Date: Tue, 19 May 2015 07:33:19 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
CC: Pedro Ribeiro <pedrib@...il.com>
Subject: Re: CVE reject request CVE-2015-8146/8147

On 2015-05-19 03:05 AM, Tomas Hoger wrote:
> On Tue, 5 May 2015 09:19:20 +0100 Pedro Ribeiro wrote:
>
>> tl;dr heap and integer overflows in ICU, many packages affected,
>> unknown if these can be exploited or not - everyone names vulns
>> nowadays, so I name these I-C-U-FAIL.
>
> ...
>
>> #1 Vulnerability: Heap overflow
>> CVE-2014-8146
>
> ...
>
>> #2 Vulnerability: Integer overflow
>> CVE-2014-8147
>
> Apparently a typo was made when fixing these issues in Ubuntu and
> subsequently in Debian, when ids with year 2015 were used instead of
> 2014. Incorrect ids are used in patch names and changelogs, but e.g.
> USN-2605-1 was released with correct ids. I assume it's still prudent
> to consider the 2015 ids for rejection; it's likely they have not been
> allocated yet.
>
> http://www.ubuntu.com/usn/usn-2605-1/
> https://launchpad.net/ubuntu/+source/icu/52.1-3ubuntu0.3
> https://launchpad.net/ubuntu/+source/icu/52.1-6ubuntu0.3
> https://launchpad.net/ubuntu/+source/icu/52.1-8ubuntu0.1
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773
>

Ah, crud. Sorry about that.

Marc.