Bug 1524819 - (CVE-2017-17484) CVE-2017-17484 icu: stack-based buffer overflow in ucnv_u8.cpp:ucnv_UTF8FromUTF8 can lead to denial of service
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20171121,repor...
Keywords: Security
Depends On: 1524820
Blocks: 1524823
Reported: 2017-12-12 02:50 EST by Sam Fowler
Modified: 2017-12-15 08:46 EST

Fixed In Version: icu 60.1
Last Closed: 2017-12-12 08:37:21 EST

Description Sam Fowler 2017-12-12 02:50:10 EST
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17484
http://www.cvedetails.com/cve/CVE-2017-17484/
https://ssl.icu-project.org/trac/ticket/13490
https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.cpp
https://ssl.icu-project.org/trac/ticket/13510
https://ssl.icu-project.org/trac/changeset/40715
https://ssl.icu-project.org/trac/changeset/40714
https://github.com/znc/znc/issues/1459
Comment 1 Sam Fowler 2017-12-12 02:51:19 EST
Created icu tracking bugs for this issue:

Affects: fedora-all [bug 1524820]
Comment 2 Stefan Cornelius 2017-12-12 08:29:46 EST
I think this was introduced by https://ssl.icu-project.org/trac/changeset/40455/trunk/icu4c/source/common/ucnv_u8.cpp

The fixed version passes the testcase, but revision 40455 fails, then https://ssl.icu-project.org/trac/browser/trunk/icu4c/source/common/ucnv_u8.cpp?rev=39745 passes again.

The poc has shown no symptoms when testing on RHEL.
Comment 3 Stefan Cornelius 2017-12-12 08:29:56 EST
Statement:

This issue did not affect the versions of icu as shipped with Red Hat Enterprise Linux 5, 6, and 7.
