icu: CVE-2014-8146-CVE-2014-8147

CVE-2014-8146 icu: heap overflow via incorrect isolateCount CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function References: [1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z [2] https://www.kb.cert.org/vuls/id/602540 [3] http://bugs.icu-project.org/trac/changeset/37080 [4] http://bugs.icu-project.org/trac/changeset/37162 (From OE-Core rev: 1bc6391f65dec41ff0360b625b7a85a161e43955) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-01 13:58:04 +00:00 · 2015-09-04 12:51:00 +02:00 · 2015-09-04 12:51:00 +02:00 · a01280b7ab
commit a01280b7ab
parent 800a3dc9b0
2 changed files with 50 additions and 0 deletions
--- a/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
+++ b/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
@ -0,0 +1,49 @@
+icu: CVE-2014-8146-CVE-2014-8147
+
+CVE-2014-8146 icu: heap overflow via incorrect isolateCount
+CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
+
+References:
+[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
+[2] https://www.kb.cert.org/vuls/id/602540
+[3] http://bugs.icu-project.org/trac/changeset/37080
+[4] http://bugs.icu-project.org/trac/changeset/37162
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/common/ubidi.c b/common/ubidi.c
+--- a/common/ubidi.c	2014-10-03 18:11:20.000000000 +0200
+++ b/common/ubidi.c	2015-08-28 08:22:39.455906194 +0200
+@@ -2138,7 +2138,7 @@
+     /* The isolates[] entries contain enough information to
+        resume the bidi algorithm in the same state as it was
+        when it was interrupted by an isolate sequence. */
+-    if(dirProps[start]==PDI) {
+    if(dirProps[start]==PDI  && pBiDi->isolateCount >= 0) {
+         levState.startON=pBiDi->isolates[pBiDi->isolateCount].startON;
+         start1=pBiDi->isolates[pBiDi->isolateCount].start1;
+         stateImp=pBiDi->isolates[pBiDi->isolateCount].stateImp;
+diff -ruN a/common/ubidiimp.h b/common/ubidiimp.h
+--- a/common/ubidiimp.h	2014-10-03 18:11:16.000000000 +0200
+++ b/common/ubidiimp.h	2015-08-28 08:28:24.069163845 +0200
+@@ -1,7 +1,7 @@
+ /*
+ ******************************************************************************
+ *
+-*   Copyright (C) 1999-2014, International Business Machines
+*   Copyright (C) 1999-2015, International Business Machines
+ *   Corporation and others.  All Rights Reserved.
+ *
+ ******************************************************************************
+@@ -184,8 +184,8 @@
+ typedef struct Isolate {
+     int32_t startON;
+     int32_t start1;
+    int32_t state;
+     int16_t stateImp;
+-    int16_t state;
+ } Isolate;
+
+ typedef struct Run {
--- a/meta/recipes-support/icu/icu_53.1.bb
+++ b/meta/recipes-support/icu/icu_53.1.bb
@ -11,6 +11,7 @@ ICU_PV = "${@icu_download_version(d)}"
 BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-${ICU_PV}-src.tgz"
 SRC_URI = "${BASE_SRC_URI} \
           file://icu-pkgdata-large-cmd.patch \
+           file://icu-CVE-2014-8146-CVE-2014-8147.patch \
          "

 SRC_URI_append_class-target = "\