Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-11-25 Thread Salvatore Bonaccorso
Hi

On Fri, Nov 25, 2016 at 07:17:41PM +0100, László Böszörményi (GCS) wrote:
> On Fri, Nov 25, 2016 at 7:01 PM, Salvatore Bonaccorso wrote:
> > On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> > According to upstream this has been fixed in 58.1 upstream. The bug is
> > still not public, but this is as by
> > https://sites.google.com/site/icusite/security .
>  Seen that some minutes ago - but still don't have any clue why ICU
> upstream keep the actual fixing commit secret. Will check commits one
> by one, the question is, if I find a suspected fix, may you or anyone
> else from the Security Team double check it?

Keeping in mind my limited familiarity with icu, sure if you find it I
can have a look or someone else of the team.

OTOH, hopefully those bugs get opened soonish. Everyone might profit
from it to understand the issues better.

Regards,
Salvatore



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-11-25 Thread GCS
On Fri, Nov 25, 2016 at 7:01 PM, Salvatore Bonaccorso wrote:
> On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> According to upstream this has been fixed in 58.1 upstream. The bug is
> still not public, but this is as by
> https://sites.google.com/site/icusite/security .
 Seen that some minutes ago - but still don't have any clue why ICU
upstream keep the actual fixing commit secret. Will check commits one
by one, the question is, if I find a suspected fix, may you or anyone
else from the Security Team double check it?

Thanks,
Laszlo/GCS



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-11-25 Thread Salvatore Bonaccorso
Control: fixed -1 58.1-1

Hi,

On Fri, Nov 18, 2016 at 06:38:57PM +0100, László Böszörményi wrote:
> Hi Salvatore,
> 
> Thanks for the ping and the actual ICU bug link.
> 
> On Fri, Nov 18, 2016 at 3:34 PM, Salvatore Bonaccorso wrote:
> > According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
> > there is now an upstream bug about the issue, but unfortunately for
> > some reason it is still marked as private.
> >
> > http://bugs.icu-project.org/trac/ticket/12745
>  That's for two weeks now! I don't see a reason why this vulnerability
> takes so long to fix in ICU. :( Hopefully it will be open in time
> for Stretch. :-/

According to upstream this has been fixed in 58.1 upstream. The bug is
still not public, but this is as by
https://sites.google.com/site/icusite/security .

Regards,
Salvatore



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-11-18 Thread GCS
Hi Salvatore,

Thanks for the ping and the actual ICU bug link.

On Fri, Nov 18, 2016 at 3:34 PM, Salvatore Bonaccorso wrote:
> According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
> there is now an upstream bug about the issue, but unfortunately for
> some reason it is still marked as private.
>
> http://bugs.icu-project.org/trac/ticket/12745
 That's for two weeks now! I don't see a reason why this vulnerability
takes so long to fix in ICU. :( Hopefully it will be open in time
for Stretch. :-/

Cheers,
Laszlo/GCS



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-11-18 Thread Salvatore Bonaccorso
Hi,

On Tue, Oct 25, 2016 at 11:42:16AM -0400, Roberto C. Sánchez wrote:
> On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> > I don't know more about this issue - upstream keep such bugreports
> > secret, if any. I don't have a good connection with them (yet), but
> > will try to know more about this.
> > 
> Hi Laszlo,
> 
> Have you been able to contact upstream regarding this issue?  Can I help
> in any way?

According to https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c5
there is now an upstream bug about the issue, but unfortunately for
some reason it is still marked as private.

http://bugs.icu-project.org/trac/ticket/12745

Regards,
Salvatore



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-10-25 Thread Roberto C . Sánchez
On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> I don't know more about this issue - upstream keep such bugreports
> secret, if any. I don't have a good connection with them (yet), but
> will try to know more about this.
> 
Hi Laszlo,

Have you been able to contact upstream regarding this issue?  Can I help
in any way?

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-10-04 Thread Salvatore Bonaccorso
On Tue, Oct 04, 2016 at 10:59:52PM +0200, László Böszörményi (GCS) wrote:
> > Laszlo, do you know more already? Other distributions seem in the same
> > boat, like Red Hat in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3
>  Sorry, I was on a trip and just arrived back on Sunday evening. Did
> another security upload and then killed my machine. Minus one
> keyboard (a special one) and a monitor. Only now could boot the
> remaining hardware.
> I don't know more about this issue - upstream keep such bugreports
> secret, if any. I don't have a good connection with them (yet), but
> will try to know more about this.

