Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Category : Numeric Errors Weaknesses in this category are related to improper calculation or conversion of numbers. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 43887
Publication date : 2015-06-09 22h00 +00:00
Author : Pedro Ribeiro
EDB Verified : No
>> Heap overflow and integer overflow in ICU library (v52 to v54)
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
=================================================================================
Disclosure: 04/05/2015 / Last updated: 07/05/2015
>> Background on the affected products:
ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. ICU is widely portable and gives applications the same results on all platforms and between C/C++ and Java software.
>> Summary:
While fuzzing LibreOffice an integer overflow and a heap overflow were found in the ICU library. This library is used by LibreOffice and hundreds of other software packages.
Proof of concept files can be downloaded from [1]. These files have been tested with LibreOffice 4.3.3.2 and LibreOffice 4.4.0-beta2 and ICU 52.
Note that at this point in time it is unknown whether these vulnerabilities are exploitable.
Thanks to CERT [2] for helping disclose these vulnerabilities.
>> Technical details:
#1
Vulnerability: Heap overflow
CVE-2014-8146
The code to blame is the following (from ubidi.c:2148 in ICU 52):
dirProp=dirProps[limit-1];
if((dirProp==LRI || dirProp==RLI) && limit<pBiDi->length) {
pBiDi->isolateCount++;
pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp;
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
pBiDi->isolates[pBiDi->isolateCount].start1=start1;
}
else
processPropertySeq(pBiDi, &levState, eor, limit, limit);
Under certain conditions isolateCount is incremented too many times, which results in several out of bounds writes. See [1] for a more detailed analysis.
#2
Vulnerability: Integer overflow
CVE-2014-8147
The overflow is on the resolveImplicitLevels function (ubidi.c:2248):
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
pBiDi->isolates[].state is a int16, while levState.state is a int32.
The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[].
The Isolate struct is defined in ubidiimp.h:184
typedef struct Isolate {
int32_t startON;
int32_t start1;
int16_t stateImp;
int16_t state;
} Isolate;
LevState is defined in ubidi.c:1748
typedef struct {
const ImpTab * pImpTab; /* level table pointer */
const ImpAct * pImpAct; /* action map array */
int32_t startON; /* start of ON sequence */
int32_t startL2EN; /* start of level 2 sequence */
int32_t lastStrongRTL; /* index of last found R or AL */
int32_t state; /* current state */
int32_t runStart; /* start position of the run */
UBiDiLevel runLevel; /* run level before implicit solving */
} LevState;
>> Fix:
All ICU releases between 52 and 54 are affected. Upgrade to ICU 55.1 to fix these vulnerabilities.
There are many other software packages which embed the ICU code and will need to be updated.
Patches that fix these vulnerabilities can be obtained from the ICU project in [3] and [4].
>> References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z (EDB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43887.zip)
[2] https://www.kb.cert.org/vuls/id/602540
[3] http://bugs.icu-project.org/trac/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
Products Mentioned
Configuraton 0
Apple>>Mac_os_x >> Version To (including) 10.10.4
- Apple>>Mac_os_x >> Version - (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.0.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.0.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.0.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.0.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.0.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.1.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.1.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.1.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.1.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.1.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.1.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.6 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.7 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.2.8 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.6 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.7 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.8 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.3.9 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.6 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.7 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.8 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.9 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.10 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.4.11 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.6 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.7 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.5.8 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.6 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.7 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.6.8 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.7.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.7.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.7.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.7.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.7.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.7.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.8.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.8.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.8.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.8.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.8.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.8.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.8.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.9 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.9.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.9.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.9.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.9.4 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.9.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.9.5 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.10.0 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.10.1 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.10.2 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.10.3 (Open CPE detail)
- Apple>>Mac_os_x >> Version 10.10.4 (Open CPE detail)
Apple>>Watchos >> Version To (including) 1.0.1
- Apple>>Watchos >> Version - (Open CPE detail)
- Apple>>Watchos >> Version 1.0 (Open CPE detail)
- Apple>>Watchos >> Version 1.0.1 (Open CPE detail)
Configuraton 0
Icu-project>>International_components_for_unicode >> Version To (excluding) 55.1
- Icu-project>>International_components_for_unicode >> Version 1.4 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.4.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.4.1.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.4.1.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.4.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.5 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.6 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.7 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.8 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 1.8.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.0 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.0.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.0.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.4 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.6 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.6.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.6.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 2.8 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.0 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.2.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.4 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.4.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.6 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.8 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 3.8.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.0 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.0.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.2.0.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.4.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.4.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.4.2.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.6 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.6.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.8 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.8.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 4.8.1.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 49.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 49.1.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 49.1.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 50.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 50.1.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 50.1.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 50.1.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 50.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 51.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 51.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 51.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 51.3 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 52.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 52.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 52.1.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 52.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 53.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 53.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 53.2 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 54.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 54.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 54.1.1 (Open CPE detail)
- Icu-project>>International_components_for_unicode >> Version 54.2 (Open CPE detail)
References
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Tags : x_refsource_MISC
Tags : x_refsource_MISC
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
Tags : mailing-list, x_refsource_MLIST
Tags : mailing-list, x_refsource_MLIST
2025©
tesweb SA
