oss-sec mailing list archives
CVE request: icu: stack-based buffer overflow in uloc_getDisplayName
From: Doran Moppert <dmoppert () redhat com>
Date: Fri, 25 Nov 2016 10:09:09 +1030
A stack overflow in ICU4C (http://icu-project.org/), fixed some 3 years ago in 54.1 but affecting versions back to (at least) 3.6, has just been made public on the ICU tracker.

Upstream bug: http://bugs.icu-project.org/trac/ticket/10891
Patch: http://bugs.icu-project.org/trac/changeset/35699

The bug was originally discovered in PHP and a workaround applied there:

https://bugs.php.net/bug.php?id=67397

Note that the PHP bug is exactly the same flaw, but they worked around it by limiting the length of strings passed to icu. I don't believe this needs a separate CVE even though it was "fixed" independently.

While code execution is theoretically possible, bypassing the stack canary looks extremely difficult. Most likely impact on platforms building with SSP is only a crash.

https://bugzilla.redhat.com/show_bug.cgi?id=1383569

--
Doran Moppert
Red Hat Product Security
Current thread:
- CVE request: icu: stack-based buffer overflow in uloc_getDisplayName Doran Moppert (Nov 24)
- Re: CVE request: icu: stack-based buffer overflow in uloc_getDisplayName cve-assign (Nov 24)
- Re: Re: CVE request: icu: stack-based buffer overflow in uloc_getDisplayName Steven R. Loomis (Nov 25)
- Re: CVE request: icu: stack-based buffer overflow in uloc_getDisplayName cve-assign (Nov 24)