Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20161124233908.GA20286@sin.redhat.com>
Date: Fri, 25 Nov 2016 10:09:09 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: icu: stack-based buffer overflow in uloc_getDisplayName


A stack overflow in ICU4C (http://icu-project.org/), fixed some 3 years
ago in 54.1 but affecting versions back to (at least) 3.6, has just been
made public on the ICU tracker.

Upstream bug:

http://bugs.icu-project.org/trac/ticket/10891

Patch:

http://bugs.icu-project.org/trac/changeset/35699

The bug was originally discovered in PHP and a workaround applied there:

https://bugs.php.net/bug.php?id=67397

Note that the PHP bug is exactly the same flaw, but they worked around
it by limiting the length of strings passed to icu.  I don't believe
this needs a separate CVE even though it was "fixed" independently.

While code execution is theoretically possible, bypassing the stack
canary looks extremely difficult.  Most likely impact on platforms
building with SSP is only a crash.

https://bugzilla.redhat.com/show_bug.cgi?id=1383569

-- 
Doran Moppert
Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.