Ack and thanks a lot already!

Regards,
Salvatore



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-10-04 Thread GCS
On Mon, Oct 3, 2016 at 2:37 PM, Salvatore Bonaccorso wrote:
> On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
>> I tried for quite some time to reproduce this based on the original PHP
>> bug report, but I was unable.  I have annotated the security tracker
>> with my (lack of) findings so far.
 That doesn't mean it's not vulnerable as Salvatore already noted.

> Laszlo, do you know more already? Other distributions seem in the same
> boat, like Red Hat in
> https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3
 Sorry, I was on a trip and just arrived back on Sunday evening. Did
another security upload and then killed my machine. Minus one
keyboard (a special one) and a monitor. Only now could boot the
remaining hardware.
I don't know more about this issue - upstream keep such bugreports
secret, if any. I don't have a good connection with them (yet), but
will try to know more about this.

Regards,
Laszlo/GCS



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-10-03 Thread Roberto C . Sánchez
On Mon, Oct 03, 2016 at 02:37:07PM +0200, Salvatore Bonaccorso wrote:
> Hi 
> 
> On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
> > On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> > > 
> > > I am currently preparing an LTS upload for this vulnerability.
> > > 
> > I tried for quite some time to reproduce this based on the original PHP
> > bug report, but I was unable.  I have annotated the security tracker
> > with my (lack of) findings so far.
> 
> That's okay. Just please remember that lack of reproducibility for an
> issue does not mean it's not present. In my initial mail I asked
> Laszlo if he can forward this to upstream and/if this is already known
> to upstream (which I hope in the meanwhile it is). But I have not found an
> upstream ticket on this issue yet.
> 
> Laszlo, do you know more already? Other distributions seem in the same
> boat, like Red Hat in
> https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3 
> 
Good to know.  I can contact upstream if that would help.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-10-03 Thread Salvatore Bonaccorso
Hi 

On Sat, Oct 01, 2016 at 08:45:20PM -0400, Roberto C. Sánchez wrote:
> On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> > 
> > I am currently preparing an LTS upload for this vulnerability.
> > 
> I tried for quite some time to reproduce this based on the original PHP
> bug report, but I was unable.  I have annotated the security tracker
> with my (lack of) findings so far.

That's okay. Just please remember that lack of reproducibility for an
issue does not mean it's not present. In my initial mail I asked
Laszlo if he can forward this to upstream and/if this is already known
to upstream (which I hope in the meanwhile it is). But I have not found an
upstream ticket on this issue yet.

Laszlo, do you know more already? Other distributions seem in the same
boat, like Red Hat in
https://bugzilla.redhat.com/show_bug.cgi?id=1377361#c3 

Regards,
Salvatore



Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-10-01 Thread Roberto C . Sánchez
On Fri, Sep 30, 2016 at 07:45:33AM -0400, Roberto C. Sánchez wrote:
> 
> I am currently preparing an LTS upload for this vulnerability.
> 
I tried for quite some time to reproduce this based on the original PHP
bug report, but I was unable.  I have annotated the security tracker
with my (lack of) findings so far.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-09-30 Thread Roberto C . Sánchez
found 838694 4.8.1.1-12+deb7u3
found 838694 4.8.1.1-12+deb7u5
thanks

On Fri, Sep 23, 2016 at 07:26:28PM +0200, Salvatore Bonaccorso wrote:
> 
> the following vulnerability was published for icu.
> 
> CVE-2016-7415[0]:
> | Stack-based buffer overflow in the Locale class in common/locid.cpp in
> | International Components for Unicode (ICU) through 57.1 for C/C++
> | allows remote attackers to cause a denial of service (application
> | crash) or possibly have unspecified other impact via a long locale
> | string.
> 

I am currently preparing an LTS upload for this vulnerability.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-09-23 Thread Salvatore Bonaccorso
Source: icu
Version: 52.1-8
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for icu.

CVE-2016-7415[0]:
| Stack-based buffer overflow in the Locale class in common/locid.cpp in
| International Components for Unicode (ICU) through 57.1 for C/C++
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a long locale
| string.

The PHP Project indicated in [1] that it was an underlying issue in
icu, and thus MITRE assigned CVE-2016-7415 for the ICU specific issue.
Could you bring this to upstream? Is there a ticket upstream already
filed about it, and if not can you please forward the issue?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7415
[1] https://bugs.php.net/bug.php?id=73007

Regards,
Salvatore