
CERT Coordination Center

ICU Project ICU4C library contains multiple overflow vulnerabilities

Vulnerability Note VU#602540

Original Release Date: 2015-05-04 | Last Revised: 2015-08-03

Overview

ICU Project ICU4C library, versions 52 through 54, contains a heap-based buffer overflow and an integer overflow.

Description

The ICU Project describes ICU as "a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications."

CWE-122: Heap-based Buffer Overflow - CVE-2014-8146

Multiple out-of-bounds writes may occur in the resolveImplicitLevels function of ubidi.c in affected versions of ICU4C.

CWE-190: Integer Overflow or Wraparound - CVE-2014-8147

An integer overflow may occur in the resolveImplicitLevels function of ubidi.c in affected versions of ICU4C due to the assignment of an int32 value to an int16 type.

Both issues may lead to denial of service and the possibility of code execution. For more details, refer to Pedro Ribeiro's disclosure.
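The CWE-190 issue above is an int32 value being stored into an int16. The following added example (not ICU code, and not the reporter's material) shows in isolation why that pattern matters: the narrowed value silently wraps, so a hypothetical capacity check performed on the narrowed field can accept a count that should have been rejected, while a range-validated narrowing rejects it. The function names, the capacity of 1000 and the count of 65540 are constructed for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked narrowing: the CWE-190 pattern the note describes (an int32 value
 * assigned to int16). On gcc/clang the value wraps modulo 2^16, so 65540
 * becomes 4 and 40000 becomes -25536; C calls the result implementation-defined. */
int16_t narrow_unchecked(int32_t v) {
    return (int16_t)v;
}

/* Checked narrowing: succeeds only when v fits an int16_t. */
bool narrow_checked(int32_t v, int16_t *out) {
    if (v < INT16_MIN || v > INT16_MAX) return false;
    *out = (int16_t)v;
    return true;
}

bool fits_int16(int32_t v) {
    int16_t unused;
    return narrow_checked(v, &unused);
}

/* Hypothetical capacity check that a silent wrap defeats: a 32-bit count is
 * stored in a 16-bit field and the stored field is compared with the buffer
 * capacity. With count = 65540 and capacity = 1000 it wrongly returns true. */
bool accepts_after_unchecked_narrow(int32_t count, int32_t capacity) {
    int16_t stored = narrow_unchecked(count);
    return stored >= 0 && stored <= capacity;
}

/* Same check done safely: validate the range before narrowing, so an oversized
 * count is rejected instead of wrapping to a small, in-range value. */
bool accepts_after_checked_narrow(int32_t count, int32_t capacity) {
    int16_t stored;
    if (!narrow_checked(count, &stored)) return false;
    return stored >= 0 && stored <= capacity;
}

int main(void) {
    const int32_t capacity = 1000, count = 65540;   /* constructed sample values */
    printf("unchecked: %s\n", accepts_after_unchecked_narrow(count, capacity) ? "accepted" : "rejected");
    printf("checked:   %s\n", accepts_after_checked_narrow(count, capacity) ? "accepted" : "rejected");
    return 0;
}
```

Compiling with `-Wconversion` flags the implicit form of this assignment; the explicit cast in `narrow_unchecked` is kept only so the wrap is visible.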

Impact

An attacker may be able to provide input that triggers one or both overflow vulnerabilities, leading to denial of service and the possibility of code execution.

Solution

Apply an update

These issues have been addressed in ICU4C version 55.1. Developers are encouraged to update applications that make use of affected versions of ICU4C. Users of affected products should check with product vendors for updates that utilize a patched version of ICU4C.

Vendor Information


Debian GNU/Linux

Notified: April 30, 2015 | Updated: August 03, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.debian.org/security/2015/dsa-3323

FreeBSD Project

Notified: April 30, 2015 | Updated: May 01, 2015

Statement Date: April 30, 2015

Status

  Affected

Vendor Statement

Thanks for the notification. We believe this has already been addressed in FreeBSD about a week ago:

https://svnweb.freebsd.org/ports?view=revision&revision=384614

Prior to that we were affected, as the previous ICU version was 53.1.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://svnweb.freebsd.org/ports?view=revision&revision=384614

ICU Project

Notified: April 24, 2015 | Updated: May 04, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://site.icu-project.org/download

Addendum

ICU4C versions 52 through 54 are affected by these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SAP

Notified: April 30, 2015 | Updated: May 07, 2015

Statement Date: May 06, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Adobe

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Amazon

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apache HTTP Server Project

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

BAE Systems

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Business Objects

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Dell Computer Corporation, Inc.

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Eclipse Foundation Inc

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Environmental Systems Research Institute Inc

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett-Packard Company

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Mandriva S. A.

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Mozilla

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenOffice.org

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Progress Software, Inc.

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sybase

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Trend Micro

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Yahoo, Inc.

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

eBay

Notified: April 30, 2015 | Updated: April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           4.4    AV:L/AC:M/Au:N/C:P/I:P/A:P
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  3.4    CDP:N/TD:H/CR:ND/IR:ND/AR:ND

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-8146, CVE-2014-8147
Date Public: 2015-05-04
Date First Published: 2015-05-04
Date Last Updated: 2015-08-03 14:03 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.