Ubuntu CVE Tracker

Merge ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu into ubuntu-cve-tracker:master

  1. Git
  2. lp:~rodrigo-zaiden/ubuntu-cve-tracker
  3. feature/triage-cve-icu
  4. Merge into master
Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merge reported by: Rodrigo Figueiredo Zaiden
Merged at revision: 78dc2be46a2b40a0c2f5435f9204ee83a74aa28a
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu
Merge into: ubuntu-cve-tracker:master
Diff against target: 28 lines (+6/-3)
1 file modified
active/CVE-2021-30535 (+6/-3)
Reviewer Review Type Date Requested Status
Seth Arnold Approve
Review via email: mp+410628@code.launchpad.net

Commit message

CVE-2021-30535: icu: triage update

code that caused the issue was added in 66.1
so, bionic/xenial/trusty is not affected

Description of the change

hi there, would you, please, help to review this?

I'm proposing to change bionic/xenial/trusty to
code-not-affect because from my analysis, the vuln
was inserted in release 66.1, mainly in the following
commit:
https://github.com/unicode-org/icu/commit/596647c0

From my analysis, the double free is triggered from
the setKeywordValue method when:

  // if full Name is already on the heap, need to free it.
  uprv_free(fullName);

after this free, if baseName shares same address as fullName
it should be re-assigned before freed.
for reference, the fix is in the commit:
https://github.com/unicode-org/icu/commit/e450fa50

so, as the commit 596647c0 is not present in releases
prior to 66.1, those releases would not be affected.

additional comments:
- I have tried to backport only the unit test from commit
e450fa50 to validate releases before 66.1 but it was not
possible due to the many different ways code has evolved
over time (should I put more effort in this?)

- The commit that I'm blaming (596647c0) does a bug fix,
and it seems hard to decide whether it should be added
and fixed. My opinion is that by reading the ticket,
not adding the bugfix is betther than adding the bug
+ the security fix, can someone please check if my thoughts
are correct?
the bug being fixed and causing the vuln:
  https://unicode-org.atlassian.net/browse/ICU-20862

any other idea and approaches to this analyses are appreciated.
besides the analyses, please let me know if the comments are
appropriated.

thanks a lot,
Rodrigo

To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Your analysis looks right to me; I gave a quick look in icu_52.1-3ubuntu0.8 to pick a random old version that we shipped and double-checked that uloc_setKeywordValue() was prepared to return U_BUFFER_OVERFLOW_ERROR on over-long inputs, to make sure that wasn't a recent addition, too.

I think your note about "introduced in" would be nice to have directly in the CVE file itself -- that way it'd be exposed in the web interface. Our commit messages aren't usually useful / interesting enough to look through them in any real detail when solving problems.

Thanks

~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu updated
78dc2be... by Rodrigo Figueiredo Zaiden

    CVE-2021-30535: icu: triage update

    code that caused the issue was added from 66.1
    bionic/xenial/trusty is not affected.
    adding more info the notes

Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

> Your analysis looks right to me; I gave a quick look in icu_52.1-3ubuntu0.8 to
> pick a random old version that we shipped and double-checked that
> uloc_setKeywordValue() was prepared to return U_BUFFER_OVERFLOW_ERROR on over-
> long inputs, to make sure that wasn't a recent addition, too.
>
> I think your note about "introduced in" would be nice to have directly in the
> CVE file itself -- that way it'd be exposed in the web interface. Our commit
> messages aren't usually useful / interesting enough to look through them in
> any real detail when solving problems.
>
> Thanks

hi Seth,

thanks a lot for your review.
I update the notes with more information, it does make sense.

would you, please, verify if they are appropriated?

thanks!

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Looks good to me :) thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/active/CVE-2021-30535 b/active/CVE-2021-30535
2index c6e0e39..b590204 100644
3--- a/active/CVE-2021-30535
4+++ b/active/CVE-2021-30535
5@@ -12,6 +12,9 @@ Notes:
6 Ubuntu
7 mdeslaur> starting with Ubuntu 19.10, the chromium-browser package is just
8 a script that installs the Chromium snap
9+ rodrigo-zaiden> ICU issue was introduced in commit
10+ https://github.com/unicode-org/icu/commit/596647c0, released in version
11+ 66.1. So, trusty, xenial and bionic are not affected
12 Mitigation:
13 Bugs:
14 https://bugs.chromium.org/p/chromium/issues/detail?id=1194899
15@@ -37,10 +40,10 @@ Patches_icu:
16 upstream: https://github.com/unicode-org/icu/commit/e450fa50fc242282551f56b941dc93b9a8a0bcbb
17 upstream_icu: released (70-rc)
18 trusty_icu: ignored (out of standard support)
19-trusty/esm_icu: needed
20+trusty/esm_icu: not-affected (code not present)
21 xenial_icu: ignored (out of standard support)
22-esm-infra/xenial_icu: needed
23-bionic_icu: needed
24+esm-infra/xenial_icu: not-affected (code not present)
25+bionic_icu: not-affected (code not present)
26 focal_icu: needed
27 hirsute_icu: needed
28 impish_icu: not-affected (67.1-7ubuntu1)

Subscribers

People subscribed via source and target branches