Date: Tue, 19 May 2015 07:33:19 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
CC: Pedro Ribeiro <pedrib@...il.com>
Subject: Re: CVE reject request CVE-2015-8146/8147

On 2015-05-19 03:05 AM, Tomas Hoger wrote:
> On Tue, 5 May 2015 09:19:20 +0100 Pedro Ribeiro wrote:
> 
>> tl;dr heap and integer overflows in ICU, many packages affected,
>> unknown if these can be exploited or not - everyone names vulns
>> nowadays, so I name these I-C-U-FAIL.
> 
> ...
> 
>> #1 Vulnerability: Heap overflow
>> CVE-2014-8146
> 
> ...
> 
>> #2 Vulnerability: Integer overflow
>> CVE-2014-8147
> 
> Apparently a typo was made when fixing these issues in Ubuntu and
> subsequently in Debian when ids with year 2015 were used instead of
> 2014.  Incorrect ids are used in patch names and changelogs, but e.g.
> USN-2605-1 was released with correct ids.  I assume it's still prudent
> to consider 2015 ids for rejection, it's likely they have not been
> allocated yet.
> 
> http://www.ubuntu.com/usn/usn-2605-1/
> https://launchpad.net/ubuntu/+source/icu/52.1-3ubuntu0.3
> https://launchpad.net/ubuntu/+source/icu/52.1-6ubuntu0.3
> https://launchpad.net/ubuntu/+source/icu/52.1-8ubuntu0.1
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773
> 

Ah, crud. Sorry about that.

Marc.
