Bug 1360339 (CVE-2016-6293)

Summary: CVE-2016-6293 icu: Out-of-bounds access in uloc_acceptLanguageFromHTTP
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abhgupta, caolanm, denis.arnaud_fedora, dmcphers, dmoppert, erack, erik-fedora, jialiu, jokerman, kseifried, lmeyer, mfabian, Michael.Johnson, mmccomas, rmeggins, sardella, slawomir, tiwillia, tuxator
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20160703,reported=20160721,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L,cwe=CWE-125,rhel-5/icu=wontfix,rhel-6/icu=wontfix,rhel-7/icu=wontfix,directory_server_8/icu=wontfix,openshift-enterprise-2/icu=wontfix,fedora-all/icu=affected,fedora-all/mingw-icu=affected,epel-7/mingw-icu=affected
Fixed In Version: icu 58.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-30 03:50:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1360341, 1360342, 1360340
Bug Blocks: 1360344

Description Adam Mariš 2016-07-26 12:47:47 UTC
It was found that the uloc_acceptLanguageFromHTTP function in common/uloc.cpp does not ensure that there is a '\0' character at the end of a certain temporary array, which leads to an out-of-bounds access, possibly causing a DoS.

CVE assignment:

http://seclists.org/oss-sec/2016/q3/137

Comment 1 Adam Mariš 2016-07-26 12:50:09 UTC
Created mingw-icu tracking bugs for this issue:

Affects: fedora-all [bug 1360341]
Affects: epel-7 [bug 1360342]

Comment 2 Adam Mariš 2016-07-26 12:50:20 UTC
Created icu tracking bugs for this issue:

Affects: fedora-all [bug 1360340]

Comment 3 Eike Rathke 2016-07-26 13:21:02 UTC
And the patch fixing this is ... where?

Comment 4 Eike Rathke 2016-08-26 09:20:21 UTC
Any update on this?

Comment 5 Michael K Johnson (@SAS) 2016-08-29 13:50:27 UTC
I don't even find a bug filed in the icu bug tracker upstream:
http://bugs.icu-project.org/trac/search?q=CVE-2016-6293
However, at https://sourceforge.net/p/icu/mailman/message/35305922/
upstream say they "are tracking this issue"

Maybe they have a private ticket in trac for a publicly-disclosed
vulnerability?

Comment 6 Doran Moppert 2016-09-28 02:40:31 UTC
It looks like the patch is http://bugs.icu-project.org/trac/changeset/39109 - referenced ticket is private but description, timeline and tests look correct.

Comment 7 Doran Moppert 2016-09-29 03:56:41 UTC
Impact here looks relatively low:

 - a string of the precise length fails to be null terminated, causing out-of-bounds read in strcmp().  At worst this is a crash.

 - other than php, no packages shipped in Red Hat Enterprise Linux use this function
Third-party code can protect itself in the same way as PHP, by ensuring the httpAcceptLanguage parameter passed to uloc_acceptLanguageFromHTTP is no longer than ULOC_FULLNAME_CAPACITY bytes.  This constant is defined as 157 in libicu-50.1.2, which is more than enough for a legitimate Accept-Language string.

libicu does not make any internal calls to uloc_acceptLanguageFromHTTP, so a simple grep for that entry point is sufficient to determine if client code is vulnerable.
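An added example of the caller-side guard Comment 7 describes (not ICU's or PHP's own code): the whole Accept-Language value is length-checked against ULOC_FULLNAME_CAPACITY before it could ever be handed to uloc_acceptLanguageFromHTTP, and an accepted value is copied into a buffer that is always NUL-terminated. The value 157 is assumed from the comment (a real build should take the constant from <unicode/uloc.h>), and the names check_accept_language, copy_accept_language and bounded_len are hypothetical.

```c
#include <string.h>

/* Assumed value: Comment 7 reports ULOC_FULLNAME_CAPACITY as 157 in
 * libicu-50.1.2. Real callers should include <unicode/uloc.h> and use
 * the library's own definition instead of this fallback. */
#ifndef ULOC_FULLNAME_CAPACITY
#define ULOC_FULLNAME_CAPACITY 157
#endif

enum accept_lang_check {
    ACCEPT_LANG_OK = 0,        /* safe to hand to uloc_acceptLanguageFromHTTP */
    ACCEPT_LANG_NULL = 1,      /* no header present: use the default locale */
    ACCEPT_LANG_TOO_LONG = 2   /* longer than ULOC_FULLNAME_CAPACITY: reject */
};

/* Length of s, never scanning more than limit bytes, so the guard itself
 * cannot over-read an input that is missing its terminator. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Caller-side guard in the spirit of PHP's fix: the whole Accept-Language
 * value must be no longer than ULOC_FULLNAME_CAPACITY bytes. */
enum accept_lang_check check_accept_language(const char *httpAcceptLanguage)
{
    if (httpAcceptLanguage == NULL)
        return ACCEPT_LANG_NULL;
    if (bounded_len(httpAcceptLanguage, ULOC_FULLNAME_CAPACITY + 1) > ULOC_FULLNAME_CAPACITY)
        return ACCEPT_LANG_TOO_LONG;
    return ACCEPT_LANG_OK;
}

/* Copies an accepted header into a caller-owned, always NUL-terminated buffer.
 * Returns 1 on success, 0 when the header was rejected or dst is too small,
 * so the caller falls back to a default locale instead of calling into ICU. */
int copy_accept_language(char *dst, size_t dstcap, const char *httpAcceptLanguage)
{
    size_t n;
    if (dstcap < ULOC_FULLNAME_CAPACITY + 1)
        return 0;
    if (check_accept_language(httpAcceptLanguage) != ACCEPT_LANG_OK)
        return 0;
    n = bounded_len(httpAcceptLanguage, ULOC_FULLNAME_CAPACITY);
    memcpy(dst, httpAcceptLanguage, n);
    dst[n] = '\0';
    return 1;
}
```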

Comment 9 Doran Moppert 2016-11-04 08:36:38 UTC
Upstream bug (ICU) (private as at 2016-11-04):

http://bugs.icu-project.org/trac/ticket/12652