Vigil@nce: ICU, incorrect decoding of ISO-2022
April 2009 by Vigil@nce
The ICU library does not correctly decode some ISO-2022 sequences.
– Severity: 2/4
– Consequences: disguisement
– Provenance: document
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/04/2009
IMPACTED PRODUCTS
– Debian Linux
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The ICU (International Components for Unicode) library handles
conversions between various Unicode encodings.
The ISO-2022-JP, ISO-2022-KR and ISO-2022-CN character encodings
are used for Japanese, Korean and Chinese.
RFC 1468 indicates that ISO-2022 emails have to be encoded
using escape sequences ("Escape(" or "Escape$") followed by at
least one character. An escape sequence followed by another escape
sequence is thus invalid. However, ICU handles it as a valid
string.
An attacker can therefore use two escape sequences in order to
bypass security checks done with ICU.
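The rule described above can be enforced before bytes reach a decoder. The following is an added example, not code from ICU or from the advisory: the names check_iso2022jp and accept are hypothetical, the sample byte strings are constructed, and the check is narrowed to the four ISO-2022-JP designators that RFC 1468 defines (ISO-2022-KR and ISO-2022-CN are not covered).

```python
ESC = 0x1B

# The four designators RFC 1468 defines for ISO-2022-JP, three bytes each.
DESIGNATORS = {
    b"\x1b(B": "ASCII",
    b"\x1b(J": "JIS X 0201-Roman",
    b"\x1b$@": "JIS C 6226-1978",
    b"\x1b$B": "JIS X 0208-1983",
}

EMPTY_SEGMENT = "escape sequence followed by another escape sequence"
BAD_ESCAPE = "unknown or truncated escape sequence"


def check_iso2022jp(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, reason) findings; an empty list means every
    escape sequence is known and followed by at least one character
    (or by the end of the data)."""
    findings = []
    i = 0
    while i < len(data):
        if data[i] != ESC:
            i += 1          # payload byte; never 0x1B in either mode
            continue
        seq = data[i:i + 3]
        if seq not in DESIGNATORS:
            findings.append((i, BAD_ESCAPE))
            i += 1
            continue
        nxt = i + 3
        # The case from the advisory: a designator with no character
        # after it before the next designator starts.
        if nxt < len(data) and data[nxt] == ESC:
            findings.append((i, EMPTY_SEGMENT))
        i = nxt
    return findings


def accept(data: bytes) -> bool:
    """Gate for a filter: pass only input with no findings."""
    return not check_iso2022jp(data)


# Constructed sample inputs (not taken from the advisory).
VALID = b"\x1b$B$3$s$K$A$O\x1b(B"          # five JIS X 0208 characters
SUSPECT = b"Subject: \x1b$B\x1b(Bhello"    # two escapes back to back

if __name__ == "__main__":
    for name, sample in (("VALID", VALID), ("SUSPECT", SUSPECT)):
        print(name, accept(sample), check_iso2022jp(sample))
```

A filter that rejects or quarantines input when accept() returns False does not depend on how the downstream decoder treats the empty segment.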
CHARACTERISTICS
– Identifiers: BID-29488, CVE-2008-1036, DSA 1762-1,
RHSA-2009:0296-01, VIGILANCE-VUL-8594
– Url: http://vigilance.fr/vulnerability/ICU-incorrect-decoding-of-ISO-2022-8594