Bug 1383569 (CVE-2014-9911) - CVE-2014-9911 icu: stack-based buffer overflow in uloc_getDisplayName
Summary: CVE-2014-9911 icu: stack-based buffer overflow in uloc_getDisplayName
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-9911
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161122,repor...
Depends On: 1397625 1397626
Blocks: 1360344
TreeView+ depends on / blocked
 
Reported: 2016-10-11 05:48 UTC by Doran Moppert
Modified: 2019-06-08 21:30 UTC (History)
11 users (show)

Fixed In Version: icu 54.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-30 03:51:01 UTC


Attachments (Terms of Use)

Description Doran Moppert 2016-10-11 05:48:29 UTC
A locale string of more than 255 characters passed to uloc_getDisplayName() could overflow a buffer on the stack, leading a crash or, potentially, code execution.

Upstream patch:

http://bugs.icu-project.org/trac/changeset/35699

Upstream issue (private as at 2016-10-11):

http://bugs.icu-project.org/trac/ticket/10891

Comment 1 Doran Moppert 2016-10-11 05:52:45 UTC
PHP bug (already fixed in bug 1065838):

https://bugs.php.net/bug.php?id=67397

Related ICU bug:

http://bugs.icu-project.org/trac/ticket/11936

Comment 4 Doran Moppert 2016-11-23 01:36:02 UTC
Created mingw-icu tracking bugs for this issue:

Affects: fedora-all [bug 1397625]
Affects: epel-7 [bug 1397626]

Comment 5 Doran Moppert 2016-11-23 06:15:53 UTC
The affected function has only one buffer on the stack, and it is overflowed at the end by copying a null-terminated string with strcpy().

Thus, building with -fstack-protector-strong (as in Red Hat Enterprise Linux and Fedora) provides a reasonable level of defence against this attack achieving anything more than a crash.  An attacker would need to discover the stack canary through an information leak elsewhere, and then cause multiple strcpy()s to overwrite the return address as well as the canary.  This may not be impossible, but it's certainly extremely difficult.

Comment 6 Doran Moppert 2016-11-25 01:04:54 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q4/525

Comment 7 Doran Moppert 2016-11-29 05:03:57 UTC
This flaw has manifested in PHP and been worked around there twice, as CVE-2014-9912 and CVE-2016-6294.  Fixing this flaw in icu will also mitigate both of those PHP flaws.


Note You need to log in before you can comment on or make changes to this bug.