Date: Fri, 25 Nov 2016 10:09:09 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: icu: stack-based buffer overflow in uloc_getDisplayName

A stack overflow in ICU4C (http://icu-project.org/), fixed some 3 years ago in 54.1 but affecting versions back to (at least) 3.6, has just been made public on the ICU tracker.

Upstream bug: http://bugs.icu-project.org/trac/ticket/10891
Patch: http://bugs.icu-project.org/trac/changeset/35699

The bug was originally discovered in PHP and a workaround applied there: https://bugs.php.net/bug.php?id=67397

Note that the PHP bug is exactly the same flaw, but they worked around it by limiting the length of strings passed to icu. I don't believe this needs a separate CVE even though it was "fixed" independently.

While code execution is theoretically possible, bypassing the stack canary looks extremely difficult. Most likely impact on platforms building with SSP is only a crash.

https://bugzilla.redhat.com/show_bug.cgi?id=1383569

-- 
Doran Moppert
Red Hat Product Security
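As an added example (not part of the post above, and not ICU's or PHP's code): a C sketch of the caller-side mitigation the post attributes to PHP, a hard cap on the length of the string handed to the library, combined with the preflight-then-allocate pattern so the output buffer is always bounded. `fmt_display_name`, `MAX_LOCALE_ID_LEN` and `ERR_BUFFER_OVERFLOW` are constructed stand-ins modelled on ICU's convention of returning the required length and flagging `U_BUFFER_OVERFLOW_ERROR`; they are assumptions for this example, not ICU's API, and nothing here links against ICU.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on the locale ID length accepted from callers. Constructed value for
 * this example; it models the PHP workaround of limiting how long a string
 * may be before it is passed to ICU. */
#define MAX_LOCALE_ID_LEN 64

/* Error code used by the stand-in below when the output buffer is too small.
 * Constructed: it plays the role ICU's U_BUFFER_OVERFLOW_ERROR plays, but
 * this example does not link against ICU. */
#define ERR_BUFFER_OVERFLOW 15

/* Stand-in for an ICU-style display-name routine (hypothetical, not ICU code).
 * Contract: write at most max_result bytes into result (NUL-terminated when it
 * fits), always return the full length the complete string would need, and
 * set *err when the supplied buffer was too small. Because it writes through
 * snprintf with an explicit bound, it never spills past the caller's buffer. */
static int fmt_display_name(const char *locale_id, char *result,
                            int max_result, int *err)
{
    int needed = snprintf(result, (size_t)max_result, "Locale <%s>", locale_id);
    if (needed < 0) {
        *err = -1;
        return -1;
    }
    if (needed >= max_result)
        *err = ERR_BUFFER_OVERFLOW;   /* the preflight call lands here by design */
    return needed;
}

/* Bounded length: inspects at most limit+1 bytes, so an overlong input is
 * detected without walking an arbitrarily long string. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened caller: reject overlong IDs before any copying happens, then use
 * preflight-then-allocate so the output buffer is exactly large enough.
 * Returns a malloc'd string the caller frees, or NULL on rejection/failure. */
char *safe_display_name(const char *locale_id)
{
    if (locale_id == NULL)
        return NULL;
    if (bounded_len(locale_id, MAX_LOCALE_ID_LEN) > MAX_LOCALE_ID_LEN)
        return NULL;                       /* the PHP-style length guard */

    int err = 0;
    int needed = fmt_display_name(locale_id, NULL, 0, &err);
    if (needed < 0)
        return NULL;                       /* err == ERR_BUFFER_OVERFLOW is expected here */

    char *out = malloc((size_t)needed + 1);
    if (out == NULL)
        return NULL;

    err = 0;
    int written = fmt_display_name(locale_id, out, needed + 1, &err);
    if (err != 0 || written != needed) {   /* defensive: the contract was violated */
        free(out);
        return NULL;
    }
    return out;
}

/* Self-checks so the behaviour can be verified on return values. */
int accepts_short_id(void)
{
    char *s = safe_display_name("en_US");
    int ok = (s != NULL && strcmp(s, "Locale <en_US>") == 0);
    free(s);
    return ok;
}

int rejects_long_id(void)
{
    char big[MAX_LOCALE_ID_LEN + 100];     /* constructed overlong input */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return safe_display_name(big) == NULL && safe_display_name(NULL) == NULL;
}

int main(void)
{
    char *s = safe_display_name("de_DE");
    printf("short id -> %s\n", s ? s : "(rejected)");
    free(s);
    printf("overlong id rejected: %s\n", rejects_long_id() ? "yes" : "no");
    return 0;
}
```

The cap rejects the input before any library call, which is what makes the workaround independent of the library fix; the preflight step is the belt-and-braces part, since a caller that sizes its buffer from the returned length never depends on a fixed stack array inside the callee.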