CVE-2014-7940
published 2015-01-22
CVE-2014-7940: The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before…
Priority P432 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 2.07% (79.0th percentile)
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icu | < icu 52.1-7.1 (bookworm) | icu 52.1-7.1 (bookworm) |
| | chrome | <= 40.0.2214.85 | — |
| icu-project | international_components_for_unicode | <= 52.1 | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 10.0 CRITICAL
vendor_ubuntu · 10.0 CRITICAL
vendor_debian · 7.5 HIGH
vendor_redhat · 7.5 HIGH
GHSA
GHSA-68vq-gw26-p643: The collator implementation in i18n/ucol
ghsa_unreviewed·2022-05-14
CVE-2014-7940 [HIGH] GHSA-68vq-gw26-p643: The collator implementation in i18n/ucol
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
OSV
icu vulnerabilities
osv·2015-03-05·CVSS 10.0
CVE-2013-1569 [CRITICAL] icu vulnerabilities
icu vulnerabilities
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-6585,
CVE-2014-6591)
It was discovered that ICU incorrectly handled memory operations when
processing regular expressions. If a
OSV
oxide-qt vulnerabilities
osv·2015-01-26·CVSS 7.5
CVE-2014-7923 [HIGH] oxide-qt vulnerabilities
oxide-qt vulnerabilities
Several memory corruption bugs were discovered in ICU. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via renderer crash
or execute arbitrary code with the privileges of the sandboxed render
process. (CVE-2014-7923, CVE-2014-7926)
A use-after-free was discovered in the IndexedDB implementation. If a user
were tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
the program. (CVE-2014-7924)
A use-after-free was discovered in the WebAudio implementation in Blink.
If a user were tricked into opening a specially crafte
OSV
CVE-2014-7940: The collator implementation in i18n/ucol
osv·2015-01-22·CVSS 7.5
CVE-2014-7940 [HIGH] CVE-2014-7940: The collator implementation in i18n/ucol
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
Ubuntu
ICU vulnerabilities
vendor_ubuntu·2015-03-10·CVSS 10.0
CVE-2013-1569 [CRITICAL] ICU vulnerabilities
Title: ICU vulnerabilities
Summary: ICU could be made to crash or run programs as your login if it processed
specially crafted data.
USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font
patches caused a regression when using LibreOffice Calc. The patches have
now been updated to fix the regression.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly ha
Ubuntu
ICU regression
vendor_ubuntu·2015-03-06·CVSS 10.0
[CRITICAL] ICU regression
Title: ICU regression
Summary: USN-2522-1 introduced a regression in ICU.
USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font
patches caused a regression when using LibreOffice Calc. The patches have
been temporarily backed out until the regression is investigated.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly handled memory operations when
proc
Ubuntu
ICU vulnerabilities
vendor_ubuntu·2015-03-05·CVSS 10.0
CVE-2013-1569 [CRITICAL] ICU vulnerabilities
Title: ICU vulnerabilities
Summary: ICU could be made to crash or run programs as your login if it processed
specially crafted data.
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-6585,
CVE-2014
Ubuntu
Oxide vulnerabilities
vendor_ubuntu·2015-01-26·CVSS 7.5
CVE-2014-7923 [HIGH] Oxide vulnerabilities
Title: Oxide vulnerabilities
Summary: Several security issues were fixed in Oxide.
Several memory corruption bugs were discovered in ICU. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via renderer crash
or execute arbitrary code with the privileges of the sandboxed render
process. (CVE-2014-7923, CVE-2014-7926)
A use-after-free was discovered in the IndexedDB implementation. If a user
were tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
the program. (CVE-2014-7924)
A use-after-free was discovered in the WebAudio implementation in Bli
Red Hat
ICU: uninitialized value use in the collation component
vendor_redhat·2015-01-21·CVSS 7.5
CVE-2014-7940 [HIGH] ICU: uninitialized value use in the collation component
ICU: uninitialized value use in the collation component
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
Package: icu (Red Hat Enterprise Linux 5) - Will not fix
Package: icu (Red Hat Enterprise Linux 6) - Will not fix
Package: icu (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2014-7940: icu - The collator implementation in i18n/ucol.cpp in International Components for Uni...
vendor_debian·2014·CVSS 7.5
CVE-2014-7940 [HIGH] CVE-2014-7940: icu - The collator implementation in i18n/ucol.cpp in International Components for Uni...
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
Scope: local
bookworm: resolved (fixed in 52.1-7.1)
bullseye: resolved (fixed in 52.1-7.1)
forky: resolved (fixed in 52.1-7.1)
sid: resolved (fixed in 52.1-7.1)
trixie: resolved (fixed in 52.1-7.1)
No detection rules found.
No public exploits indexed.
http://advisories.mageia.org/MGASA-2015-0047.html
http://googlechromereleases.blogspot.com/2015/01/stable-update.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html
http://rhn.redhat.com/errata/RHSA-2015-0093.html
http://secunia.com/advisories/62383
http://secunia.com/advisories/62575
http://secunia.com/advisories/62665
http://security.gentoo.org/glsa/glsa-201502-13.xml
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/72288
http://www.securitytracker.com/id/1031623
http://www.ubuntu.com/usn/USN-2476-1
https://chromium.googlesource.com/chromium/deps/icu/+/866ff696e9022a6000afbab516fba62cfa306075
https://chromium.googlesource.com/chromium/src.git/+/87feb77547781a22b31c423bc0d57b7dca32d5b8
https://code.google.com/p/chromium/issues/detail?id=433866
https://security.gentoo.org/glsa/201503-06
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Published 2015-01-22