Bugzilla – Bug 917129
VUL-0: CVE-2014-9654 icu: insufficient size limit checks in regular expression compiler
Last modified: 2015-11-27 15:47:42 UTC
Regular expression pattern size limits weren't checked.

Change: http://bugs.icu-project.org/trac/changeset/36801

SLE 12 needs the patch, SLE 11 SP3 is probably also affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1190129
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9654
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9654.html
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-02-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60661
I don't maintain SLE12 packages.
SLE 11 is affected and you're still listed as the maintainer. Do you know who took this package?
Ok, sorry, I also don't maintain SLE11 packages, and no, I have no idea who is maintaining those packages these days.
Seems like this is your package.
The original maintaining team was bnc-team-gnome ... can the Desktop team do that?
SUSE-SU-2015:0458-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917129
CVE References: CVE-2014-9654

Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): icu-52.1-7.1
SUSE Linux Enterprise Software Development Kit 12 (src): icu-52.1-7.1
SUSE Linux Enterprise Server 12 (src): icu-52.1-7.1
SUSE Linux Enterprise Desktop 12 (src): icu-52.1-7.1
I have backported the changeset to SLE11-SP3 at https://build.suse.de/package/show/home:zhangxiaofei:branches:SUSE:SLE-11-SP3:Update:Test/icu However, I must admit I'm not familiar with icu either, so it would be great if somebody could review or test the patch.
(In reply to Felix Zhang from comment #22) I'm also not familiar with it, but I gave it a try. To my not-ICU-expert eyes your submission looks fine, although it is tempting to insert all the missing calls to fixLiterals(); but it's not like the patch isn't already big enough. Testing will need to be done by QA, but this one looks promising.
Could we also have a fix for SLES 10 SP3? SUSE:SLE-10-SP3:Update:Test icu
(In reply to Marcus Meissner from comment #29)
> could we also have a fix for sles10 sp3?
>
> SUSE:SLE-10-SP3:Update:Test icu

Yes. I have backported it here: https://build.suse.de/package/show/home:zhangxiaofei:branches:SUSE:SLE-10-SP3:Update:Test/icu
SUSE-SU-2015:1144-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917129
CVE References: CVE-2014-9654

Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): icu-4.0-7.28.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): icu-4.0-7.28.1
SUSE Linux Enterprise Server 11 SP3 (src): icu-4.0-7.28.1
SUSE Linux Enterprise Desktop 11 SP3 (src): icu-4.0-7.28.1
Closing as fixed as the changes are checked in.
SUSE-SU-2015:1790-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917129
CVE References: CVE-2014-9654

Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): icu-4.0-7.30.2
SUSE Linux Enterprise Server 11-SP4 (src): icu-4.0-7.30.2
SUSE Linux Enterprise Desktop 11-SP4 (src): icu-4.0-7.30.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): icu-4.0-7.30.2
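The three advisories above give the fixed icu source-package versions per product (52.1-7.1 for SLE 12, 4.0-7.28.1 for SLE 11 SP3, 4.0-7.30.2 for SLE 11 SP4). Below is a check a practitioner would run to decide whether an installed host already carries one of those fixes. It is an added example, not code from this bug, from SUSE or from the ICU project: the product labels and the rpmvercmp re-implementation are mine, and the sample SOURCERPM string is constructed. It assumes you compare the source RPM version of the installed libicu package (as printed by `rpm -q --qf '%{SOURCERPM}' <pkg>`) against the advisory's source version, because the advisories list source packages, not binary package names.

```python
import re

# Fixed source-package versions taken from the three SUSE advisories in this bug.
# The keys are labels chosen for this example; values are the "version-release" part.
FIXED_ICU = {
    "SLE12": "52.1-7.1",        # SUSE-SU-2015:0458-1
    "SLE11-SP3": "4.0-7.28.1",  # SUSE-SU-2015:1144-1
    "SLE11-SP4": "4.0-7.30.2",  # SUSE-SU-2015:1790-1
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation (mine, not rpm's code) of rpm's rpmvercmp(): returns -1, 0 or 1.

    Strings are split into numeric and alphabetic segments. Numeric segments compare
    as integers (so 7.30.10 > 7.30.2, unlike a plain string compare), a numeric segment
    beats an alphabetic one, and '~' sorts before anything, even the end of the string.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa and sb:
        x, y = sa.pop(0), sb.pop(0)
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    # One side ran out of segments: a remaining '~' still loses, otherwise the longer string wins.
    if sa and sa[0] == "~":
        return -1
    if sb and sb[0] == "~":
        return 1
    if not sa and not sb:
        return 0
    return 1 if sa else -1


def compare_vr(installed: str, fixed: str) -> int:
    """Compare two 'version-release' strings the way rpm does: version first, then release."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def is_patched(product: str, installed_vr: str) -> bool:
    """True when the installed icu source version is at or above the advisory's fixed version."""
    return compare_vr(installed_vr, FIXED_ICU[product]) >= 0


def source_vr(source_rpm: str) -> str:
    """Turn 'icu-4.0-7.24.1.src.rpm' (the SOURCERPM of an installed package) into '4.0-7.24.1'."""
    nvr = source_rpm
    if nvr.endswith(".src.rpm"):
        nvr = nvr[: -len(".src.rpm")]
    _name, ver, rel = nvr.rsplit("-", 2)
    return f"{ver}-{rel}"


if __name__ == "__main__":
    # Constructed sample: the SOURCERPM of a libicu package on an SLE 11 SP3 host that
    # predates SUSE-SU-2015:1144-1. Replace it with the output of rpm -q --qf '%{SOURCERPM}'.
    sample = "icu-4.0-7.24.1.src.rpm"
    print(sample, "patched for CVE-2014-9654:", is_patched("SLE11-SP3", source_vr(sample)))
```

The comparison is done segment-wise rather than as a string on purpose: a later rebuild such as 7.30.10 would sort below 7.30.2 lexicographically and be misreported as vulnerable. The check says nothing about whether the backport is functionally correct (the regression in bug 952260 shipped in a version this check would call "patched"); it only tells you whether the advisory's package is installed.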
Probably all done now.
This caused a regression, see bug 952260.