[USN-2522-3] ICU vulnerabilities
Posted on 10 March 2015
==========================================================================
Ubuntu Security Notice USN-2522-3
March 10, 2015
icu vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
ICU could be made to crash or run programs as your login if it processed
specially crafted data.
Software Description:
- icu: International Components for Unicode library
Details:
USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font
patches caused a regression when using LibreOffice Calc. The patches have
now been updated to fix the regression.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)

It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-6585,
CVE-2014-6591)

It was discovered that ICU incorrectly handled memory operations when
processing regular expressions. If an application using ICU processed
crafted data, an attacker could cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2014-7923, CVE-2014-7926, CVE-2014-9654)

It was discovered that the ICU collator implementation incorrectly handled
memory operations. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-7940)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libicu48 4.8.1.1-3ubuntu0.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2522-3
http://www.ubuntu.com/usn/usn-2522-1
CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419,
CVE-2014-6585, CVE-2014-6591
Package Information:
https://launchpad.net/ubuntu/+source/icu/4.8.1.1-3ubuntu0.5