SUSE-SU-2018:1602-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20181602-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:1602-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:1602-1
Published
2018-06-08T09:39:04Z
Modified
2018-06-08T09:39:04Z
Summary
Security update for icu
Details

This update for icu fixes the following issues:

  • CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp did not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument. (bsc#990636)
  • CVE-2017-7868: ICU had an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function. (bsc#1034674)
  • CVE-2017-7867: ICU had an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function. (bsc#1034678)
  • CVE-2017-14952: Double free in i18n/zonemeta.cpp allowed remote attackers to execute arbitrary code via a crafted string, aka a 'redundant UVector entry clean up function call' issue. (bsc#1067203)
  • CVE-2017-17484: The ucnvUTF8FromUTF8 function in ucnvu8.cpp mishandled ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC. (bsc#1072193)
  • CVE-2017-15422: An integer overflow in the Persian calendar calculation was fixed, which could show wrong years. (bsc#1077999)

Affected packages

SUSE:Linux Enterprise Software Development Kit 11 SP4 / icu

Package

Name
icu
Purl
pkg:rpm/suse/icu&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.0-47.6.1

Ecosystem specific

{
    "binaries": [
        {
            "libicu-devel": "4.0-47.6.1",
            "icu": "4.0-47.6.1",
            "libicu-32bit": "4.0-47.6.1",
            "libicu-devel-32bit": "4.0-47.6.1"
        }
    ]
}

SUSE:Linux Enterprise Server 11 SP4 / icu

Package

Name
icu
Purl
pkg:rpm/suse/icu&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.0-47.6.1

Ecosystem specific

{
    "binaries": [
        {
            "libicu-doc": "4.0-47.6.1",
            "libicu-x86": "4.0-47.6.1",
            "libicu-32bit": "4.0-47.6.1",
            "libicu": "4.0-47.6.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 11 SP4 / icu

Package

Name
icu
Purl
pkg:rpm/suse/icu&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.0-47.6.1

Ecosystem specific

{
    "binaries": [
        {
            "libicu-doc": "4.0-47.6.1",
            "libicu-x86": "4.0-47.6.1",
            "libicu-32bit": "4.0-47.6.1",
            "libicu": "4.0-47.6.1"
        }
    ]
}