Bugzilla – Bug 990636
VUL-1: CVE-2016-6293: icu: locale_accept_from_http out-of-bounds access
Last modified: 2019-06-07 11:41:40 UTC
http://seclists.org/oss-sec/2016/q3/137 https://bugs.php.net/72533 (locale_accept_from_http out-of-bounds access). (Stas) This bug is inside libicu PHP remediation: http://git.php.net/?p=php-src.git;a=commit;h=aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 The related upstream code can be found in the http://source.icu-project.org/repos/icu/icu/trunk/source/common/uloc.cpp file. What we will do for now is assign one CVE ID for the "ICU for C/C++" product and a separate CVE ID for PHP. In other words, the bug #72533 discoverer has indicated that it is a bug in that ICU product. However, it is a bug at a different level within the PHP distribution, because aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 implies that PHP is intended to operate safely even with an unpatched copy of the ICU library. Use CVE-2016-6293 for ICU for C/C++. Use CVE-2016-6294 for PHP. (If there happens to be further information indicating that uloc_acceptLanguageFromHTTP was supposed to be using the tmp array as originally written, then we can reject CVE-2016-6293.) References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6293 http://seclists.org/oss-sec/2016/q3/137 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6293.html http://www.cvedetails.com/cve/CVE-2016-6293/
No upstream patch
bugbot adjusting priority
Reassign to our current icu maintainer.
can you please submit fixed pakcages
There are some changes in the situation, These issue's priority has been raised. I'm switching to deal with it now. Thank you so much for your patience!
(In reply to Andreas Stieger from comment #1) > No upstream patch Andreas: In this case, How can we fix this problem? for I'm not a security specialist. Additionally, you said that: "The related upstream code can be found in the http://source.icu-project.org/repos/icu/icu/trunk/source/common/uloc.cpp file." The above link could not be accessed.
From http://site.icu-project.org/repository http://source.icu-project.org/repos/icu/trunk/icu4c http://bugs.icu-project.org/trac/changeset/39109 r39109 | srl | 2016-08-31 16:53:53 +0200 (Wed, 31 Aug 2016) | 2 lines ticket:12652: fix for null termination in uloc_acceptLanguageFromHTTP http://bugs.icu-project.org/trac/changeset/39115 r39115 | srl | 2016-09-01 01:37:29 +0200 (Thu, 01 Sep 2016) | 1 line ticket:12652: better fix, see r39114 http://bugs.icu-project.org/trac/changeset/39126 r39126 | srl | 2016-09-02 23:01:19 +0200 (Fri, 02 Sep 2016) | 1 line ticket:12652: tab -> space http://bugs.icu-project.org/trac/changeset/39142 r39142 | heninger | 2016-09-07 01:10:27 +0200 (Wed, 07 Sep 2016) | 1 line ticket:12652 add 'using namespace icu' to fix build failure from use of MaybeStackArray<>
SUSE-SU-2018:1401-1: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 1034674,1034678,1067203,1072193,1077999,1087932,929629,990636 CVE References: CVE-2014-8146,CVE-2014-8147,CVE-2016-6293,CVE-2017-14952,CVE-2017-15422,CVE-2017-17484,CVE-2017-7867,CVE-2017-7868 Sources used: SUSE OpenStack Cloud 7 (src): icu-52.1-8.7.1 SUSE Linux Enterprise Workstation Extension 12-SP3 (src): icu-52.1-8.7.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): icu-52.1-8.7.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): icu-52.1-8.7.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): icu-52.1-8.7.1 SUSE Linux Enterprise Server 12-SP3 (src): icu-52.1-8.7.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): icu-52.1-8.7.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): icu-52.1-8.7.1 SUSE Linux Enterprise Server 12-LTSS (src): icu-52.1-8.7.1 SUSE Linux Enterprise Desktop 12-SP3 (src): icu-52.1-8.7.1 SUSE Enterprise Storage 4 (src): icu-52.1-8.7.1 SUSE CaaS Platform ALL (src): icu-52.1-8.7.1 OpenStack Cloud Magnum Orchestration 7 (src): icu-52.1-8.7.1
openSUSE-SU-2018:1422-1: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 1034674,1034678,1067203,1072193,1077999,1087932,929629,990636 CVE References: CVE-2014-8146,CVE-2014-8147,CVE-2016-6293,CVE-2017-14952,CVE-2017-15422,CVE-2017-17484,CVE-2017-7867,CVE-2017-7868 Sources used: openSUSE Leap 42.3 (src): icu-52.1-18.1
SUSE-SU-2018:1602-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 1034674,1034678,1067203,1072193,1077999,990636 CVE References: CVE-2016-6293,CVE-2017-14952,CVE-2017-15422,CVE-2017-17484,CVE-2017-7867,CVE-2017-7868 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): icu-4.0-47.6.1 SUSE Linux Enterprise Server 11-SP4 (src): icu-4.0-47.6.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): icu-4.0-47.6.1
SUSE-SU-2018:1401-2: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 1034674,1034678,1067203,1072193,1077999,1087932,929629,990636 CVE References: CVE-2014-8146,CVE-2014-8147,CVE-2016-6293,CVE-2017-14952,CVE-2017-15422,CVE-2017-17484,CVE-2017-7867,CVE-2017-7868 Sources used: SUSE Linux Enterprise Server 12-SP2-BCL (src): icu-52.1-8.7.1
released