Hi, I have spent some time trying to untangle the patches for the `icu` package which has been noted as a priority package by LTS sponsors here. Two issues are pending in the package:
https://security-tracker.debian.org/tracker/CVE-2015-4844
https://security-tracker.debian.org/tracker/CVE-2016-0494

CVE-2016-0494 was *introduced* through the fix for CVE-2015-4844, which was itself never applied to icu. So in effect, icu is currently only vulnerable to CVE-2015-4844.

The CVE-2015-4844 patch didn't completely apply cleanly, one chunk failing. I don't believe that chunk is necessary, since subtableHeader.addOffset() is called at the end of the loop, without any extra statement after. The next loop iteration will do the check directly, so no extra break is necessary. The CVE-2016-0494 patch then applies cleanly.

Also, as recommended in the upstream ticket 12020, I have added the -fno-strict-overflow flag to CFLAGS, both in the debian/rules file and in the upstream runConfigure script (which we don't use, but that is probably the right thing to do for upstream).

I have sent the two patches upstream here, reviews would be appreciated:
https://ssl.icu-project.org/trac/ticket/12020#comment:5

Note that it seems the patches were assigned backwards in the security tracker: dbb4e2bdfa9e was assigned to CVE-2016-0494 and f556d4c82ef1 was assigned to CVE-2015-4844. Not sure how that happened, but it made untangling this stuff pretty hard.

I am also basically trusting the folks at Red Hat and on the upstream Trac for the patches: I haven't audited the code myself. Oracle hasn't disclosed the exact scope of the vulnerability, so it is unfortunately impossible to test if the fix is correct.

I am also not very familiar with the ICU library, so I would like users here to test the packages if they can:

deb https://people.debian.org/~anarcat/debian squeeze-lts/
deb-src https://people.debian.org/~anarcat/debian squeeze-lts/

I am still building the amd64 library here, I will put it online there shortly.

Finally, please note that the CVE-2016-0494 patch still has to be backported to the OpenJDK 6 that lives in squeeze. CVE-2015-4844 has already been fixed in OpenJDK 6.

A.
-- 
VBscript: the simplicity of C, the power of BASIC - Mathieu Petit-Clair