Bug 1383569 (CVE-2014-9911)
Summary: | CVE-2014-9911 icu: stack-based buffer overflow in uloc_getDisplayName |
---|---|
Product: | [Other] Security Response |
Component: | vulnerability |
Reporter: | Doran Moppert <dmoppert> |
Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX |
Severity: | medium |
Priority: | medium |
Version: | unspecified |
CC: | abhgupta, carnil, denis.arnaud_fedora, erack, erik-fedora, kseifried, mfabian, security-response-team, slawomir, tiwillia, tuxator |
Keywords: | Security |
Hardware: | All |
OS: | Linux |
Fixed In Version: | icu 54.1 |
Last Closed: | 2016-11-30 03:51:01 UTC |
Bug Depends On: | 1397625, 1397626 |
Bug Blocks: | 1360344 |

Description
Doran Moppert
2016-10-11 05:48:29 UTC
PHP bug (already fixed in bug 1065838): https://bugs.php.net/bug.php?id=67397

Related ICU bug: http://bugs.icu-project.org/trac/ticket/11936

Created mingw-icu tracking bugs for this issue:

Affects: fedora-all [bug 1397625]
Affects: epel-7 [bug 1397626]

The affected function has only one buffer on the stack, and it is overflowed at the end by copying a null-terminated string with strcpy(). Thus, building with -fstack-protector-strong (as in Red Hat Enterprise Linux and Fedora) provides a reasonable level of defence against this attack achieving anything more than a crash. An attacker would need to discover the stack canary through an information leak elsewhere, and then cause multiple strcpy()s to overwrite the return address as well as the canary. This may not be impossible, but it's certainly extremely difficult.

CVE assignment: http://seclists.org/oss-sec/2016/q4/525

This flaw has manifested in PHP and been worked around there twice, as CVE-2014-9912 and CVE-2016-6294. Fixing this flaw in icu will also mitigate both of those PHP flaws.
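
The pattern described in the report above (a single fixed-size stack buffer filled by strcpy() from a null-terminated string), shown beside a length-checked form. This is an added example, not ICU's code or its fix and not part of the original bug report; `LOCALE_BUF_CAP`, the function names and the status enum are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical capacity for this example; not taken from ICU's source. */
#define LOCALE_BUF_CAP 16

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1 };

/* The pattern the report describes: one fixed stack buffer filled by
 * strcpy(). Nothing bounds strlen(locale), so a long input writes past
 * buf[]; built with -fstack-protector-strong, the canary check aborts
 * the process when the function returns. Shown for contrast, not called. */
size_t locale_len_unchecked(const char *locale)
{
    char buf[LOCALE_BUF_CAP];
    strcpy(buf, locale);                 /* no length check */
    return strlen(buf);
}

/* Hardened form: measure first, copy only if the string and its NUL fit.
 * Returns the length required so the caller can report or retry. */
size_t copy_locale_checked(char *dst, size_t cap, const char *locale,
                           enum copy_status *status)
{
    size_t need = strlen(locale);
    if (need >= cap) {
        if (cap > 0)
            dst[0] = '\0';               /* leave dst a valid empty string */
        *status = COPY_TOO_LONG;
        return need;
    }
    memcpy(dst, locale, need + 1);       /* includes the terminating NUL */
    *status = COPY_OK;
    return need;
}

/* Same stack buffer as the unchecked version, filled through the check. */
size_t locale_len_checked(const char *locale, enum copy_status *status)
{
    char buf[LOCALE_BUF_CAP];
    copy_locale_checked(buf, sizeof buf, locale, status);
    return strlen(buf);                  /* 0 when the input was rejected */
}
```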