Your message dated Thu, 21 Mar 2013 15:48:20 +0000
with message-id <e1uihj2-0007jj...@franck.debian.org>
and subject line Bug#702346: fixed in icu 4.8.1.1-12
has caused the Debian Bug report #702346,
regarding icu: CVE-2013-0900
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
702346: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702346
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: icu
Severity: grave
Tags: security
Justification: user security hole

Hi Jay,

Google fixed a security issue in icu, which is embedded in Chrome:
http://googlechromereleases.blogspot.de/2013/02/stable-channel-update_21.html

| [152442] Medium CVE-2013-0900: Race condition in ICU. Credit to Google Chrome Security Team (Inferno).

I contacted the Google Chrome Security Team and they pointed me to the following
upstream bug (which is private ATM, but maybe you have access?):
http://bugs.icu-project.org/trac/ticket/9737

They also sent me links to the upstream fixes:
http://bugs.icu-project.org/trac/changeset/32865
http://bugs.icu-project.org/trac/changeset/32908

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: icu
Source-Version: 4.8.1.1-12

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <q...@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 21 Mar 2013 11:29:08 -0400
Source: icu
Binary: libicu48 libicu48-dbg libicu-dev icu-doc
Architecture: source all amd64
Version: 4.8.1.1-12
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <q...@debian.org>
Changed-By: Jay Berkenbilt <q...@debian.org>
Description: 
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu48   - International Components for Unicode
 libicu48-dbg - International Components for Unicode
Closes: 702346
Changes: 
 icu (4.8.1.1-12) unstable; urgency=high
 .
   * Add patch to address CVE-2013-0900, a threading race condition.
     (Closes: #702346)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
