Advisories » MGASA-2015-0286

Updated icu package fixes security vulnerabilities

Publication date: 27 Jul 2015
Modification date: 27 Jul 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-8146, CVE-2014-8147, CVE-2015-1270

Description

The ICU Project's ICU4C library, before 55.1, contains a heap-based buffer
overflow in the resolveImplicitLevels function of ubidi.c (CVE-2014-8146).

The ICU Project's ICU4C library, before 55.1, contains an integer overflow
in the resolveImplicitLevels function of ubidi.c due to the assignment of
an int32 value to an int16 type (CVE-2014-8147).

The ucnv_io_getConverterName function in common/ucnv_io.cpp in
International Components for Unicode (ICU) mishandles converter names with
initial x- substrings, which allows remote attackers to cause a denial of
service (read of uninitialized memory) or possibly have unspecified other
impact via a crafted file (CVE-2015-1270).
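The CVE-2014-8147 description names the bug class, an int32 value stored into an int16. The following is an added illustration, not ICU code: it shows how an unchecked narrowing silently wraps a count or index, next to a range-checked narrowing that refuses values outside the int16 range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked narrowing, the pattern the advisory describes: the high 16
 * bits are dropped, so on two's-complement targets a large positive
 * count or index silently becomes a small or negative int16 value. */
int16_t unchecked_narrow(int32_t v)
{
    return (int16_t)v;
}

/* Checked narrowing: store the value only if it fits in int16_t and
 * report failure otherwise, so the caller can reject the input. */
bool checked_narrow(int32_t v, int16_t *out)
{
    if (v < INT16_MIN || v > INT16_MAX) {
        return false;
    }
    *out = (int16_t)v;
    return true;
}

int main(void)
{
    /* Constructed sample lengths: some fit in int16, some do not. */
    int32_t samples[] = { 100, INT16_MAX, INT16_MAX + 1, 40000, -40000 };
    size_t count = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < count; i++) {
        int16_t narrowed;
        bool ok = checked_narrow(samples[i], &narrowed);
        printf("%7d -> unchecked %7d, checked %s\n",
               (int)samples[i],
               (int)unchecked_narrow(samples[i]),
               ok ? "ok" : "rejected");
    }
    return 0;
}
```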

References

SRPMS

4/core