Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package icu A small, localized fix to ICU fixes CVE-2014-6591 and CVE-2014-6585. ICU passes its test suite after application of this patch. The security team requested that this be included for Jessie. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775884 for additional details. unblock icu/52.1-7 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru icu-52.1/debian/changelog icu-52.1/debian/changelog --- icu-52.1/debian/changelog 2014-09-29 10:27:22.000000000 -0400 +++ icu-52.1/debian/changelog 2015-01-21 21:47:39.000000000 -0500 @@ -1,3 +1,10 @@ +icu (52.1-7) unstable; urgency=high + + * Patch to CVE-2014-6591, CVE-2014-6585 a font parsing bug. + (Closes: #775884) + + -- Jay Berkenbilt <q...@debian.org> Wed, 21 Jan 2015 21:33:19 -0500 + icu (52.1-6) unstable; urgency=medium * Ensure that only flags intended to be set by users make it into diff -Nru icu-52.1/debian/patches/CVE-2014-6591.patch icu-52.1/debian/patches/CVE-2014-6591.patch --- icu-52.1/debian/patches/CVE-2014-6591.patch 1969-12-31 19:00:00.000000000 -0500 +++ icu-52.1/debian/patches/CVE-2014-6591.patch 2015-01-21 21:47:39.000000000 -0500 @@ -0,0 +1,59 @@ +Description: fix ICU font parsing problem +Bug-Debian: http://bugs.debian.org/775884 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591 + +Index: icu/source/layout/CursiveAttachmentSubtables.cpp +=================================================================== +--- icu.orig/source/layout/CursiveAttachmentSubtables.cpp ++++ icu/source/layout/CursiveAttachmentSubtables.cpp +@@ -20,6 +20,9 @@ le_uint32 CursiveAttachmentSubtable::pro + le_int32 coverageIndex = getGlyphCoverage(base, glyphID, success); + le_uint16 eeCount = SWAPW(entryExitCount); + ++ LEReferenceToArrayOf<EntryExitRecord> ++ entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex); ++ + if (coverageIndex < 0 || coverageIndex >= eeCount) { + glyphIterator->setCursiveGlyph(); + return 0; +Index: icu/source/layout/Features.cpp +=================================================================== +--- icu.orig/source/layout/Features.cpp ++++ icu/source/layout/Features.cpp +@@ -15,6 +15,9 @@ U_NAMESPACE_BEGIN + + LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const + { ++ LEReferenceToArrayOf<FeatureRecord> ++ featureRecordArrayRef(base, success, featureRecordArray, featureIndex); ++ + if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) { + return LEReferenceTo<FeatureTable>(); + } +Index: icu/source/layout/LigatureSubstSubtables.cpp +=================================================================== +--- icu.orig/source/layout/LigatureSubstSubtables.cpp ++++ icu/source/layout/LigatureSubstSubtables.cpp +@@ -27,6 +27,9 @@ le_uint32 LigatureSubstitutionSubtable:: + Offset ligTableOffset = SWAPW(ligSetTable->ligatureTableOffsetArray[lig]); + const LigatureTable *ligTable = (const LigatureTable *) ((char *)ligSetTable + ligTableOffset); + le_uint16 compCount = SWAPW(ligTable->compCount) - 1; ++ LEReferenceToArrayOf<TTGlyphID> ++ componentArrayRef(base, success, ligTable->componentArray, compCount); ++ if (LE_FAILURE(success)) { return 0; } + le_int32 startPosition = glyphIterator->getCurrStreamPosition(); + TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph); + le_uint16 comp; +Index: icu/source/layout/MultipleSubstSubtables.cpp +=================================================================== +--- icu.orig/source/layout/MultipleSubstSubtables.cpp ++++ icu/source/layout/MultipleSubstSubtables.cpp +@@ -35,6 +35,8 @@ le_uint32 MultipleSubstitutionSubtable:: + + le_int32 coverageIndex = getGlyphCoverage(base, glyph, success); + le_uint16 seqCount = SWAPW(sequenceCount); ++ LEReferenceToArrayOf<Offset> ++ sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount); + + if (coverageIndex >= 0 && coverageIndex < seqCount) { + Offset sequenceTableOffset = SWAPW(sequenceTableOffsetArray[coverageIndex]); diff -Nru icu-52.1/debian/patches/series icu-52.1/debian/patches/series --- icu-52.1/debian/patches/series 2014-09-29 10:27:22.000000000 -0400 +++ icu-52.1/debian/patches/series 2015-01-21 21:47:39.000000000 -0500 @@ -6,3 +6,4 @@ mlym-crash.patch two-digit-year-test.patch icu-config.patch +CVE-2014-6591.patch