CVE-2015-1270

Published: 22 July 2015

The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU), as used in Google Chrome before 44.0.2403.89, mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file.

Notes

Author: mdeslaur
Note: patch is mis-applied in icu 55.1-4

Priority

Medium

Status

Package Release Status
chromium-browser
precise: Ignored
trusty: Does not exist (trusty was released [44.0.2403.89-0ubuntu0.14.04.1.1095])
upstream: Released (44.0.2403.89)
utopic: Needed
vivid: Released (44.0.2403.89-0ubuntu0.15.04.1.1177)
wily: Released (44.0.2403.89-0ubuntu1.1195)
Patches:
upstream: https://chromium.googlesource.com/chromium/deps/icu/+/f1ad7f9ba957571dc692ea3e187612c685615e19

icu
precise: Not vulnerable (code not present)
trusty: Released (52.1-3ubuntu0.4)
upstream: Needed
vivid: Released (52.1-8ubuntu0.2)
wily: Released (55.1-4ubuntu1)
Patches:

upstream: http://bugs.icu-project.org/trac/changeset/37486
oxide-qt
precise: Does not exist
trusty: Does not exist (trusty was released [1.8.4-0ubuntu0.14.04.1])
upstream: Released (1.8.4)
utopic: Needed
vivid: Released (1.8.4-0ubuntu0.15.04.1)
wily: Released (1.8.4-0ubuntu1)