Debian DSA-3187-1 : icu - security update

Critical Nessus Plugin ID 81831

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.

- CVE-2013-1569: Glyph table issue.
- CVE-2013-2383: Glyph table issue.
- CVE-2013-2384: Font layout issue.
- CVE-2013-2419: Font processing issue.
- CVE-2014-6585: Out-of-bounds read.
- CVE-2014-6591: Additional out-of-bounds reads.
- CVE-2014-7923: Memory corruption in regular expression comparison.
- CVE-2014-7926: Memory corruption in regular expression comparison.
- CVE-2014-7940: Uninitialized memory.
- CVE-2014-9654: More regular expression flaws.

Solution

Upgrade the icu packages.

For the stable distribution (wheezy), these problems have been fixed in version 4.8.1.1-12+deb7u2.

For the upcoming stable (jessie) and unstable (sid) distributions, these problems have been fixed in version 52.1-7.1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775884

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776264

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776265

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776719

https://security-tracker.debian.org/tracker/CVE-2013-1569

https://security-tracker.debian.org/tracker/CVE-2013-2383

https://security-tracker.debian.org/tracker/CVE-2013-2384

https://security-tracker.debian.org/tracker/CVE-2013-2419

https://security-tracker.debian.org/tracker/CVE-2014-6585

https://security-tracker.debian.org/tracker/CVE-2014-6591

https://security-tracker.debian.org/tracker/CVE-2014-7923

https://security-tracker.debian.org/tracker/CVE-2014-7926

https://security-tracker.debian.org/tracker/CVE-2014-7940

https://security-tracker.debian.org/tracker/CVE-2014-9654

https://packages.debian.org/source/wheezy/icu

https://www.debian.org/security/2015/dsa-3187

Plugin Details

Severity: Critical

ID: 81831

File Name: debian_DSA-3187.nasl

Version: 1.16

Type: local

Agent: unix

Published: 2015/03/17

Updated: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:icu, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/03/15

Reference Information

CVE: CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419, CVE-2014-6585, CVE-2014-6591, CVE-2014-7923, CVE-2014-7926, CVE-2014-7940, CVE-2014-9654

BID: 59131, 59166, 59179, 59190, 72173, 72175

DSA: 3187