CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
92.4%
The collator implementation in i18n/ucol.cpp in International Components
for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome
before 40.0.2214.91, does not initialize memory for a data structure, which
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted character sequence.
Author | Note |
---|---|
mdeslaur | code in icu has changed, so no equivalent commit in icu tree first google patch is buggy, as prevPos is getting set after the getNextNormalizedChar second google patch is buggy as source->endp is being checked without checking the UCOL_ITER_HASLEN flag |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | chromium-browser | < 40.0.2214.94-0ubuntu0.14.04.1.1068 | UNKNOWN |
ubuntu | 14.10 | noarch | chromium-browser | < 40.0.2214.94-0ubuntu0.14.10.1.1110 | UNKNOWN |
ubuntu | 15.04 | noarch | chromium-browser | < 40.0.2214.94-0ubuntu1.1120 | UNKNOWN |
ubuntu | 15.10 | noarch | chromium-browser | < 40.0.2214.94-0ubuntu1.1120 | UNKNOWN |
ubuntu | 12.04 | noarch | icu | < 4.8.1.1-3ubuntu0.3 | UNKNOWN |
ubuntu | 14.04 | noarch | icu | < 52.1-3ubuntu0.2 | UNKNOWN |
ubuntu | 14.10 | noarch | icu | < 52.1-6ubuntu0.2 | UNKNOWN |
ubuntu | 14.04 | noarch | oxide-qt | < 1.4.2-0ubuntu0.14.04.1 | UNKNOWN |
ubuntu | 14.10 | noarch | oxide-qt | < 1.4.2-0ubuntu0.14.10.1 | UNKNOWN |
ubuntu | 15.04 | noarch | oxide-qt | < 1.4.2-0ubuntu1 | UNKNOWN |
googlechromereleases.blogspot.com/2015/01/stable-update.html
chromium.googlesource.com/chromium/deps/icu/+/866ff696e9022a6000afbab516fba62cfa306075
chromium.googlesource.com/chromium/src.git/+/87feb77547781a22b31c423bc0d57b7dca32d5b8
launchpad.net/bugs/cve/CVE-2014-7940
nvd.nist.gov/vuln/detail/CVE-2014-7940
security-tracker.debian.org/tracker/CVE-2014-7940
ubuntu.com/security/notices/USN-2476-1
ubuntu.com/security/notices/USN-2522-1
www.cve.org/CVERecord?id=CVE-2014-7940