Updated icu package fixes security vulnerabilities
Publication date: 27 Jul 2015
Modification date: 27 Jul 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-8146, CVE-2014-8147, CVE-2015-1270
Description
The ICU Project's ICU4C library, before 55.1, contains a heap-based buffer overflow in the resolveImplicitLevels function of ubidi.c (CVE-2014-8146).

The ICU Project's ICU4C library, before 55.1, contains an integer overflow in the resolveImplicitLevels function of ubidi.c due to the assignment of an int32 value to an int16 type (CVE-2014-8147).

The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU) mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file (CVE-2015-1270).
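The int32-to-int16 assignment named for CVE-2014-8147, shown as an added illustration that is not ICU's code: it contrasts an unchecked narrowing with a range-checked one and shows why a later bounds check alone does not catch every truncated value. The function names, sample positions and text length are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern: a 32-bit position is stored in a 16-bit variable.
 * Out-of-range values are converted in an implementation-defined way;
 * GCC and Clang reduce them modulo 2^16, so large positions change value. */
static int16_t narrow_unchecked(int32_t pos)
{
    return (int16_t)pos;
}

/* Checked pattern: refuse any value the 16-bit type cannot represent. */
static bool narrow_checked(int32_t pos, int16_t *out)
{
    if (pos < INT16_MIN || pos > INT16_MAX)
        return false;
    *out = (int16_t)pos;
    return true;
}

/* Guard a consumer of the stored index applies before using it. */
static bool index_in_bounds(int32_t idx, size_t len)
{
    return idx >= 0 && (size_t)idx < len;
}

int main(void)
{
    /* Constructed sample positions, including ones past INT16_MAX. */
    const int32_t samples[] = { 100, 32767, 32768, 40000, 70000 };
    const size_t text_len = 80000;   /* constructed text length */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t checked = 0;
        int16_t raw = narrow_unchecked(samples[i]);
        bool ok = narrow_checked(samples[i], &checked);
        printf("pos=%d unchecked=%d in_bounds=%s checked=%s\n",
               (int)samples[i], (int)raw,
               index_in_bounds(raw, text_len) ? "yes" : "no",
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

A position of 70000 narrows to a small positive value that still passes the bounds check, so the range check has to happen at the point of assignment.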
References
- https://bugs.mageia.org/show_bug.cgi?id=16478
- https://www.kb.cert.org/vuls/id/602540
- http://googlechromereleases.blogspot.cz/2015/07/stable-channel-update_21.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8146
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8147
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1270
SRPMS
4/core
- icu-52.1-2.4.mga4