CVE-2016-6293

Published: 25 July 2016

The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
icu
Launchpad, Ubuntu, Debian
Upstream
Released (57.1-4)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (55.1-7ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (52.1-3ubuntu0.5)
Patches:
Upstream: https://ssl.icu-project.org/trac/changeset/39109