Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Hi

On Fri, Nov 25, 2016 at 07:17:41PM +0100, László Böszörményi (GCS) wrote:
> On Fri, Nov 25, 2016 at 7:01 PM, Salvatore Bonaccorso wrote:
> > On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> > According to upstream this has been fixed in 58.1 upstream. The bug is
> > still not public, but this is as by
> > https://sites.google.com/site/icusite/security .
> Seen that some minutes ago - but still don't have any clue why ICU
> upstream keep the actual fixing commit secret. Will check commits one
> by one, the question is, if I find a suspected fix, may you or anyone
> else from the Security Team double check it?

Keeping in mind my limited familiarity with icu, sure if you find it I can have a look or someone else of the team. OTOH, hopefully those bugs get opened soonish. Everyone might profit from it to understand the issues better.

Regards,
Salvatore
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
On Fri, Nov 25, 2016 at 7:01 PM, Salvatore Bonaccorso wrote:
> On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> According to upstream this has been fixed in 58.1 upstream. The bug is
> still not public, but this is as by
> https://sites.google.com/site/icusite/security .

Seen that some minutes ago - but still don't have any clue why ICU upstream keep the actual fixing commit secret. Will check commits one by one, the question is, if I find a suspected fix, may you or anyone else from the Security Team double check it?

Thanks,
Laszlo/GCS
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Control: fixed -1 58.1-1

Hi,

On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> Hi Salvatore,
>
> Thanks for the ping and the actual ICU bug link.
>
> On Fri, Nov 18, 2016 at 3:34 PM, Salvatore Bonaccorso wrote:
> > According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
> > there is now an upstream bug about the issue, but unfortunately for
> > some reason it is still marked as private.
> >
> > http://bugs.icu-project.org/trac/ticket/12745
> That's for two weeks now! I don't see a reason why this vulnerability
> takes such long to fix in ICU. :( Hopefully it will be open in time
> for Stretch. :-/

According to upstream this has been fixed in 58.1 upstream. The bug is still not public, but this is as by https://sites.google.com/site/icusite/security .

Regards,
Salvatore
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Hi Salvatore,

Thanks for the ping and the actual ICU bug link.

On Fri, Nov 18, 2016 at 3:34 PM, Salvatore Bonaccorso wrote:
> According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
> there is now an upstream bug about the issue, but unfortunately for
> some reason it is still marked as private.
>
> http://bugs.icu-project.org/trac/ticket/12745

That's for two weeks now! I don't see a reason why this vulnerability takes such long to fix in ICU. :( Hopefully it will be open in time for Stretch. :-/

Cheers,
Laszlo/GCS
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Hi,

On Tue, Oct 25, 2016 at 11:42:16AM -0400, Roberto C. Sánchez wrote:
> On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> > I don't know more about this issue - upstream keep such bugreports
> > secret, if any. I don't have a good connection with them (yet), but
> > will try to know more about this.
> >
> Hi Laszlo,
>
> Have you been able to contact upstream regarding this issue? Can I help
> in any way?

According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5 there is now an upstream bug about the issue, but unfortunately for some reason it is still marked as private.

http://bugs.icu-project.org/trac/ticket/12745

Regards,
Salvatore
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> I don't know more about this issue - upstream keep such bugreports
> secret, if any. I don't have a good connection with them (yet), but
> will try to know more about this.
>
Hi Laszlo,

Have you been able to contact upstream regarding this issue? Can I help in any way?

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> > Laszlo, do you know more already? Other distributions seem in the same
> > boat, like Red Hat in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3
> Sorry, I was on a trip and just arrived back on Sunday evening. Did
> an other security upload and then killed my machine. Minus one
> keyboard (a special one) and a monitor. Only now could boot the
> remaining hardware.
> I don't know more about this issue - upstream keep such bugreports
> secret, if any. I don't have a good connection with them (yet), but
> will try to know more about this.

Ack and thanks a lot already!

Regards,
Salvatore
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
On Mon, Oct 3, 2016 at 2:37 PM, Salvatore Bonaccorso wrote:
> On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
>> I tried for quite some time to reproduce this based on the original PHP
>> bug report, but I was unable. I have annotated the security tracker
>> with my (lack of) findings so far.

That doesn't mean it's not vulnerable as Salvatore already noted.

> Laszlo, do you know more already? Other distributions seem in the same
> boat, like Red Hat in
> https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3

Sorry, I was on a trip and just arrived back on Sunday evening. Did an other security upload and then killed my machine. Minus one keyboard (a special one) and a monitor. Only now could boot the remaining hardware.
I don't know more about this issue - upstream keep such bugreports secret, if any. I don't have a good connection with them (yet), but will try to know more about this.

Regards,
Laszlo/GCS
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
On Mon, Oct 03, 2016 at 02:37:07PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
> > On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> > >
> > > I am currently preparing an LTS upload for this vulnerability.
> > >
> > I tried for quite some time to reproduce this based on the original PHP
> > bug report, but I was unable. I have annotated the security tracker
> > with my (lack of) findings so far.
>
> That's okay. Just please remember that lack of reproducibility for an
> issue does not mean it's not present. In my initial mail I asked
> Laszlo if he can forward this to upstream and/if this is already known
> to upstream (which I hope in meanwhile it is). But I have not found an
> upstream ticket on this issue yet.
>
> Laszlo, do you know more already? Other distributions seem in the same
> boat, like Red Hat in
> https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3
>
Good to know. I can contact upstream if that would help.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Hi

On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
> On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> >
> > I am currently preparing an LTS upload for this vulnerability.
> >
> I tried for quite some time to reproduce this based on the original PHP
> bug report, but I was unable. I have annotated the security tracker
> with my (lack of) findings so far.

That's okay. Just please remember that lack of reproducibility for an issue does not mean it's not present. In my initial mail I asked Laszlo if he can forward this to upstream and/if this is already known to upstream (which I hope in meanwhile it is). But I have not found an upstream ticket on this issue yet.

Laszlo, do you know more already? Other distributions seem in the same boat, like Red Hat in https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3

Regards,
Salvatore
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
>
> I am currently preparing an LTS upload for this vulnerability.
>
I tried for quite some time to reproduce this based on the original PHP bug report, but I was unable. I have annotated the security tracker with my (lack of) findings so far.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
found 838694 4.8.1.1-12+deb7u3
found 838694 4.8.1.1-12+deb7u5
thanks

On Fri, Sep 23, 2016 at 07:26:28PM +0200, Salvatore Bonaccorso wrote:
>
> the following vulnerability was published for icu.
>
> CVE-2016-7415[0]:
> | Stack-based buffer overflow in the Locale class in common/locid.cpp in
> | International Components for Unicode (ICU) through 57.1 for C/C++
> | allows remote attackers to cause a denial of service (application
> | crash) or possibly have unspecified other impact via a long locale
> | string.
>
I am currently preparing an LTS upload for this vulnerability.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp
Source: icu
Version: 52.1-8
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for icu.

CVE-2016-7415[0]:
| Stack-based buffer overflow in the Locale class in common/locid.cpp in
| International Components for Unicode (ICU) through 57.1 for C/C++
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a long locale
| string.

The PHP Project indicated in [1] that it was an underlying issue in icu, and thus MITRE assigned CVE-2016-7415 for the ICU specific issue.

Could you bring this to upstream? Is there a ticket upstream already filed about it, and if not can you please forward the issue?

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7415
[1] https://bugs.php.net/bug.php?id=73007

Regards,
Salvatore