Bug#775968: unblock: icu/52.1-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package icu
A small, localized fix to ICU fixes CVE-2014-6591 and CVE-2014-6585. ICU
passes its test suite after application of this patch. The security team
requested that this be included for Jessie. See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775884 for additional
details.
unblock icu/52.1-7
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru icu-52.1/debian/changelog icu-52.1/debian/changelog
--- icu-52.1/debian/changelog 2014-09-29 10:27:22.000000000 -0400
+++ icu-52.1/debian/changelog 2015-01-21 21:47:39.000000000 -0500
@@ -1,3 +1,10 @@
+icu (52.1-7) unstable; urgency=high
+
+ * Patch to CVE-2014-6591, CVE-2014-6585 a font parsing bug.
+ (Closes: #775884)
+
+ -- Jay Berkenbilt <qjb@debian.org> Wed, 21 Jan 2015 21:33:19 -0500
+
icu (52.1-6) unstable; urgency=medium
* Ensure that only flags intended to be set by users make it into
diff -Nru icu-52.1/debian/patches/CVE-2014-6591.patch icu-52.1/debian/patches/CVE-2014-6591.patch
--- icu-52.1/debian/patches/CVE-2014-6591.patch 1969-12-31 19:00:00.000000000 -0500
+++ icu-52.1/debian/patches/CVE-2014-6591.patch 2015-01-21 21:47:39.000000000 -0500
@@ -0,0 +1,59 @@
+Description: fix ICU font parsing problem
+Bug-Debian: http://bugs.debian.org/775884
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591
+
+Index: icu/source/layout/CursiveAttachmentSubtables.cpp
+===================================================================
+--- icu.orig/source/layout/CursiveAttachmentSubtables.cpp
++++ icu/source/layout/CursiveAttachmentSubtables.cpp
+@@ -20,6 +20,9 @@ le_uint32 CursiveAttachmentSubtable::pro
+ le_int32 coverageIndex = getGlyphCoverage(base, glyphID, success);
+ le_uint16 eeCount = SWAPW(entryExitCount);
+
++ LEReferenceToArrayOf<EntryExitRecord>
++ entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex);
++
+ if (coverageIndex < 0 || coverageIndex >= eeCount) {
+ glyphIterator->setCursiveGlyph();
+ return 0;
+Index: icu/source/layout/Features.cpp
+===================================================================
+--- icu.orig/source/layout/Features.cpp
++++ icu/source/layout/Features.cpp
+@@ -15,6 +15,9 @@ U_NAMESPACE_BEGIN
+
+ LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
+ {
++ LEReferenceToArrayOf<FeatureRecord>
++ featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
++
+ if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
+ return LEReferenceTo<FeatureTable>();
+ }
+Index: icu/source/layout/LigatureSubstSubtables.cpp
+===================================================================
+--- icu.orig/source/layout/LigatureSubstSubtables.cpp
++++ icu/source/layout/LigatureSubstSubtables.cpp
+@@ -27,6 +27,9 @@ le_uint32 LigatureSubstitutionSubtable::
+ Offset ligTableOffset = SWAPW(ligSetTable->ligatureTableOffsetArray[lig]);
+ const LigatureTable *ligTable = (const LigatureTable *) ((char *)ligSetTable + ligTableOffset);
+ le_uint16 compCount = SWAPW(ligTable->compCount) - 1;
++ LEReferenceToArrayOf<TTGlyphID>
++ componentArrayRef(base, success, ligTable->componentArray, compCount);
++ if (LE_FAILURE(success)) { return 0; }
+ le_int32 startPosition = glyphIterator->getCurrStreamPosition();
+ TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph);
+ le_uint16 comp;
+Index: icu/source/layout/MultipleSubstSubtables.cpp
+===================================================================
+--- icu.orig/source/layout/MultipleSubstSubtables.cpp
++++ icu/source/layout/MultipleSubstSubtables.cpp
+@@ -35,6 +35,8 @@ le_uint32 MultipleSubstitutionSubtable::
+
+ le_int32 coverageIndex = getGlyphCoverage(base, glyph, success);
+ le_uint16 seqCount = SWAPW(sequenceCount);
++ LEReferenceToArrayOf<Offset>
++ sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount);
+
+ if (coverageIndex >= 0 && coverageIndex < seqCount) {
+ Offset sequenceTableOffset = SWAPW(sequenceTableOffsetArray[coverageIndex]);
diff -Nru icu-52.1/debian/patches/series icu-52.1/debian/patches/series
--- icu-52.1/debian/patches/series 2014-09-29 10:27:22.000000000 -0400
+++ icu-52.1/debian/patches/series 2015-01-21 21:47:39.000000000 -0500
@@ -6,3 +6,4 @@
mlym-crash.patch
two-digit-year-test.patch
icu-config.patch
+CVE-2014-6591.patch
Reply to: