Bug 1360339 (CVE-2016-6293)

Summary: CVE-2016-6293 icu: Out-of-bounds access in uloc_acceptLanguageFromHTTP
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, caolanm, denis.arnaud_fedora, dmcphers, dmoppert, erack, erik-fedora, jialiu, jokerman, kseifried, lmeyer, mfabian, Michael.Johnson, mmccomas, rmeggins, sardella, slawomir, tiwillia, tuxator
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: icu 58.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-30 03:50:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1360340, 1360341, 1360342    
Bug Blocks: 1360344    

Description Adam Mariš 2016-07-26 12:47:47 UTC 
It was found that uloc_acceptLanguageFromHTTP function in common/uloc.cpp does not ensure that there is a '\0' character at the end of a certain temporary array that leads to out of bounds access, possibly causing DoS.

CVE assignment:

http://seclists.org/oss-sec/2016/q3/137
Comment 1 Adam Mariš 2016-07-26 12:50:09 UTC 
Created mingw-icu tracking bugs for this issue:

Affects: fedora-all [bug 1360341]
Affects: epel-7 [bug 1360342]
Comment 2 Adam Mariš 2016-07-26 12:50:20 UTC 
Created icu tracking bugs for this issue:

Affects: fedora-all [bug 1360340]
Comment 3 Eike Rathke 2016-07-26 13:21:02 UTC 
And the patch fixing this is ... where?
Comment 4 Eike Rathke 2016-08-26 09:20:21 UTC 
Any update on this?
Comment 5 Michael K Johnson (@SAS) 2016-08-29 13:50:27 UTC 
I don't even find a bug filed in the icu bug tracker upstream:
http://bugs.icu-project.org/trac/search?q=CVE-2016-6293
However, at https://sourceforge.net/p/icu/mailman/message/35305922/
upstream say they "are tracking this issue"

Maybe they have a private ticket in trac for a publicly-disclosed
vulnerability?
Comment 6 Doran Moppert 2016-09-28 02:40:31 UTC 
It looks like the patch is http://bugs.icu-project.org/trac/changeset/39109 - referenced ticket is private but description, timeline and tests look correct.
Comment 7 Doran Moppert 2016-09-29 03:56:41 UTC 
Impact here looks relatively low:

 - a string of the precise length fails to be null terminated, causing out-of-bounds read in strcmp().  At worst this is a crash.

 - other than php, no packages shipped in Red Hat Enterprise Linux use this function


Third-party code can protect itself in the same way as PHP, by ensuring the httpAcceptLanguage parameter passed to uloc_acceptLanguageFromHTTP is no longer than ULOC_FULLNAME_CAPACITY bytes.  This constant is defined as 157 in libicu-50.1.2, which is more than enough for a legitimate Accept-Language string.

libicu does not make any internal calls to uloc_acceptLanguageFromHTTP, so a simple grep for that entry point is sufficient to determine if client code is vulnerable.
Comment 9 Doran Moppert 2016-11-04 08:36:38 UTC 
Upstream bug (ICU) (private as at 2016-11-04):

http://bugs.icu-project.org/trac/ticket/12652