CVE-2020-10531

Priority
Description
An issue was discovered in International Components for Unicode (ICU) for
C/C++ through 66.1. An integer overflow, leading to a heap-based buffer
overflow, exists in the UnicodeString::doAppend() function in
common/unistr.cpp.
Notes
leosilva: According to Debian, versions below 52.1.8 are not affected
because the code is not present, though it needs further confirmation.
Keep precise/trusty as needs-triage.
mdeslaur: in xenial and older releases, vulnerable code looks to be in
UnicodeString::doReplace, need to investigate
leosilva: doAppend was written based on doReplace, which originally shipped the vulnerable code;
for more info, check commit 3d77fc18b8b. Marking precise/trusty as needed.
Package
Upstream: released (80.0.3987.122)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (80.0.3987.149-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (80.0.3987.149-0ubuntu0.18.04.1)
Ubuntu 19.10 (Eoan Ermine): not-affected (code not present)
Ubuntu 20.04 (Focal Fossa): not-affected (code not present)
Patches:
Upstream: https://chromium.googlesource.com/chromium/deps/icu/+/9f4020916eb1f28f3666f018fdcbe6c9a37f0e08
Package
Source: icu (LP Ubuntu Debian)
Upstream: needed
Ubuntu 12.04 ESM (Precise Pangolin): released (4.8.1.1-3ubuntu0.10)
Ubuntu 14.04 ESM (Trusty Tahr): released (52.1-3ubuntu0.8+esm1)
Ubuntu 16.04 LTS (Xenial Xerus): released (55.1-7ubuntu0.5)
Ubuntu 18.04 LTS (Bionic Beaver): released (60.2-3ubuntu3.1)
Ubuntu 19.10 (Eoan Ermine): released (63.2-2ubuntu0.1)
Ubuntu 20.04 (Focal Fossa): released (66.1-2ubuntu2)
Patches:
Upstream: https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
More Information

Updated: 2020-04-01 20:23:03 UTC (commit 761c9b20c2d9bb4657222b46491480d1b7f4f6b9)