From: akuster808 <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH][dizzy] icu: CVE-2014-8146-CVE-2014-8147
Date: Fri, 04 Sep 2015 16:47:58 -0700
Message-ID: <55EA2DAE.40606@gmail.com>
In-Reply-To: <1441363860-25700-1-git-send-email-sona.sarmadi@enea.com>

queuing up,
thanks,
Armin

On 09/04/2015 03:51 AM, Sona Sarmadi wrote:
> CVE-2014-8146 icu: heap overflow via incorrect isolateCount
> CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
>
> References:
> [1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
> [2] https://www.kb.cert.org/vuls/id/602540
> [3] http://bugs.icu-project.org/trac/changeset/37080
> [4] http://bugs.icu-project.org/trac/changeset/37162
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
> .../icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch | 49 ++++++++++++++++++++++
> meta/recipes-support/icu/icu_53.1.bb | 1 +
> 2 files changed, 50 insertions(+)
> create mode 100644 meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
>
> diff --git a/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch b/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
> new file mode 100644
> index 0000000..2460357
> --- /dev/null
> +++ b/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
> @@ -0,0 +1,49 @@
> +icu: CVE-2014-8146-CVE-2014-8147
> +
> +CVE-2014-8146 icu: heap overflow via incorrect isolateCount
> +CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
> +
> +References:
> +[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
> +[2] https://www.kb.cert.org/vuls/id/602540
> +[3] http://bugs.icu-project.org/trac/changeset/37080
> +[4] http://bugs.icu-project.org/trac/changeset/37162
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> +diff -ruN a/common/ubidi.c b/common/ubidi.c
> +--- a/common/ubidi.c 2014-10-03 18:11:20.000000000 +0200
> ++++ b/common/ubidi.c 2015-08-28 08:22:39.455906194 +0200
> +@@ -2138,7 +2138,7 @@
> + /* The isolates[] entries contain enough information to
> + resume the bidi algorithm in the same state as it was
> + when it was interrupted by an isolate sequence. */
> +- if(dirProps[start]==PDI) {
> ++ if(dirProps[start]==PDI && pBiDi->isolateCount >= 0) {
> + levState.startON=pBiDi->isolates[pBiDi->isolateCount].startON;
> + start1=pBiDi->isolates[pBiDi->isolateCount].start1;
> + stateImp=pBiDi->isolates[pBiDi->isolateCount].stateImp;
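Review bot: The added `pBiDi->isolateCount >= 0` test in the `if` bounds the index only from below for the three `pBiDi->isolates[pBiDi->isolateCount]` reads that follow; nothing in this hunk shows an upper bound, or what the non-taken path does with a PDI reached while `isolateCount` is negative. Please confirm both against changesets [3] and [4], and extend the comment above the `if` to say that a PDI seen with a negative `isolateCount` is deliberately not restored from `isolates[]`.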
> +diff -ruN a/common/ubidiimp.h b/common/ubidiimp.h
> +--- a/common/ubidiimp.h 2014-10-03 18:11:16.000000000 +0200
> ++++ b/common/ubidiimp.h 2015-08-28 08:28:24.069163845 +0200
> +@@ -1,7 +1,7 @@
> + /*
> + ******************************************************************************
> + *
> +-* Copyright (C) 1999-2014, International Business Machines
> ++* Copyright (C) 1999-2015, International Business Machines
> + * Corporation and others. All Rights Reserved.
> + *
> + ******************************************************************************
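Review bot: The copyright-year change in the `ubidiimp.h` header comment is not part of either CVE fix; dropping this hunk from the backport would keep the patch to its two functional changes and remove one place where it can fail to apply. If it is kept to match the upstream changeset exactly, say so in the patch header.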
> +@@ -184,8 +184,8 @@
> + typedef struct Isolate {
> + int32_t startON;
> + int32_t start1;
> ++ int32_t state;
> + int16_t stateImp;
> +- int16_t state;
> + } Isolate;
> +
> + typedef struct Run {
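Review bot: Widening `state` from `int16_t` to `int32_t` in `struct Isolate` also moves it ahead of `stateImp`, so the struct layout changes, yet no hunk in this patch touches the code that stores into or reads from `state`. Please confirm that every assignment to the `state` member of an `isolates[]` entry now carries the full 32-bit value without a narrowing cast, and note in the patch header which of [3] and [4] this hunk comes from, since `Upstream-Status: Backport` alone does not say.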
> diff --git a/meta/recipes-support/icu/icu_53.1.bb b/meta/recipes-support/icu/icu_53.1.bb
> index d93af68..2906e8f 100644
> --- a/meta/recipes-support/icu/icu_53.1.bb
> +++ b/meta/recipes-support/icu/icu_53.1.bb
> @@ -11,6 +11,7 @@ ICU_PV = "${@icu_download_version(d)}"
> BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-${ICU_PV}-src.tgz"
> SRC_URI = "${BASE_SRC_URI} \
> file://icu-pkgdata-large-cmd.patch \
> + file://icu-CVE-2014-8146-CVE-2014-8147.patch \
> "
>
> SRC_URI_append_class-target = "\
>
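Review bot: The single `file://icu-CVE-2014-8146-CVE-2014-8147.patch` entry added to `SRC_URI` carries both CVE fixes in one file, so the two cannot be tracked, dropped or re-backported independently. Consider one patch per CVE, each with its own `file://` line.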