ESB-2018.0931 - [Ubuntu] libicu57: Execute arbitrary code/commands - Remote with user interaction 2018-03-29


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0931
                             ICU vulnerability
                               29 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libicu57
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15422  

Reference:         ESB-2018.0840
                   ESB-2017.3137

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3610-1

- --------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3610-1
March 28, 2018

icu vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 17.10
- - Ubuntu 16.04 LTS
- - Ubuntu 14.04 LTS

Summary:

ICU could be made to crash if it received specially crafted input.

Software Description:
- - icu: International Components for Unicode library

Details:

It was discovered that ICU incorrectly handled certain calendars. If an
application using ICU processed crafted data, a remote attacker could
possibly cause it to crash, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  libicu57                        57.1-6ubuntu0.3

Ubuntu 16.04 LTS:
  libicu55                        55.1-7ubuntu0.4

Ubuntu 14.04 LTS:
  libicu52                        52.1-3ubuntu0.8

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3610-1
  CVE-2017-15422

Package Information:
  https://launchpad.net/ubuntu/+source/icu/57.1-6ubuntu0.3
  https://launchpad.net/ubuntu/+source/icu/55.1-7ubuntu0.4
  https://launchpad.net/ubuntu/+source/icu/52.1-3ubuntu0.8

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
