Red Hat Bugzilla – Bug 1383569
CVE-2014-9911 icu: stack-based buffer overflow in uloc_getDisplayName
Last modified: 2016-11-29 22:51:01 EST
A locale string of more than 255 characters passed to uloc_getDisplayName() could overflow a buffer on the stack, leading a crash or, potentially, code execution. Upstream patch: http://bugs.icu-project.org/trac/changeset/35699 Upstream issue (private as at 2016-10-11): http://bugs.icu-project.org/trac/ticket/10891
PHP bug (already fixed in bug 1065838): https://bugs.php.net/bug.php?id=67397 Related ICU bug: http://bugs.icu-project.org/trac/ticket/11936
Created mingw-icu tracking bugs for this issue: Affects: fedora-all [bug 1397625] Affects: epel-7 [bug 1397626]
The affected function has only one buffer on the stack, and it is overflowed at the end by copying a null-terminated string with strcpy(). Thus, building with -fstack-protector-strong (as in Red Hat Enterprise Linux and Fedora) provides a reasonable level of defence against this attack achieving anything more than a crash. An attacker would need to discover the stack canary through an information leak elsewhere, and then cause multiple strcpy()s to overwrite the return address as well as the canary. This may not be impossible, but it's certainly extremely difficult.
CVE assignment: http://seclists.org/oss-sec/2016/q4/525
This flaw has manifested in PHP and been worked around there twice, as CVE-2014-9912 and CVE-2016-6294. Fixing this flaw in icu will also mitigate both of those PHP flaws.