CVE-2017-14952

Publication date 16 October 2017

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
icu	17.10 artful	Fixed 57.1-6ubuntu0.2
	17.04 zesty	Fixed 57.1-5ubuntu0.2
	16.04 LTS xenial	Fixed 55.1-7ubuntu0.3
	14.04 LTS trusty	Fixed 52.1-3ubuntu0.7

How can I get the fixes?
What do statuses mean?

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-3458-1
ICU vulnerability
23 October 2017

USN-3458-2
ICU vulnerability
23 October 2017

Other references

http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp
http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/
https://www.cve.org/CVERecord?id=CVE-2017-14952