Merge ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu into ubuntu-cve-tracker:master
Status: | Merged |
---|---|
Merge reported by: | Rodrigo Figueiredo Zaiden |
Merged at revision: | 78dc2be46a2b40a0c2f5435f9204ee83a74aa28a |
Proposed branch: | ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: |
28 lines (+6/-3) 1 file modified
active/CVE-2021-30535 (+6/-3) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Seth Arnold | Approve | ||
Review via email: mp+410628@code.launchpad.net |
Commit message
CVE-2021-30535: icu: triage update
code that caused the issue was added in 66.1
so, bionic/
Description of the change
hi there, would you, please, help to review this?
I'm proposing to change bionic/
code-not-affect because from my analysis, the vuln
was inserted in release 66.1, mainly in the following
commit:
https:/
From my analysis, the double free is triggered from
the setKeywordValue method when:
// if full Name is already on the heap, need to free it.
uprv_
after this free, if baseName shares same address as fullName
it should be re-assigned before freed.
for reference, the fix is in the commit:
https:/
so, as the commit 596647c0 is not present in releases
prior to 66.1, those releases would not be affected.
additional comments:
- I have tried to backport only the unit test from commit
e450fa50 to validate releases before 66.1 but it was not
possible due to the many different ways code has evolved
over time (should I put more effort in this?)
- The commit that I'm blaming (596647c0) does a bug fix,
and it seems hard to decide whether it should be added
and fixed. My opinion is that by reading the ticket,
not adding the bugfix is betther than adding the bug
+ the security fix, can someone please check if my thoughts
are correct?
the bug being fixed and causing the vuln:
https:/
any other idea and approaches to this analyses are appreciated.
besides the analyses, please let me know if the comments are
appropriated.
thanks a lot,
Rodrigo
Your analysis looks right to me; I gave a quick look in icu_52.1-3ubuntu0.8 to pick a random old version that we shipped and double-checked that uloc_setKeyword Value() was prepared to return U_BUFFER_ OVERFLOW_ ERROR on over-long inputs, to make sure that wasn't a recent addition, too.
I think your note about "introduced in" would be nice to have directly in the CVE file itself -- that way it'd be exposed in the web interface. Our commit messages aren't usually useful / interesting enough to look through them in any real detail when solving problems.
Thanks