Update icu4j to resolve CVEs #2295
Conversation
@@ -44,7 +44,7 @@ | |||
<dependency> | |||
<groupId>com.ibm.icu</groupId> | |||
<artifactId>icu4j</artifactId> | |||
<version>58.2</version> | |||
<version>61.1</version> | |||
</dependency> |
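Review bot: the hunk only bumps the version (58.2 to 61.1), but every CVE cited in the PR description describes "International Components for Unicode (ICU) for C/C++" and the CPE entries carry the c/c++ target, so the description should record whether the Java port actually ships the affected code or whether OWASP Dependency Check matched on the shared product name; without that note the next scan against 61.1 or a later release will raise the same question. Because the packaging configuration quoted later in this thread excludes com.ibm.icu:* from the built artifact, this compile-scope declaration is also what downstream consumers resolve, so adding `<scope>provided</scope>` under the version line and dropping that exclusion, as proposed in review, would let the bump fully address the report.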
💡 Ideally before this line you'd have the following:
<scope>provided</scope>
Then the other packaging exclusion could be completely removed:
Lines 117 to 121 in e05a6a6
<artifactSet>
  <excludes>
    <exclude>com.ibm.icu:*</exclude>
  </excludes>
</artifactSet>
The current update is fine, but this pair of changes would further isolate downstream dependencies from issues like the CVEs that led to this pull request.
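As an added example for this thread (not ANTLR project code), here is a small Python check that a pom.xml declares icu4j at or above a minimum version and, when asked, with the `provided` scope suggested above. The `POM_BEFORE` and `POM_AFTER` fragments are constructed to mirror the dependency block in the diff, `check_icu4j` and `find_dependency` are hypothetical helper names, and the 61.1 minimum is taken from the diff; treating an unresolved `${property}` version as failing is my own conservative choice.

```python
"""Gate a Maven pom.xml on its icu4j dependency: version at or above a
minimum and, optionally, declared with <scope>provided</scope>.

Added example for this review thread, not ANTLR project code.  The pom
fragments are constructed to mirror the dependency block in the diff; the
minimum version and the scope rule are assumptions about what CI enforces.
"""
import re
import xml.etree.ElementTree as ET

# Constructed "before" pom: compile-scope icu4j 58.2, the line the diff removes.
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j</artifactId>
      <version>58.2</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed "after" pom: 61.1 plus the provided scope suggested in review.
POM_AFTER = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j</artifactId>
      <version>61.1</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '61.1' into (61, 1) so versions compare numerically, not as strings.

    Non-numeric pieces (qualifiers, unresolved ${properties}) count as 0, so an
    unresolved version is flagged as below the minimum instead of passing.
    """
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _tag(root, name):
    """Qualify an element name with the pom's default namespace, if it has one."""
    if root.tag.startswith("{"):
        return "{" + root.tag[1:root.tag.index("}")] + "}" + name
    return name


def find_dependency(pom_xml, group_id, artifact_id):
    """Return {'version', 'scope'} for the first matching <dependency>, or None."""
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind(".//" + _tag(root, "dependency")):
        if (dep.findtext(_tag(root, "groupId"), default="").strip() == group_id
                and dep.findtext(_tag(root, "artifactId"), default="").strip() == artifact_id):
            return {
                "version": dep.findtext(_tag(root, "version"), default="").strip(),
                # Maven's default scope when none is declared.
                "scope": dep.findtext(_tag(root, "scope"), default="compile").strip(),
            }
    return None


def check_icu4j(pom_xml, min_version="61.1", require_provided=False):
    """Report whether the pom's icu4j declaration meets the policy."""
    dep = find_dependency(pom_xml, "com.ibm.icu", "icu4j")
    if dep is None:
        return {"found": False, "ok": False, "problems": ["icu4j is not declared"]}
    problems = []
    if parse_version(dep["version"]) < parse_version(min_version):
        problems.append(f"icu4j {dep['version'] or '<unset>'} is below minimum {min_version}")
    if require_provided and dep["scope"] != "provided":
        problems.append(f"icu4j scope is '{dep['scope']}', expected 'provided'")
    return {"found": True, "ok": not problems, "problems": problems, **dep}


if __name__ == "__main__":
    for label, pom in (("before", POM_BEFORE), ("after", POM_AFTER)):
        print(label, check_icu4j(pom, require_provided=True))
```

Run against a real pom by reading the file into `check_icu4j`; a non-empty `problems` list is the CI failure signal. The check only looks at the declaring pom, so a version set through dependency management in a parent pom still needs `mvn dependency:tree` to confirm what actually resolves.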
Thanks for the tip. Any idea when 4.7.2 will be released?
Release scheduling is outside my area of influence 😄
Is that @parrt's call?
Yep! 😄
Hi guys. So is this ready or do we need the scope thing @sharwell mentioned?
What are the issues potentially with changing the version to 61.1?
I couldn't find any. I ran it through all the tests my machine was set up to run. We've been running with the changed dependency in our production use since this was submitted. The CI build passed.
There are 4 CVEs against the current version of icu4j used by ANTLR. This PR updates to the latest version, which resolves all of the CVEs.
These were identified with the OWASP Dependency Check.
To the extent my environment is configured, all tests pass. For configurations I don't have (e.g., Python 3.5), the tests fail identically between versions.
Details:
Published Vulnerabilities
CVE-2017-14952
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-415 Double Free
Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.
CONFIRM - http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp
MISC - http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/
Vulnerable Software & Versions:
cpe:/a:icu-project:international_components_for_unicode:59.1::~~~c%2fc%2b%2b~~ and all previous versions
CVE-2017-17484
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
MISC - znc/znc#1459
MISC - https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.cpp
MISC - https://ssl.icu-project.org/trac/changeset/40714
MISC - https://ssl.icu-project.org/trac/changeset/40715
MISC - https://ssl.icu-project.org/trac/ticket/13490
MISC - https://ssl.icu-project.org/trac/ticket/13510
Vulnerable Software & Versions:
cpe:/a:icu-project:international_components_for_unicode:60.1::~~~c%2fc%2b%2b~~ and all previous versions
CVE-2017-7867
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-787 Out-of-bounds Write
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.
BID - 97672
DEBIAN - DSA-3830
GENTOO - GLSA-201710-03
MISC - http://bugs.icu-project.org/trac/changeset/39671
MISC - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213
Vulnerable Software & Versions:
cpe:/a:icu-project:international_components_for_unicode:58.2::~~~c%2fc%2b%2b~~ and all previous versions
CVE-2017-7868
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-787 Out-of-bounds Write
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.
BID - 97674
DEBIAN - DSA-3830
GENTOO - GLSA-201710-03
MISC - http://bugs.icu-project.org/trac/changeset/39671
MISC - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437
Vulnerable Software & Versions:
cpe:/a:icu-project:international_components_for_unicode:58.2::~~~c%2fc%2b%2b~~ and all previous versions