
CERT Coordination Center

ICU Project ICU4C library contains multiple overflow vulnerabilities

Vulnerability Note VU#602540

Original Release Date: 2015-05-04 | Last Revised: 2015-08-03

Overview

ICU Project ICU4C library, versions 52 through 54, contains a heap-based buffer overflow and an integer overflow.

Description

The ICU Project describes ICU as "a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications."

CWE-122: Heap-based Buffer Overflow - CVE-2014-8146

Multiple out-of-bounds writes may occur in the resolveImplicitLevels function of ubidi.c in affected versions of ICU4C.

CWE-190: Integer Overflow or Wraparound - CVE-2014-8147

An integer overflow may occur in the resolveImplicitLevels function of ubidi.c in affected versions of ICU4C because an int32 value is assigned to an int16 variable, silently truncating it.

Both issues may lead to denial of service and the possibility of code execution. For more details, refer to Pedro Ribeiro's disclosure.
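The two CWEs above are one bug class seen from two sides: a run boundary computed as int32 is stored in an int16, the stored value wraps, and the wrapped value is then used as an index into a heap buffer. The following is an added illustration written for this note; it is not code from ICU4C, from ubidi.c, or from Pedro Ribeiro's disclosure. The data structure, the function names and the 40000-unit input are hypothetical. It shows the narrowing, the out-of-bounds index it produces, and a checked variant that keeps the full-width type and validates the run against the allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <limits.h>

/* Constructed example, not ICU's code. It models a BiDi-style pass that
 * assigns a level to each code unit in the run [start, limit) of a text of
 * `length` units, and stores the run end in an int16_t, the int32 -> int16
 * assignment the CVE-2014-8147 description names. Every identifier here is
 * hypothetical; nothing below is taken from ubidi.c. */

typedef struct {
    uint8_t *levels;   /* one level per code unit, heap-allocated */
    int32_t  length;   /* number of code units */
} levels_buf;

levels_buf *levels_new(int32_t length) {
    if (length < 0) return NULL;
    levels_buf *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->levels = calloc((size_t)length, 1);
    if (!b->levels) { free(b); return NULL; }
    b->length = length;
    return b;
}

void levels_free(levels_buf *b) {
    if (b) { free(b->levels); free(b); }
}

/* The run end as the pass sees it after the narrowing assignment. Conversion
 * of an out-of-range value to int16_t is implementation-defined in C; every
 * mainstream compiler wraps modulo 2^16, so 40000 becomes -25536. */
int32_t narrowed_limit(int32_t limit) {
    int16_t stored = limit;            /* CWE-190: implicit truncation */
    return stored;
}

/* Vulnerable pattern: index of "the last unit of the run" derived from the
 * narrowed end. For limit >= 32768 it is negative, i.e. a write before the
 * start of the heap allocation (CWE-122) in code that never range-checks it. */
int32_t last_index_vulnerable(int32_t limit) {
    int16_t stored = limit;
    return stored - 1;
}

/* 1 when idx is a valid index into b->levels. */
int in_bounds(const levels_buf *b, int32_t idx) {
    return idx >= 0 && idx < b->length;
}

/* 1 when the vulnerable index for `limit` falls outside a text of `length`
 * units, 0 when it happens to stay inside, -1 on allocation failure. */
int narrowed_index_is_oob(int32_t length, int32_t limit) {
    levels_buf *b = levels_new(length);
    if (!b) return -1;
    int oob = !in_bounds(b, last_index_vulnerable(limit));
    levels_free(b);
    return oob;
}

/* Hardened pattern: keep the full-width type end to end and validate the run
 * against the allocation before writing. Returns the number of units
 * resolved, or -1 if the run is rejected. */
int32_t resolve_run_checked(levels_buf *b, int32_t start, int32_t limit, uint8_t level) {
    if (b == NULL || start < 0 || limit < start || limit > b->length) return -1;
    for (int32_t i = start; i < limit; i++) b->levels[i] = level;
    return limit - start;
}

/* Runs one text of 40000 units (hypothetical input, > INT16_MAX) through both
 * paths; returns 0 when the hardened path resolved every unit and the
 * vulnerable index was out of bounds. */
int demo(void) {
    const int32_t length = 40000;
    levels_buf *b = levels_new(length);
    if (!b) return 1;
    int oob = !in_bounds(b, last_index_vulnerable(length));
    int32_t done = resolve_run_checked(b, 0, length, 1);
    printf("narrowed limit %d -> index %d (%s); checked path resolved %d units\n",
           narrowed_limit(length), last_index_vulnerable(length),
           oob ? "out of bounds" : "in bounds", done);
    levels_free(b);
    return (oob && done == length) ? 0 : 1;
}

int main(void) { return demo(); }
```

Compiling this with `-Wconversion` (gcc or clang) flags the two `int16_t stored = limit;` lines, and clang's `-fsanitize=implicit-integer-truncation` reports the wrap at run time; both are silent on an explicit `(int16_t)` cast, so an audit for this bug class has to read the casts by hand as well.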

Impact

An attacker may be able to provide input that triggers one or both overflow vulnerabilities, leading to denial of service and the possibility of code execution.

Solution

Apply an update

These issues have been addressed in ICU4C version 55.1. Developers are encouraged to update applications that make use of affected versions of ICU4C. Users of affected products should check with product vendors for updates that utilize a patched version of ICU4C.

Vendor Information


Debian GNU/Linux

Notified:  April 30, 2015 Updated:  August 03, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

FreeBSD Project

Notified:  April 30, 2015 Updated:  May 01, 2015

Statement Date:   April 30, 2015

Status

  Affected

Vendor Statement

Thanks for the notification.  We believe this has already been
addressed in FreeBSD about a week ago:

https://svnweb.freebsd.org/ports?view=revision&revision=384614

Prior to that we were affected, as the previous icu version was 53.1.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

ICU Project

Notified:  April 24, 2015 Updated:  May 04, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

ICU4C versions 52 through 54 are affected by these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SAP

Notified:  April 30, 2015 Updated:  May 07, 2015

Statement Date:   May 06, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Adobe

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Amazon

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Apache HTTP Server Project

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Apple

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Avaya, Inc.

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

BAE Systems

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Business Objects

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Dell Computer Corporation, Inc.

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Eclipse Foundation Inc

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Environmental Systems Research Institute Inc

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Gentoo Linux

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Google

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett-Packard Company

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Intel Corporation

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mandriva S. A.

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mozilla

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenOffice.org

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Progress Software, Inc.

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SUSE Linux

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sybase

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Trend Micro

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Yahoo, Inc.

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

eBay

Notified:  April 30, 2015 Updated:  April 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group          Score   Vector
Base           4.4     AV:L/AC:M/Au:N/C:P/I:P/A:P
Temporal       3.4     E:POC/RL:OF/RC:C
Environmental  3.4     CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-8146, CVE-2014-8147
Date Public: 2015-05-04
Date First Published: 2015-05-04
Date Last Updated: 2015-08-03 14:03 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.