Bug#880862: stretch-pu: package icu/57.1-6+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi SRMs,
There's a security vulnerability[1] in ICU - International Components
for Unicode, which doesn't warrant a DSA. It's an one line change and
would be good to have it for Stretch.
Thanks for considering,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/CVE-2017-14952
diff -Nru icu-57.1/debian/changelog icu-57.1/debian/changelog
--- icu-57.1/debian/changelog 2017-04-16 08:50:52.000000000 +0000
+++ icu-57.1/debian/changelog 2017-10-24 17:28:30.000000000 +0000
@@ -1,3 +1,10 @@
+icu (57.1-6+deb9u1) stretch; urgency=high
+
+ * Backport upstream security fix for CVE-2017-14952: double free in
+ createMetazoneMappings() (closes: #878840).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Tue, 24 Oct 2017 17:28:30 +0000
+
icu (57.1-6) unstable; urgency=high
* Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868,
diff -Nru icu-57.1/debian/patches/CVE-2017-14952.patch icu-57.1/debian/patches/CVE-2017-14952.patch
--- icu-57.1/debian/patches/CVE-2017-14952.patch 1970-01-01 00:00:00.000000000 +0000
+++ icu-57.1/debian/patches/CVE-2017-14952.patch 2017-10-24 17:28:30.000000000 +0000
@@ -0,0 +1,10 @@
+Index: source/i18n/zonemeta.cpp
+===================================================================
+--- a/source/i18n/zonemeta.cpp (revision 40283)
++++ b/source/i18n/zonemeta.cpp (revision 40324)
+@@ -682,5 +682,4 @@
+ if (U_FAILURE(status)) {
+ delete mzMappings;
+- deleteOlsonToMetaMappingEntry(entry);
+ uprv_free(entry);
+ break;
diff -Nru icu-57.1/debian/patches/series icu-57.1/debian/patches/series
--- icu-57.1/debian/patches/series 2017-04-16 08:50:35.000000000 +0000
+++ icu-57.1/debian/patches/series 2017-10-24 17:28:30.000000000 +0000
@@ -10,3 +10,4 @@
CVE-2016-6293.patch
CVE-2016-7415.patch
CVE-2017-7867_CVE-2017-7868.patch
+CVE-2017-14952.patch
Reply to: