CVE-2014-9654
published 2017-04-24CVE-2014-9654: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91…
PriorityP337critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
2.42%
82.1th percentile
The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icu | < icu 52.1-7.1 (bookworm) | icu 52.1-7.1 (bookworm) |
| chrome | <= 40.0.2214.85 | — | |
| icu-project | international_components_for_unicode | < 55.1 | 55.1 |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv10.0CRITICAL
vendor_ubuntu10.0CRITICAL
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7p8r-35pv-r5w2: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2014-9654 [HIGH] CWE-119 GHSA-7p8r-35pv-r5w2: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40
The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
OSV
CVE-2014-9654: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40
osv·2017-04-24·CVSS 7.5
CVE-2014-9654 [HIGH] CVE-2014-9654: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40
The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
OSV
icu vulnerabilities
osv·2015-03-05·CVSS 10.0
CVE-2013-1569 [CRITICAL] icu vulnerabilities
icu vulnerabilities
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-6585,
CVE-2014-6591)
It was discovered that ICU incorrectly handled memory operations when
processing regular expressions. If a
Ubuntu
ICU vulnerabilities
vendor_ubuntu·2015-03-10·CVSS 10.0
CVE-2013-1569 [CRITICAL] ICU vulnerabilities
Title: ICU vulnerabilities
Summary: ICU could be made to crash or run programs as your login if it processed
specially crafted data.
USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font
patches caused a regression when using LibreOffice Calc. The patches have
now been updated to fix the regression.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly ha
Ubuntu
ICU regression
vendor_ubuntu·2015-03-06·CVSS 10.0
[CRITICAL] ICU regression
Title: ICU regression
Summary: USN-2522-1 introduced a regression in ICU.
USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font
patches caused a regression when using LibreOffice Calc. The patches have
been temporarily backed out until the regression is investigated.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly handled memory operations when
proc
Ubuntu
ICU vulnerabilities
vendor_ubuntu·2015-03-05·CVSS 10.0
CVE-2013-1569 [CRITICAL] ICU vulnerabilities
Title: ICU vulnerabilities
Summary: ICU could be made to crash or run programs as your login if it processed
specially crafted data.
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)
It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-6585,
CVE-2014
Red Hat
icu: insufficient size limit checks in regular expression compiler
vendor_redhat·2015-01-21·CVSS 7.5
CVE-2014-9654 [HIGH] icu: insufficient size limit checks in regular expression compiler
icu: insufficient size limit checks in regular expression compiler
The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
Package: icu (Red Hat Enterprise Linux 5) - Under investigation
Package: icu (Red Hat Enterprise Linux 6) - Will not fix
Package: icu (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2014-9654: icu - The Regular Expressions package in International Components for Unicode (ICU) fo...
vendor_debian·2014·CVSS 7.5
CVE-2014-9654 [HIGH] CVE-2014-9654: icu - The Regular Expressions package in International Components for Unicode (ICU) fo...
The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
Scope: local
bookworm: resolved (fixed in 52.1-7.1)
bullseye: resolved (fixed in 52.1-7.1)
forky: resolved (fixed in 52.1-7.1)
sid: resolved (fixed in 52.1-7.1)
trixie: resolved (fixed in 52.1-7.1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-9654 icu: insufficient size limit checks in regular expression compiler
bugzilla·2015-02-06·CVSS 9.8
CVE-2014-9654 [CRITICAL] CVE-2014-9654 icu: insufficient size limit checks in regular expression compiler
CVE-2014-9654 icu: insufficient size limit checks in regular expression compiler
An unspecified overlow vulnerability was fixed in ICU [1] and Chrome browser [2][3].
[1]: http://bugs.icu-project.org/trac/changeset/36801
[2]: https://code.google.com/p/chromium/issues/detail?id=432209
[3]: https://chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5
Discussion:
Created mingw-icu tracking bugs for this issue:
Affects: fedora-all [bug 1190132]
Affects: epel-7 [bug 1190133]
---
Created icu tracking bugs for this issue:
Affects: fedora-all [bug 1190131]
---
This issue was previously grouped with other Chrome issues under the Google Chrome CVE-2015-1205. Bug 1185282 comment 1 lists information that is currently public about this flaw:
Chrome upstream b
Bugzilla
CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 mingw-icu: various flaws [epel-7]
bugzilla·2015-02-06·CVSS 7.5
CVE-2014-7926 [HIGH] CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 mingw-icu: various flaws [epel-7]
CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 mingw-icu: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for mingw-icu: see blocks bug lis
Bugzilla
CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 icu: various flaws [fedora-all]
bugzilla·2015-02-06·CVSS 7.5
CVE-2014-7926 [HIGH] CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 icu: various flaws [fedora-all]
CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 icu: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedo
Bugzilla
CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 mingw-icu: various flaws [fedora-all]
bugzilla·2015-02-06·CVSS 7.5
CVE-2014-7926 [HIGH] CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 mingw-icu: various flaws [fedora-all]
CVE-2014-7926 CVE-2014-9654 CVE-2014-7923 mingw-icu: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2015-1205 chromium-browser: multiple unspecified vulnerabilities
bugzilla·2015-01-23·CVSS 9.8
CVE-2015-1205 [CRITICAL] CVE-2015-1205 chromium-browser: multiple unspecified vulnerabilities
CVE-2015-1205 chromium-browser: multiple unspecified vulnerabilities
Common Vulnerabilities and Exposures assigned an identifier CVE-2015-1205 to
the following vulnerability:
Name: CVE-2015-1205
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1205
Assigned: 20150121
Reference: https://code.google.com/p/chromium/issues/detail?id=449894
Multiple unspecified vulnerabilities in Google Chrome before
40.0.2214.91 allow attackers to cause a denial of service or possibly
have other impact via unknown vectors.
Discussion:
Upstream bug linked in comment 0 contains long list of other upstream bugs for random fixes applied in this Chrome update. One of the issues is:
https://code.google.com/p/chromium/issues/detail?id=432209
This bug is currently non-public, but it can be tracked to
http://bugs.icu-project.org/trac/changeset/36801http://bugs.icu-project.org/trac/ticket/11371http://openwall.com/lists/oss-security/2015/02/05/15http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlhttp://www.securitytracker.com/id/1035410https://chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5https://code.google.com/p/chromium/issues/detail?id=432209https://security.gentoo.org/glsa/201503-06https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttp://bugs.icu-project.org/trac/changeset/36801http://bugs.icu-project.org/trac/ticket/11371http://openwall.com/lists/oss-security/2015/02/05/15http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlhttp://www.securitytracker.com/id/1035410https://chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5https://code.google.com/p/chromium/issues/detail?id=432209https://security.gentoo.org/glsa/201503-06https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
2017-04-24
Published