Bug 464168 - (CVE-2008-1036) CVE-2008-1036 ICU: Invalid character sequences omission during conversion of some character encodings (XSS attack possible)
CVE-2008-1036 ICU: Invalid character sequences omission during conversion of ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=cve,reported=20080602,public=2...
: Security
Depends On: 467949 467950 467974 467975
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-26 10:53 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:36 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-28 22:43:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Here's my backport of the patch for reference (23.14 KB, patch)
2008-10-22 07:56 EDT, Caolan McNamara
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2008-09-26 10:53:02 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1036 to
the following vulnerability:

International Components for Unicode (ICU) in Apple Mac OS X before 10.5.3 omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.

References:

http://lists.apple.com/archives/security-announce/2008//May/msg00001.html

Proposed patch (icu part):

http://bugs.icu-project.org/trac/search?q=%22ticket:6175:%22&noquickjump=1&changeset=on

Proposed patch (icu4j part):

http://bugs.icu-project.org/trac/search?q=%22ticket:6198:%22&noquickjump=1&changeset=on
Comment 1 Jan Lieskovsky 2008-09-26 10:58:22 EDT
This issue affects the versions of the ICU package, as shipped with Red Hat
Enterprise Linux 5 (icu-3.6.5-11.1.el5), with Red Hat Directory Server 8.0 (icu-3.6-4.el4dsrv and icu-3.6.1 for DS8.0 sparc), with the Red Hat Enterprise MRG product version 1.0 (icu-3.6.5-12.el4), within the Extra Packages for Enterprise Linux (EPEL) project (icu-3.6.4.el4.20) and as shipped with the
Fedora releases of 8, 9 and 10.
Comment 2 Jan Lieskovsky 2008-09-26 11:14:07 EDT
This issue does NOT affect the versions of the icu4j package, as shipped
with Red Hat Application Stacks version 1 update 3 and version 2 update 1,
with JBOSS Enterprise Application Platform release 4.2.0 and 4.3.0 and
as shipped with Fedora releases of 8 and 9.
Comment 8 Caolan McNamara 2008-10-22 07:56:12 EDT
Created attachment 321139 [details]
Here's my backport of the patch for reference
Comment 11 errata-xmlrpc 2009-03-12 10:13:18 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0296 http://rhn.redhat.com/errata/RHSA-2009:0296.html
Comment 12 Justin Ross 2011-09-16 15:27:32 EDT
*** Bug 467974 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.