Closed Bug 1449928 Opened 8 years ago Closed 8 years ago

Backport CVE-2017-15422 to ESR52

Categories

(Core :: JavaScript: Internationalization API, defect)

52 Branch
defect
Not set
critical

Tracking

RESOLVED WONTFIX
Tracking Status
firefox-esr52 - wontfix
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected

People

(Reporter: RyanVM, Unassigned)

Details

(Keywords: csectype-bounds, sec-high)

Today, I noticed that Ubuntu updated its copy of ICU 57 to include the fix for CVE-2017-15422. From what I can tell, this was an integer overflow bug which was fixed late last year: https://ssl.icu-project.org/trac/changeset/40654 Fx59+ are already fixed via the ICU 60.1 update. However, ESR52 is using ICU 58.2 still and is vulnerable from what I can tell.
Flags: needinfo?(andrebargull)
Might not be a bad idea to look for any other ICU security backports that might have landed since 58.2 was shipped too.
(In reply to Ryan VanderMeulen [:RyanVM] from comment #0)
> However, ESR52 is using ICU 58.2 still and is vulnerable from what I can tell.

Do we know any details about the severity of the vulnerability? For example, can it be used for remote code execution, etc.?

With ESR52:

js> new Intl.DateTimeFormat("bs-Cyrl-u-ca-persian").format(new Date(178171 + 621, 0, 1))
"24.10.178170."
js> new Intl.DateTimeFormat("bs-Cyrl-u-ca-persian").format(new Date(178171 + 622, 0, 1))
"130129710.4338360.-178169."

ICU tickets:
- Persian calendar: https://ssl.icu-project.org/trac/ticket/13454
- Similar issue for Islamic calendar (bug 914236): https://ssl.icu-project.org/trac/ticket/12661, https://ssl.icu-project.org/trac/ticket/13538

For Islamic calendar (bug 914236):

js> new Intl.DateTimeFormat("en-u-ca-islamicc-nu-latn").format(1123123123123123123123)
"-72796051/28/-52842"

(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)
> Might not be a bad idea to look for any other ICU security backports that
> might have landed since 58.2 was shipped too.

Ubuntu seems to have backported three patches from ICU59 and ICU60 <https://git.launchpad.net/ubuntu/+source/icu/log/?h=ubuntu/artful-devel>:
1. https://git.launchpad.net/ubuntu/+source/icu/commit/?h=ubuntu/artful-devel&id=be6180fd4ec5d1fc4797c2989694923f7ce1dc01
2. bug 1387937 (I don't know why we didn't backport it to ESR52; I don't have access to it): https://git.launchpad.net/ubuntu/+source/icu/commit/?h=ubuntu/artful-devel&id=f5de7ab7107ab2c35ce402bd734a3b6dc682532f
3. bug 1449928 (this bug): https://git.launchpad.net/ubuntu/+source/icu/commit/?h=ubuntu/artful-devel&id=2f7cd7c9e5b388d578368d62ef88f5e4e12f3611

Not sure if there are more patches which should be (or should have been) backported to ESR52.
Flags: needinfo?(andrebargull)
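The js> session in the comment above can be turned into a self-contained regression check for the Persian-calendar overflow. This is an added example, not code from the bug report, ICU or SpiderMonkey; the locale string (English with the Persian calendar and Latin digits) and the `affected`/`conclusive` result fields are my assumptions.

```javascript
// Added example: regression check for the ICU Persian-calendar overflow
// shown in the js> session above (ICU ticket 13454). Hypothetical helper,
// not code from the bug report, ICU or SpiderMonkey.
// Locale is an assumption: English with the Persian calendar and Latin
// digits so the year part comes back as plain ASCII digits.
const PERSIAN_LOCALE = "en-u-ca-persian-nu-latn";

// Constructed inputs: the same two Gregorian 1-January dates the report
// formats. The first still rendered sanely on ESR52; the second overflowed
// and produced a negative year.
const LAST_SANE_DATE = new Date(178171 + 621, 0, 1);
const OVERFLOW_DATE = new Date(178171 + 622, 0, 1);

// Numeric year that Intl.DateTimeFormat reports for `date` in the Persian
// calendar, taken from formatToParts so no locale-specific separators
// need to be parsed. Returns NaN if the formatter produced no year part.
function persianYear(date) {
  const fmt = new Intl.DateTimeFormat(PERSIAN_LOCALE, {
    year: "numeric", month: "numeric", day: "numeric",
  });
  const part = fmt.formatToParts(date).find((p) => p.type === "year");
  return part ? Number(part.value) : NaN;
}

// A fixed ICU advances the Persian year by exactly one between two
// consecutive Gregorian new years and never yields a non-positive year;
// the overflowed build printed "-178169" for the second date.
// `conclusive` is false when the engine silently fell back to another
// calendar (e.g. a small-icu build): then the result says nothing about
// the Persian-calendar code path.
function checkPersianOverflow() {
  const calendar = new Intl.DateTimeFormat(PERSIAN_LOCALE)
    .resolvedOptions().calendar;
  const yearBefore = persianYear(LAST_SANE_DATE);
  const yearAfter = persianYear(OVERFLOW_DATE);
  const sane = Number.isFinite(yearBefore) && Number.isFinite(yearAfter) &&
    yearBefore > 0 && yearAfter > 0 && yearAfter - yearBefore === 1;
  return {
    calendar,
    conclusive: calendar === "persian",
    yearBefore,
    yearAfter,
    affected: !sane,
  };
}

console.log(checkPersianOverflow());
```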
Looking through the 2017 CVEs at https://security-tracker.debian.org/tracker/source-package/icu, as far as I can tell esr52 is not affected by CVE-2017-17484, but we don't seem to have patched CVE-2017-7867, CVE-2017-7868 or CVE-2017-14952. I don't know if or how badly they affect firefox though.
From comment 2, #1 might be worth fixing if it's reachable. Bug 1387939 and the clock-math original bug here are not.
Version: unspecified → 52 Branch
André, it sounds like #1 from your comment is worth consideration - can you comment on whether it's reachable or not?
Flags: needinfo?(andrebargull)
I don't think the function fixed in #1, that's |utf8TextAccess|, is reachable for us:

utf8TextAccess - Only used in |utf8TextExtract| and |utf8Funcs|.
utf8TextExtract - Only used in |utf8Funcs|.
utf8Funcs - Only used in |utext_openUTF8|.
utext_openUTF8 - Only used in |ucasemap_utf8ToTitle| and |CaseMap::utf8ToTitle(...)|.
ucasemap_utf8ToTitle - Never used.
CaseMap::utf8ToTitle(...) - Never used.
Flags: needinfo?(andrebargull)
Thanks for the analysis! Sounds like we can wontfix this then.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX

Removing employee no longer with company from CC list of private bugs.

Group: javascript-core-security