Debian ICU vulnerabilities
37 known vulnerabilities affecting debian/icu.
Total CVEs: 37
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 13, MEDIUM 7, LOW 5
Vulnerabilities
CVE-2025-5222 [HIGH] CVSS 7.0, fixed in icu 72.1-3+deb12u1 (bookworm), 2025
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Scope: local
bookworm: resolved (fixed in 72.1-3+deb12u1)
bullseye: resolved (fixed in 67.1-7+deb11u1)
forky: resolved (
CVE-2021-30535 [HIGH] CVSS 8.8, fixed in chromium 93.0.4577.82-1 (bookworm), 2021
Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 93.0.4577.82-1)
bullseye: resolved (fixed in 93.0.4577.82-1)
forky: resolved (fixed in 93.0.4577.82-1)
sid: resolved (fixed in 93.0.4577.82-1)
trixie: resolved (fixed in 93.0.45
CVE-2020-10531 [HIGH] CVSS 8.8, fixed in icu 63.2-3 (bookworm), 2020
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Scope: local
bookworm: resolved (fixed in 63.2-3)
bullseye: resolved (fixed in 63.2-3)
forky: resolved (fixed in 63.2-3)
sid: resolved (fixed in
CVE-2020-21913 [MEDIUM] CVSS 5.5, fixed in icu 67.1-2 (bookworm), 2020
International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
Scope: local
bookworm: resolved (fixed in 67.1-2)
bullseye: resolved (fixed in 67.1-2)
forky: resolved (fixed in 67.1-2)
sid: resolved (fixed in 67.1-2)
trixie: resolved (fixed in 67.1-2
CVE-2018-18928 [CRITICAL] CVSS 9.8, fixed in icu 63.1-3 (bookworm), 2018
International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.
Scope: local
bookworm: resolved (fixed in 63.1-3)
bullseye: resolved (fixed in 63.1-3)
forky: resolved (fixed in 63.1-3)
sid: resolved (fixed in 63.1-3)
trixie: resolved (fixed in 63.1-3)
CVE-2017-14952 [CRITICAL] CVSS 9.8, fixed in icu 57.1-7 (bookworm), 2017
Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.
Scope: local
bookworm: resolved (fixed in 57.1-7)
bullseye: resolved (fixed in 57.1-7)
forky: resolved (fixed in 57.1-7)
sid: resolv
CVE-2017-7867 [HIGH] CVSS 7.5, fixed in icu 57.1-6 (bookworm), 2017
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.
Scope: local
bookworm: resolved (fixed in 57.1-6)
bullseye: resolved (fixed in 57.1-6)
forky: resolved (fixed in 57.1-6)
sid: resolved (fi
CVE-2017-7868 [HIGH] CVSS 7.5, fixed in icu 57.1-6 (bookworm), 2017
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.
Scope: local
bookworm: resolved (fixed in 57.1-6)
bullseye: resolved (fixed in 57.1-6)
forky: resolved (fixed in 57.1-6)
sid: resolved (fixed
CVE-2017-15422 [MEDIUM] CVSS 6.5, fixed in icu 57.1-9 (bookworm), 2017
Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 57.1-9)
bullseye: resolved (fixed in 57.1-9)
fo
CVE-2017-17484 [LOW] CVSS 9.8, 2017
CVE-2017-17484 [CRITICAL] CVE-2017-17484: icu - The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Un...
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated
CVE-2016-0494 [CRITICAL] CVSS 10.0, fixed in icu 57.1-4 (bookworm), 2016
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Scope: local
bookworm: resolved (fixed in 57.1-4)
bullseye: resolved (fixed in 57.1-4)
forky: resolved (fixed in 57.1
CVE-2016-6293 [CRITICAL] CVSS 9.8, fixed in icu 57.1-4 (bookworm), 2016
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcce
CVE-2016-7415 [CRITICAL] CVSS 9.8, fixed in icu 57.1-5 (bookworm), 2016
Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.
Scope: local
bookworm: resolved (fixed in 57.1-5)
bullseye: resolved (fixed in 57.1-5)
forky
CVE-2015-4760 [CRITICAL] CVSS 10.0, fixed in icu 52.1-10 (bookworm), 2015
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Scope: local
bookworm: resolved (fixed in 52.1-10)
bullseye: resolved (fixed in 52.1-10)
forky: resolved (fixed in 52.1-10)
sid: resolved (fixed in 52.1-10)
trixie: resolved (fixed in 52.1-10
CVE-2015-4844 [CRITICAL] CVSS 10.0, fixed in icu 57.1-1.1 (bookworm), 2015
Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Scope: local
bookworm: resolved (fixed in 57.1-1.1)
bullseye: resolved (fixed in 57.1-1.1)
forky: resolved (fixed in 57.1-1.1)
sid: resolved (fixed in 57.1-1.1)
t
CVE-2015-1270 [MEDIUM] CVSS 6.8, fixed in icu 55.1-5 (bookworm), 2015
The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU), as used in Google Chrome before 44.0.2403.89, mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file.
Scope: local
CVE-2015-2632 [MEDIUM] CVSS 5.0, fixed in icu 55.1-7 (bookworm), 2015
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D.
Scope: local
bookworm: resolved (fixed in 55.1-7)
bullseye: resolved (fixed in 55.1-7)
forky: resolved (fixed in 55.1-7)
sid: resolved (fixed in 55.1-7)
trixie: resolved (fixed in 55.1-7)
CVE-2014-9911 [CRITICAL] CVSS 9.8, fixed in icu 55.1-3 (bookworm), 2014
Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.
Scope: local
bookworm: resolved (fixed in 55.1-3)
bullseye: resolved (fixe
CVE-2014-8147 [HIGH] CVSS 7.5, PoC, fixed in icu 52.1-9 (bookworm), 2014
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary
CVE-2014-7923 [HIGH] CVSS 7.5, fixed in icu 52.1-7.1 (bookworm), 2014
The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression.
Scope: local
bookworm: resolved (fixed in 52.1-7.1)
bul