CVE-2014-8147
published 2015-05-25
Priority: P3 · 57 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 23.35% (97.5th percentile)
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_9 | — | — |
| apple | itunes | — | — |
| apple | mac_os_x | <= 10.10.4 | — |
| apple | os_x_el_capitan_v10.11 | — | — |
| apple | watchos | <= 1.0.1 | — |
| apple | watchos_2 | — | — |
| debian | icu | < icu 52.1-9 (bookworm) | icu 52.1-9 (bookworm) |
| icu-project | international_components_for_unicode | < 55.1 | 55.1 |
Detection & IOCs
- The vulnerability is triggered in the resolveImplicitLevels function in common/ubidi.c at line 2248 (ICU 52), where pBiDi->isolates[].state (int16_t) is assigned from levState.state (int32_t), causing integer truncation. Monitor for crashes or unexpected malloc/free errors in ICU-linked processes when processing bidirectional text.
- The vulnerability can be triggered via crafted text processed by any application embedding ICU versions 52 through 54. Look for application crashes with 'incorrect malloc followed by invalid free' patterns in ICU-linked software (e.g., LibreOffice, browsers, OS components).
- The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[]. Heap corruption indicators in memory forensics near the insertPoints structure should be investigated.
- All ICU releases between versions 52 and 54 (inclusive) are affected. ICU 55.1 contains the fix. Many software packages embed ICU code and require independent updates.
- Red Hat has marked this CVE as 'Will not fix' across multiple products including RHEL 5, 6, 7, Red Hat Directory Server 8, and Red Hat OpenShift Enterprise 2.
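CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |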
Ubuntu
ICU vulnerabilities
vendor_ubuntu·2015-05-11
CVE-2014-8146 ICU vulnerabilities
Title: ICU vulnerabilities
Summary: ICU could be made to crash or run programs as your login if it processed
specially crafted data.
Pedro Ribeiro discovered that ICU incorrectly handled certain memory
operations when processing data. If an application using ICU processed
crafted data, an attacker could cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
icu: integer truncation in the resolveImplicitLevels function
vendor_redhat·2015-05-05·CVSS 7.5
CVE-2014-8147 [HIGH] CWE-190 icu: integer truncation in the resolveImplicitLevels function
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
Package: icu (Red Hat Directory Server 8) - Will not fix
Package: icu (Red Hat Enterprise Linux 5) - Will not fix
Package: icu (Red Hat Enterprise Linux 6) - Will not fix
Package: icu (Red Hat Enterprise Linux 7) - Will not fix
Package: icu (Red Hat OpenShift Enterprise 2) - Will not fix
Debian
CVE-2014-8147: icu - The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectiona...
vendor_debian·2014·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147: icu - The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectiona...
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
Scope: local
bookworm: resolved (fixed in 52.1-9)
bullseye: resolved (fixed in 52.1-9)
forky: resolved (fixed in 52.1-9)
sid: resolved (fixed in 52.1-9)
trixie: resolved (fixed in 52.1-9)
Apple
CVE-2014-8147: iTunes 12.3
vendor_apple·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147: iTunes 12.3
Apple Security Update: About the security content of iTunes 12.3
Product: iTunes
Version: 12.3
CVE: CVE-2014-8147
Component: CVE-ID
Impact: Opening a media file may lead to arbitrary code execution
Description: A security issue existed in Microsoft Foundation Class's handling of library loading. This issue was addressed by updating to the latest version of the Microsoft Visual C++ Redistributable Package.
Apple
CVE-2014-8147: OS X El Capitan v10.11
vendor_apple·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147: OS X El Capitan v10.11
Apple Security Update: About the security content of OS X El Capitan v10.11
Product: OS X El Capitan v10.11
CVE: CVE-2014-8147
Component: CVE-ID
Apple
CVE-2014-8147: iOS 9
vendor_apple·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147: iOS 9
Apple Security Update: About the security content of iOS 9
Product: iOS 9
CVE: CVE-2014-8147
Component: CVE-ID
Apple
CVE-2014-8147: watchOS 2
vendor_apple·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147: watchOS 2
Apple Security Update: About the security content of watchOS 2
Product: watchOS 2
CVE: CVE-2014-8147
Component: CVE-ID
GHSA
GHSA-94pf-226p-r5p9: The resolveImplicitLevels function in common/ubidi
ghsa_unreviewed·2022-05-14
CVE-2014-8147 [HIGH] GHSA-94pf-226p-r5p9: The resolveImplicitLevels function in common/ubidi
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
OSV
CVE-2014-8147: The resolveImplicitLevels function in common/ubidi
osv·2015-05-25·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147: The resolveImplicitLevels function in common/ubidi
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
No detection rules found.
Bugzilla
ICU: integer overflow via incorrect state size
bugzilla·2015-05-18·CVSS 7.5
CVE-2014-8147 [HIGH] ICU: integer overflow via incorrect state size
An unspecified integer overflow via incorrect state size was fixed in Debian's ICU package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773
Discussion:
Hi Martin,
(In reply to Martin Prpic from comment #0)
> An unspecified integer overflow via incorrect state size was fixed in
> Debian's ICU package:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773
Should that be CVE-2014-8147? The bug subject in the Debian BTS referred to CVE-2015-8146 and CVE-2015-8147 but the assigned CVEs seem to be CVE-2014-8146 and CVE-2014-8147.
https://marc.info/?l=oss-security&m=143081399320763&w=2
Regards,
Salvatore
---
Exactly, these do look like CVE id typos (2014 vs. 2015). Can you get the Debian side cleaned-up?
---
Duplicate of b
Bugzilla
CVE-2014-8147 CVE-2014-8146 icu: various flaws [fedora-all]
bugzilla·2015-05-06·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147 CVE-2014-8146 icu: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
Bugzilla
CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
bugzilla·2014-12-19·CVSS 7.5
CVE-2014-8147 [HIGH] CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
An integer overflow was found in ICU's resolveImplicitLevels function. The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[].
Additional details:
https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt
Discussion:
Created icu tracking bugs for this issue:
Affects: fedora-all [bug 1218901]
---
Upstream commit:
http://bugs.icu-project.org/trac/changeset/37080
---
*** Bug 1222455 has been marked as a duplicate of this bug. ***
- http://bugs.icu-project.org/trac/changeset/37080
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://openwall.com/lists/oss-security/2015/05/05/6
- http://seclists.org/fulldisclosure/2015/May/14
- http://www.debian.org/security/2015/dsa-3323
- http://www.kb.cert.org/vuls/id/602540
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.securityfocus.com/bid/74457
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt
- https://security.gentoo.org/glsa/201507-04
- https://support.apple.com/HT205213
- https://support.apple.com/HT205267
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Published: 2015-05-25