International Components for Unicode '_canonicalize( )' Memory Corruption Vulnerability
BID:51006
Info
| Bugtraq ID: | 51006 |
| Class: | Unknown |
| CVE: | CVE-2011-4599 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 09 2011 12:00AM |
| Updated: | Jul 06 2016 02:02PM |
| Credit: | falken |
| Vulnerable: |
Ubuntu Ubuntu Linux 11.10 i386
Ubuntu Ubuntu Linux 11.10 amd64
Ubuntu Ubuntu Linux 11.04 powerpc
Ubuntu Ubuntu Linux 11.04 i386
Ubuntu Ubuntu Linux 11.04 ARM
Ubuntu Ubuntu Linux 11.04 amd64
Ubuntu Ubuntu Linux 10.10 powerpc
Ubuntu Ubuntu Linux 10.10 i386
Ubuntu Ubuntu Linux 10.10 ARM
Ubuntu Ubuntu Linux 10.10 amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
Sun Solaris 11
Sun Solaris 10
RedHat Enterprise Linux Desktop Workstation 5 client
Red Hat Enterprise Linux Workstation Optional 6
Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Server Optional 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux HPC Node Optional 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Desktop Optional 6
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux 5 Server
Oracle Enterprise Linux 5
Mandriva Linux Mandrake 2011 x86_64
Mandriva Linux Mandrake 2011
Mandriva Linux Mandrake 2010.1 x86_64
Mandriva Linux Mandrake 2010.1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
ICU Project International Components for Unicode 0
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
Avaya IP Office Application Server 8.1
Avaya IP Office Application Server 8.0
Avaya IP Office Application Server 7.0
Avaya IP Office Application Server 6.1
Avaya IP Office Application Server 6.0
Avaya Aura System Manager 6.2
Avaya Aura System Manager 6.1.3
Avaya Aura System Manager 6.1.2
Avaya Aura System Manager 6.1.1
Avaya Aura System Manager 6.1 SP2
Avaya Aura System Manager 6.1 Sp1
Avaya Aura System Manager 6.1
Avaya Aura Session Manager 6.1.3
Avaya Aura Session Manager 6.1.2
Avaya Aura Session Manager 6.1.1
Avaya Aura Session Manager 6.2
Avaya Aura Session Manager 6.1 SP2
Avaya Aura Session Manager 6.1 Sp1
Avaya Aura Session Manager 6.1
Avaya Aura Session Manager 6.0 SP1
Avaya Aura Session Manager 6.0
Avaya Aura Session Manager 5.2 SP2
Avaya Aura Session Manager 5.2 SP1
Avaya Aura Session Manager 5.2
Avaya Aura Session Manager 1.1
Avaya Aura Session Manager 1.0
Apple Mac Os X Server 10.7.3
Apple Mac Os X Server 10.7.2
Apple Mac Os X Server 10.7.1
Apple Mac Os X Server 10.7
Apple Mac Os X Server 10.6.8
Apple Mac Os X 10.7.4
Apple Mac Os X 10.7.3
Apple Mac Os X 10.7.2
Apple Mac Os X 10.7.1
Apple iOS 5.1.1
Apple iOS 5.1
Apple iOS 5.0.1
Apple iOS 5
Apple iOS 4.3.5
Apple iOS 4.3
Apple iOS 4.2
Apple iOS 4.1
Apple iOS 4
Apple iOS 3.2
Apple iOS 3.1
Apple iOS 3.0
Apple iOS 2.1
Apple iOS 2.0
Apple Apple TV 5.0
Apple Apple TV 4.4 |
| Not Vulnerable: | Avaya Aura Session Manager 6.2.1 |
Discussion
International Components for Unicode is prone to a memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application that uses the affected library. Failed exploit attempts will likely result in denial-of-service conditions.
Exploit / POC
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
Apple Mac OS X Server 10.6.8
- Apple SecUpdSrvr2012-004.dmg (For Mac OS X Server v10.6.8): http://www.apple.com/support/downloads/
Mandriva Linux Mandrake 2010.1 x86_64
- Mandriva icu-4.4-2.1mdv2010.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva icu-doc-4.4-2.1mdv2010.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva lib64icu-devel-4.4-2.1mdv2010.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva lib64icu44-4.4-2.1mdv2010.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
Apple Mac OS X 10.6.8
- Apple SecUpd2012-004.dmg (For Mac OS X v10.6.8): http://www.apple.com/support/downloads/
Apple Mac OS X 10.7.3
- Apple MacOSXUpdCombo10.7.5.dmg (For OS X Lion v10.7 and v10.7.3): http://www.apple.com/support/downloads/
MandrakeSoft Enterprise Server 5 x86_64
- Mandriva icu-4.0-2.2mdvmes5.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva icu-doc-4.0-2.2mdvmes5.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva lib64icu-devel-4.0-2.2mdvmes5.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
- Mandriva lib64icu40-4.0-2.2mdvmes5.2.x86_64.rpm: http://www.mandriva.com/en/downloads/
MandrakeSoft Enterprise Server 5
- Mandriva icu-4.0-2.2mdvmes5.2.i586.rpm: http://www.mandriva.com/en/downloads/
- Mandriva icu-doc-4.0-2.2mdvmes5.2.i586.rpm: http://www.mandriva.com/en/downloads/
- Mandriva libicu-devel-4.0-2.2mdvmes5.2.i586.rpm: http://www.mandriva.com/en/downloads/
- Mandriva libicu40-4.0-2.2mdvmes5.2.i586.rpm: http://www.mandriva.com/en/downloads/
Apple Mac OS X Server 10.7.3
- Apple MacOSXServerUpdCombo10.7.5.dmg (For OS X Lion Server v10.7 and v10.7.3): http://www.apple.com/support/downloads/
References
References:
- About the security content of Apple TV 5.1 (Apple)
- CVE Request: icu out of bounds access (Ludwig Nussel)
- ICU Project Home Page (ICU Project)
- Multiple vulnerabilities in International Components for Unicode (ICU) (Oracle)
- ASA-2011-429 icu security update (RHSA-2011-1815) (Avaya)
- swg21975091: ICU4C overflow vulnerability affects IBM WebSphere MQ (CVE-2011-459 (IBM)