Your message dated Mon, 30 Mar 2020 21:32:33 +0000
with message-id <e1jj21j-000ayl...@fasolo.debian.org>
and subject line Bug#953747: fixed in icu 57.1-6+deb9u4
has caused the Debian Bug report #953747,
regarding icu: CVE-2020-10531
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
953747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: icu
Version: 63.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/unicode-org/icu/pull/971
Hi,
The following vulnerability was published for icu.
CVE-2020-10531[0]:
| An issue was discovered in International Components for Unicode (ICU)
| for C/C++ through 66.1. An integer overflow, leading to a heap-based
| buffer overflow, exists in the UnicodeString::doAppend() function in
| common/unistr.cpp.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-10531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=1044570 (not public)
[2] https://unicode-org.atlassian.net/browse/ICU-20958 (private)
[3] https://github.com/unicode-org/icu/pull/971
[4] https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: icu
Source-Version: 57.1-6+deb9u4
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>
We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 953...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated icu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Mar 2020 19:34:22 +0000
Source: icu
Binary: libicu57 libicu57-dbg libicu-dev icu-devtools icu-devtools-dbg icu-doc
Architecture: source amd64 all
Version: 57.1-6+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
icu-devtools - Development utilities for International Components for Unicode
icu-devtools-dbg - Development utilities for International Components for Unicode (d
icu-doc - API documentation for ICU classes and functions
libicu-dev - Development files for International Components for Unicode
libicu57 - International Components for Unicode
libicu57-dbg - International Components for Unicode (debug symbols)
Closes: 953747
Changes:
icu (57.1-6+deb9u4) stretch-security; urgency=high
.
* Backport upstream security fix for CVE-2020-10531: SEGV_MAPERR in
UnicodeString::doAppend() (closes: #953747).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---