empty segment fixes

Bug #341834 reported by Kees Cook on 2009-03-12
Affects: icu (Ubuntu)
Importance: Undecided
Assigned to: Marc Deslauriers

Bug Description

International Components for Unicode (ICU) in Apple Mac OS X before 10.5.3 omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.

CVE-2008-1036

Attached fix is from upstream, thanks to RedHat

Kees Cook (kees) wrote :
Kees Cook (kees) on 2009-03-25
Changed in icu (Ubuntu):
assignee: nobody → mdeslaur
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package icu - 3.6-3ubuntu0.2

---------------
icu (3.6-3ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting attack via invalid character
    sequences (LP: #341834)
    - debian/patches/03-cve-2008-1036.patch: Improve parsing logic in
      source/common/{ucnv2022.c,ucnv_bld.*,ucnv.c,ucnvhz.c} to replace
      invalid character sequences. Also, add test case to
      source/test/{cintltst/nucnvtst.c,testdata/conversion.txt}.
    - CVE-2008-1036

 -- Marc Deslauriers <email address hidden> Wed, 25 Mar 2009 10:54:08 -0400

Changed in icu:
status: In Progress → Fix Released
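
Added example, not part of the bug report or of ICU: the changelog says the fix replaces invalid character sequences rather than omitting them, and this sketch shows why that matters when markup is filtered before conversion. Python's UTF-8 codec error handlers stand in for the ICU converters; the filter, function names and sample bytes are constructed for illustration.

```python
# Added illustration, not ICU code. Assumption: Python's UTF-8 codec error
# handlers stand in for the ISO-2022/HZ converters named in the changelog.

BLOCKED = "<script"  # token a hypothetical markup filter rejects

# Constructed sample: 0xFF is never valid in UTF-8.
SAMPLE = b"<scr\xffipt>x</scr\xffipt>"


def convert_omitting(raw: bytes) -> str:
    """Behaviour class the CVE describes: invalid sequences are omitted."""
    return raw.decode("utf-8", errors="ignore")


def convert_replacing(raw: bytes) -> str:
    """Behaviour class of the fix: each invalid sequence becomes U+FFFD."""
    return raw.decode("utf-8", errors="replace")


def passes_byte_filter(raw: bytes) -> bool:
    """Hypothetical filter that inspects the bytes before conversion."""
    return BLOCKED.encode("ascii") not in raw.lower()


def has_blocked_token(text: str) -> bool:
    """True when the converted text contains the blocked token."""
    return BLOCKED in text.lower()


def audit(raw: bytes) -> dict:
    """Compare what the filter saw with what each conversion emits."""
    return {
        "filter_passed": passes_byte_filter(raw),
        "token_after_omitting": has_blocked_token(convert_omitting(raw)),
        "token_after_replacing": has_blocked_token(convert_replacing(raw)),
        "replacements": convert_replacing(raw).count("\ufffd"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Filtering the converted text instead of the raw bytes, or rejecting input that fails strict decoding, removes the mismatch between what the filter saw and what the consumer receives.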
This report contains Public Security information
Everyone can see this security related information.