Bug 1222455

Summary: ICU: integer overflow via incorrect state size
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: caolanm, carnil, denis.arnaud_fedora, erack, erik-fedora, tpopela, tuxator
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-19 06:40:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1222456    

Description Martin Prpič 2015-05-18 09:14:49 UTC
An unspecified integer overflow via incorrect state size was fixed in Debian's ICU package:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773

Comment 1 Salvatore Bonaccorso 2015-05-19 06:25:39 UTC
Hi Martin,

(In reply to Martin Prpic from comment #0)
> An unspecified integer overflow via incorrect state size was fixed in
> Debian's ICU package:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773

Should that be CVE-2014-8147? The bug subject in the Debian BTS referred to CVE-2015-8146 and CVE-2015-8147 but the assigned CVEs seem to be CVE-2014-8146 and CVE-2014-8147.

https://marc.info/?l=oss-security&m=143081399320763&w=2

Regards,
Salvatore

Comment 2 Tomas Hoger 2015-05-19 06:30:37 UTC
Exactly, these do look like CVE id typos (2014 vs. 2015).  Can you get the Debian side cleaned-up?

Comment 3 Tomas Hoger 2015-05-19 06:40:33 UTC
Duplicate of bug 1176200 caused by typo in CVE id.

*** This bug has been marked as a duplicate of bug 1176200 ***

Comment 4 Salvatore Bonaccorso 2015-05-19 06:58:54 UTC
Hi Tomas,

(In reply to Tomas Hoger from comment #2)
> Exactly, these do look like CVE id typos (2014 vs. 2015).  Can you get the
> Debian side cleaned-up?

Yes. They waere already right in the tracker, but the subject was wrong, so fixed that now.

Comment 5 Tomas Hoger 2015-05-19 07:19:58 UTC
I posted request to reject 2015 ids:

http://seclists.org/oss-sec/2015/q2/490
http://www.openwall.com/lists/oss-security/2015/05/19/3