Bug 1360339 (CVE-2016-6293)
| Summary: | CVE-2016-6293 icu: Out-of-bounds access in uloc_acceptLanguageFromHTTP | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | abhgupta, caolanm, denis.arnaud_fedora, dmcphers, dmoppert, erack, erik-fedora, jialiu, jokerman, kseifried, lmeyer, mfabian, Michael.Johnson, mmccomas, rmeggins, sardella, slawomir, tiwillia, tuxator |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | icu 58.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-30 03:50:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1360340, 1360341, 1360342 | | |
| Bug Blocks: | 1360344 | | |
Description
Adam Mariš
2016-07-26 12:47:47 UTC
Created mingw-icu tracking bugs for this issue:

Affects: fedora-all [bug 1360341]
Affects: epel-7 [bug 1360342]

Created icu tracking bugs for this issue:

Affects: fedora-all [bug 1360340]

And the patch fixing this is ... where? Any update on this?

I don't even find a bug filed in the icu bug tracker upstream: http://bugs.icu-project.org/trac/search?q=CVE-2016-6293

However, at https://sourceforge.net/p/icu/mailman/message/35305922/ upstream say they "are tracking this issue". Maybe they have a private ticket in trac for a publicly-disclosed vulnerability?

It looks like the patch is http://bugs.icu-project.org/trac/changeset/39109 - referenced ticket is private but description, timeline and tests look correct.

Impact here looks relatively low:

- a string of the precise length fails to be null terminated, causing out-of-bounds read in strcmp(). At worst this is a crash.
- other than php, no packages shipped in Red Hat Enterprise Linux use this function

Third-party code can protect itself in the same way as PHP, by ensuring the httpAcceptLanguage parameter passed to uloc_acceptLanguageFromHTTP is no longer than ULOC_FULLNAME_CAPACITY bytes. This constant is defined as 157 in libicu-50.1.2, which is more than enough for a legitimate Accept-Language string. libicu does not make any internal calls to uloc_acceptLanguageFromHTTP, so a simple grep for that entry point is sufficient to determine if client code is vulnerable.

Upstream bug (ICU) (private as at 2016-11-04): http://bugs.icu-project.org/trac/ticket/12652
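The caller-side guard described in the last comment, written out as an added example (this is not code from the bug report, from ICU or from PHP). It assumes a hard-coded `ULOC_FULLNAME_CAPACITY_50` of 157, the value the comment quotes for libicu-50.1.2; code built against a real ICU should use the `ULOC_FULLNAME_CAPACITY` macro from its own headers instead. The check is deliberately stricter than "no longer than": it requires room for the terminating NUL, so an input of exactly the capacity, the case the comment says ends up unterminated, is rejected. The function names and the sample headers are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ULOC_FULLNAME_CAPACITY as quoted in the bug report for libicu-50.1.2.
 * Assumption: code built against a real ICU should take the macro from
 * <unicode/uloc.h> rather than hard-coding this value. */
#define ULOC_FULLNAME_CAPACITY_50 157

/* Bounded strlen that never reads past 'cap' bytes, so the guard itself
 * cannot over-read an unterminated or oversized input. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 when 'hdr' plus its terminating NUL fits in a buffer of 'cap'
 * bytes and may be handed to uloc_acceptLanguageFromHTTP; 0 when the caller
 * should reject the header (or fall back to a default locale) instead.
 * Inputs of exactly 'cap' bytes are rejected on purpose: the bug report says
 * a string of the precise length is the one that ends up unterminated. */
int accept_language_fits(const char *hdr, size_t cap)
{
    if (hdr == NULL || cap == 0)
        return 0;
    return bounded_len(hdr, cap) < cap;
}

/* Self-check on constructed inputs: an ordinary header, a header one byte
 * under the capacity, and one of exactly the capacity. Returns 1 if every
 * case is classified as expected. */
int self_check(void)
{
    static char exact[ULOC_FULLNAME_CAPACITY_50 + 1]; /* 157 chars + NUL */
    static char under[ULOC_FULLNAME_CAPACITY_50];     /* 156 chars + NUL */
    memset(exact, 'a', sizeof exact - 1);
    exact[sizeof exact - 1] = '\0';
    memset(under, 'a', sizeof under - 1);
    under[sizeof under - 1] = '\0';

    int ok = 1;
    ok &= accept_language_fits("en-US,en;q=0.8,fr;q=0.5", ULOC_FULLNAME_CAPACITY_50) == 1;
    ok &= accept_language_fits(under, ULOC_FULLNAME_CAPACITY_50) == 1;
    ok &= accept_language_fits(exact, ULOC_FULLNAME_CAPACITY_50) == 0;
    ok &= accept_language_fits(NULL, ULOC_FULLNAME_CAPACITY_50) == 0;
    return ok;
}

int main(void)
{
    int ok = self_check();
    printf("accept-language guard self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Call `accept_language_fits` on the raw header immediately before the call to `uloc_acceptLanguageFromHTTP` and fall back to a default locale when it returns 0; as the comment notes, a grep for `uloc_acceptLanguageFromHTTP` across the client source tree locates every call site that needs the guard.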