Debian Security Advisory
DSA-3725-1 icu -- security update
- Date Reported:
- 27 Nov 2016
- Affected Packages:
- icu
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 838694.
In Mitre's CVE dictionary: CVE-2014-9911, CVE-2015-2632, CVE-2015-4844, CVE-2016-0494, CVE-2016-6293, CVE-2016-7415. - More information:
-
Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.
- CVE-2014-9911
Michele Spagnuolo discovered a buffer overflow vulnerability which might allow remote attackers to cause a denial of service or possibly execute arbitrary code via crafted text.
- CVE-2015-2632
An integer overflow vulnerability might lead into a denial of service or disclosure of portion of application memory if an attacker has control on the input file.
- CVE-2015-4844
Buffer overflow vulnerabilities might allow an attacker with control on the font file to perform a denial of service or, possibly, execute arbitrary code.
- CVE-2016-0494
Integer signedness issues were introduced as part of the CVE-2015-4844 fix.
- CVE-2016-6293
A buffer overflow might allow an attacker to perform a denial of service or disclosure of portion of application memory.
- CVE-2016-7415
A stack-based buffer overflow might allow an attacker with control on the locale string to perform a denial of service and, possibly, execute arbitrary code.
For the stable distribution (jessie), these problems have been fixed in version 52.1-8+deb8u4.
For the unstable distribution (sid), these problems have been fixed in version 57.1-5.
We recommend that you upgrade your icu packages.
- CVE-2014-9911