A stack-based buffer overflow flaw was found in the way ICU, the tools and utilities for developing with International Components for Unicode, performed variant canonicalization for the given locale identifier. A remote attacker could provide a specially-crafted locale representation, which once opened by an unsuspecting, local user in an application, linked against ICU library, could lead to crash of that application or possibly execute arbitrary code with the permissions of the user running the application. References: [1] http://bugs.icu-project.org/trac/ticket/8984 (upstream ticket) [2] http://crbug.com/106441 (Google Chrome bug, not public) [3] http://codereview.chromium.org/8822005/ (Google Chrome code review entry) [4] http://codereview.chromium.org/8822005/patch/6001/7002 (Google Chrome patch) [5] http://www.openwall.com/lists/oss-security/2011/12/09/2 (CVE Request)
This issue was assigned the name CVE-2011-4599: http://seclists.org/oss-sec/2011/q4/490
This issue affects the version of icu as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the version of icu as shipped with Fedora release 15 and 16.
Created attachment 545647 [details] stashing RHEL-5 backport of equivalent fix
Created icu tracking bugs for this issue Affects: fedora-all [bug 766542]
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2011:1815 https://rhn.redhat.com/errata/RHSA-2011-1815.html
check this issues is there any test case for this issues?
for this issues is there any test case?
The only information available is http://bugs.icu-project.org/trac/ticket/8984 and the patch attached there http://bugs.icu-project.org/trac/attachment/ticket/8984/canonicalize2.patch and the code mentioned http://bugs.icu-project.org/trac/browser/icu/trunk/source/common/uloc.cpp#L1808 From the code it looks like one would have to pass an oversized locale string with a variant set (that if stripped either leaves an empty or still oversized string) to the internal _canonicalize() function with a _ULOC_CANONICALIZE option set.
Is there any existing ICU test sample to verify this fix?