOffset() is called at the end of the loop, without any
extra statement after it. The next loop iteration will do the check
directly, so no extra break is necessary.

The CVE-2016-0494 patch then applies cleanly. Also, as recommended in
the upstream ticket 12020, I have added the -fno-strict-overflow flag to
CFLAGS, both in the debian/rules file and in the upstream runConfigure
script (which we don't use, but that is probably the right thing to do
for upstream).

I have sent the two patches upstream here, reviews would be appreciated:

https://ssl.icu-project.org/trac/ticket/12020#comment:5

Note that it seems the patches were assigned backwards in the security
tracker: dbb4e2bdfa9e was assigned to CVE-2016-0494 and f556d4c82ef1 was
assigned to CVE-2015-4844. Not sure how that happened, but it made
untangling this stuff pretty hard. I am also basically trusting the
folks at Red Hat and on the upstream Trac for the patches: I haven't
audited the code myself.

Oracle hasn't disclosed the exact scope of the vulnerability, so it is
unfortunately impossible to test if the fix is correct. I am also not
very familiar with the ICU library, so I would like users here to test
the packages if they can:

deb https://people.debian.org/~anarcat/debian squeeze-lts/
deb-src https://people.debian.org/~anarcat/debian squeeze-lts/

I am still building the amd64 library here, I will put it online
there shortly.

Finally, please note that the CVE-2016-0494 patch still has to be
backported to the OpenJDK 6 that lives in squeeze. CVE-2015-4844 has
already been fixed in OpenJDK 6.

A.

-- 
VBScript: the simplicity of C, the power of BASIC
                        - Mathieu Petit-Clair
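The message above adds -fno-strict-overflow to CFLAGS on the advice of the upstream ticket. The following is an added illustration of why that flag matters for bounds checks; it is not code from the ICU patches, from the ICU source, or from the author of the message. The function names and the offset/length/size inputs are made up and stand in for the general pattern of an offset-plus-length check, not for any specific line in ICU.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Added illustration, not ICU code. The functions and inputs here are
 * assumptions chosen to show the general offset-plus-length bounds check
 * pattern that the -fno-strict-overflow advice is about.
 */

/*
 * Guard written in terms of signed wraparound. Signed overflow is
 * undefined behaviour in C, so with strict-overflow optimization a
 * compiler may conclude that `offset + length < offset` can never be
 * true for a non-negative length and delete the guard entirely.
 * Building with -fno-strict-overflow stops GCC from optimizing on the
 * assumption that signed overflow cannot happen, which is why the flag
 * is a useful safety net for code that still contains checks of this
 * shape. The result for inputs that actually overflow is not defined by
 * the language, so callers must not depend on it at any flag setting.
 */
int in_bounds_wrapping_guard(int offset, int length, int size)
{
    if (offset < 0 || length < 0)
        return 0;
    if (offset + length < offset)      /* overflow guard the compiler may remove */
        return 0;
    return offset + length <= size;
}

/*
 * The same check without relying on overflow: decide whether the
 * addition would exceed INT_MAX before performing it. This is well
 * defined at every optimization level and needs no special flags.
 */
int in_bounds_checked(int offset, int length, int size)
{
    if (offset < 0 || length < 0 || size < 0)
        return 0;
    if (length > INT_MAX - offset)     /* the sum would overflow: reject */
        return 0;
    return offset + length <= size;
}

int main(void)
{
    /* Constructed inputs: a 100-byte buffer with a few candidate ranges. */
    int size = 100;
    printf("10+20 in 100: %d\n", in_bounds_checked(10, 20, size));
    printf("60+50 in 100: %d\n", in_bounds_checked(60, 50, size));
    printf("10+INT_MAX in 100: %d\n", in_bounds_checked(10, INT_MAX, size));
    return 0;
}
```

Compiling the first function with `cc -O2` and with `cc -O2 -fno-strict-overflow` and comparing the generated assembly shows whether the guard survived; the second function gives the same machine code either way, which is the form a backport should prefer where it is practical to change the check itself.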

