CVE-2017-17484
Published: 2017-12-10
Priority: P3 (40) · critical 9.8 (CVSS 3.0)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.61% (90.5th percentile)
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icu | — | — |
| icu-project | international_components_for_unicode | <= 60.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
GHSA-84mq-mqjx-rfmc: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp (ghsa_unreviewed · 2022-05-14)
CVE-2017-17484 [CRITICAL] CWE-119
Description: same text as the NVD description above.
Red Hat
icu: stack-based buffer overflow in ucnv_u8.cpp:ucnv_UTF8FromUTF8 can lead to denial of service (vendor_redhat · 2017-11-21 · CVSS 9.8)
CVE-2017-17484 [CRITICAL] CWE-121
Description: same text as the NVD description above.
Statement: This issue did not affect the versions of icu as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Package: icu (Red Hat Enterprise Linux 5) - Not affected
Package: icu (Red Hat Enterprise Linux 6) - Not affected
Package: icu (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2017-17484: icu - The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Un... (vendor_debian · 2017 · CVSS 9.8)
CVE-2017-17484 [CRITICAL]
Description: same text as the NVD description above.
Scope: local
Release status:
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
Backport CVE-2017-15422 to ESR52 (bugzilla · 2018-03-29 · CVSS 6.5)
CVE-2017-15422 [MEDIUM]
Today, I noticed that Ubuntu updated its copy of ICU 57 to include the fix for CVE-2017-15422. From what I can tell, this was an integer overflow bug which was fixed late last year:
https://ssl.icu-project.org/trac/changeset/40654
Fx59+ are already fixed via the ICU 60.1 update. However, ESR52 is using ICU 58.2 still and is vulnerable from what I can tell.
Discussion:
Might not be a bad idea to look for any other ICU security backports that might have landed since 58.2 was shipped too.
---
(In reply to Ryan VanderMeulen [:RyanVM] from comment #0)
> However, ESR52 is using ICU 58.2 still and is vulnerable from what I can tell.
Do we know any details about the severity of the vulnerability? For example, can it be used for remote code execution, etc.?
Bugzilla
CVE-2017-17484 icu: stack-based buffer overflow in ucnv_u8.cpp:ucnv_UTF8FromUTF8 can lead to denial of service [fedora-all] (bugzilla · 2017-12-12 · CVSS 9.8)
CVE-2017-17484 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE:
Bugzilla
CVE-2017-17484 icu: stack-based buffer overflow in ucnv_u8.cpp:ucnv_UTF8FromUTF8 can lead to denial of service (bugzilla · 2017-12-12 · CVSS 9.8)
CVE-2017-17484 [CRITICAL]
Description: same text as the NVD description above.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17484
http://www.cvedetails.com/cve/CVE-2017-17484/
https://ssl.icu-project.org/trac/ticket/13490
https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.cpp
https://ssl.icu-project.org/trac/ticket/13510
https://ssl.icu-project.org/trac
https://github.com/znc/znc/issues/1459
https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.cpp
https://ssl.icu-project.org/trac/changeset/40714
https://ssl.icu-project.org/trac/changeset/40715
https://ssl.icu-project.org/trac/ticket/13490
https://ssl.icu-project.org/trac/ticket/13510
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Published: 2017-12-10