Linux Security
Linux Security
Linux Security

Debian: DSA-3323-1: icu security update

Date 01 Aug 2015
465
Posted By LinuxSecurity Advisories
Several vulnerabilities were discovered in the International Components for Unicode (ICU) library. CVE-2014-8146

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3323-1                   This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.debian.org/security/                       Laszlo Boszormenyi
August 01, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icu
CVE ID         : CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760
Debian Bug     : 778511 784773

Several vulnerabilities were discovered in the International Components
for Unicode (ICU) library.

CVE-2014-8146

    The Unicode Bidirectional Algorithm implementation does not properly
    track directionally isolated pieces of text, which allows remote
    attackers to cause a denial of service (heap-based buffer overflow)
    or possibly execute arbitrary code via crafted text.

CVE-2014-8147

    The Unicode Bidirectional Algorithm implementation uses an integer
    data type that is inconsistent with a header file, which allows
    remote attackers to cause a denial of service (incorrect malloc
    followed by invalid free) or possibly execute arbitrary code via
    crafted text.

CVE-2015-4760

    The Layout Engine was missing multiple boundary checks. These could
    lead to buffer overflows and memory corruption. A specially crafted
    file could cause an application using ICU to parse untrusted font
    files to crash and, possibly, execute arbitrary code.

Additionally, it was discovered that the patch applied to ICU in DSA-3187-1
for CVE-2014-6585 was incomplete, possibly leading to an invalid memory
access. This could allow remote attackers to disclose portion of private
memory via crafted font files.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.8.1.1-12+deb7u3.

For the stable distribution (jessie), these problems have been fixed in
version 52.1-8+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 52.1-10.

For the unstable distribution (sid), these problems have been fixed in
version 52.1-10.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.

LinuxSecurity Poll

How frequently do you patch/update your system?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum 0 answer(s) and maximum 3 answer(s).
/main-polls/52-how-frequently-do-you-patch-update-your-system?task=poll.vote&format=json
52
radio
[{"id":"179","title":"As soon as patches\/updates are released - I track advisories for my distro(s) diligently","votes":"50","type":"x","order":"1","pct":80.65,"resources":[]},{"id":"180","title":"Every so often, when I think of it","votes":"7","type":"x","order":"2","pct":11.29,"resources":[]},{"id":"181","title":"Hardly ever","votes":"5","type":"x","order":"3","pct":8.06,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

Please vote first in order to view vote results.

VOTE ON THE POLL PAGE


VIEW MORE POLLS

bottom 200

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]