Bug 1383569 (CVE-2014-9911)

Summary: CVE-2014-9911 icu: stack-based buffer overflow in uloc_getDisplayName
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: icu 54.1
Last Closed: 2016-11-30 03:51:01 UTC
Reporter: Doran Moppert <dmoppert>
Assignee: Red Hat Product Security <security-response-team>
CC: abhgupta, carnil, denis.arnaud_fedora, erack, erik-fedora, kseifried, mfabian, security-response-team, slawomir, tiwillia, tuxator
Doc Type: If docs needed, set a value
Bug Depends On: 1397625, 1397626
Bug Blocks: 1360344

Description Doran Moppert 2016-10-11 05:48:29 UTC
A locale string of more than 255 characters passed to uloc_getDisplayName() could overflow a buffer on the stack, leading to a crash or, potentially, code execution.

Upstream patch:

http://bugs.icu-project.org/trac/changeset/35699

Upstream issue (private as at 2016-10-11):

http://bugs.icu-project.org/trac/ticket/10891

Comment 1 Doran Moppert 2016-10-11 05:52:45 UTC
PHP bug (already fixed in bug 1065838):

https://bugs.php.net/bug.php?id=67397

Related ICU bug:

http://bugs.icu-project.org/trac/ticket/11936

Comment 4 Doran Moppert 2016-11-23 01:36:02 UTC
Created mingw-icu tracking bugs for this issue:

Affects: fedora-all [bug 1397625]
Affects: epel-7 [bug 1397626]

Comment 5 Doran Moppert 2016-11-23 06:15:53 UTC
The affected function has only one buffer on the stack, and it is overflowed at the end by copying a null-terminated string with strcpy().

Thus, building with -fstack-protector-strong (as in Red Hat Enterprise Linux and Fedora) provides a reasonable level of defence against this attack achieving anything more than a crash.  An attacker would need to discover the stack canary through an information leak elsewhere, and then cause multiple strcpy()s to overwrite the return address as well as the canary.  This may not be impossible, but it's certainly extremely difficult.
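
The pattern described in the description and in comment 5 (one fixed-size stack buffer, filled by strcpy() from a caller-controlled, NUL-terminated locale ID) is shown below next to a bounded version and a caller-side length guard of the kind PHP applied as its workaround. This is an added, standalone illustration, not ICU's or PHP's code: the 256-byte capacity, the canonicalise() helper and the function names are assumptions chosen to mirror the "more than 255 characters" figure in the report; ICU's real display-name logic and its constants are not reproduced here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity for this example: the report says a locale ID of more
 * than 255 characters overflows the callee's single stack buffer. */
#define LOCALE_BUF_CAPACITY 256

/* Shared body: canonicalise a locale ID in place, lowercasing the language
 * subtag and uppercasing the region subtag (en_us -> en_US). Illustrative
 * stand-in for the real work a display-name routine does on a local copy. */
static void canonicalise(char *id)
{
    char *p = id;
    for (; *p && *p != '_'; p++)
        *p = (char)tolower((unsigned char)*p);
    if (*p == '_')
        for (p++; *p && *p != '_'; p++)
            *p = (char)toupper((unsigned char)*p);
}

/* Vulnerable shape, as described in comment 5: one fixed-size stack buffer
 * filled by strcpy() from a NUL-terminated, caller-controlled string.
 * An ID of LOCALE_BUF_CAPACITY or more bytes writes past `local` and, with
 * -fstack-protector-strong, is caught by the canary at function return.
 * Kept only for comparison; never call it with untrusted input. */
int display_name_unsafe(const char *locale_id, char *out, size_t out_cap)
{
    char local[LOCALE_BUF_CAPACITY];
    strcpy(local, locale_id);                 /* no length check at all */
    canonicalise(local);
    if (strlen(local) >= out_cap) return -1;
    strcpy(out, local);
    return 0;
}

/* Hardened shape: measure first, refuse anything that would not fit, and
 * only then copy a known number of bytes. Returns 0 on success, -1 when the
 * input is too long for the internal buffer (the analogue of ICU reporting
 * a buffer-overflow error instead of writing), -2 when the caller's output
 * buffer is too small. Nothing is written to `out` on failure. */
int display_name_safe(const char *locale_id, char *out, size_t out_cap)
{
    char local[LOCALE_BUF_CAPACITY];
    size_t n = strlen(locale_id);
    if (n >= sizeof local) return -1;         /* would overflow: reject */
    memcpy(local, locale_id, n + 1);          /* bounded copy, NUL included */
    canonicalise(local);
    if (n >= out_cap) return -2;
    memcpy(out, local, n + 1);
    return 0;
}

/* Caller-side guard, the shape of PHP's workaround: reject over-long IDs
 * before they reach the library at all. 1 = acceptable, 0 = too long. */
int locale_id_acceptable(const char *locale_id)
{
    return strlen(locale_id) < LOCALE_BUF_CAPACITY;
}

int main(void)
{
    char out[64];
    char long_id[400];                        /* constructed over-long input */
    memset(long_id, 'a', sizeof long_id - 1);
    long_id[sizeof long_id - 1] = '\0';

    printf("en_us -> rc=%d out=%s\n", display_name_safe("en_us", out, sizeof out), out);
    printf("399-char id -> rc=%d (rejected)\n", display_name_safe(long_id, out, sizeof out));
    printf("guard: short=%d long=%d\n", locale_id_acceptable("de_DE"), locale_id_acceptable(long_id));
    /* display_name_unsafe(long_id, out, sizeof out) would smash the stack here. */
    return 0;
}
```

The guard is what a consumer (PHP, or any other caller) can apply without waiting for a library fix; the bounded copy is what the library itself needs so that the stack canary is never the last line of defence.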

Comment 6 Doran Moppert 2016-11-25 01:04:54 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q4/525

Comment 7 Doran Moppert 2016-11-29 05:03:57 UTC
This flaw has manifested in PHP and been worked around there twice, as CVE-2014-9912 and CVE-2016-6294.  Fixing this flaw in icu will also mitigate both of those PHP flaws.