| Field | Value |
|---|---|
| Description | The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| NVD severity | high (attack range: remote) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| icu (PTS) | jessie (security), jessie | 52.1-8+deb8u7 | fixed |
| icu (PTS) | stretch (security), stretch | 57.1-6+deb9u2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|

Notes:
- icu <not-affected> (Vulnerable code not present, only experimental was ever affected and fixed in 60.2-1)
- Fixed by: https://ssl.icu-project.org/trac/changeset/40714
- Introduced by: https://ssl.icu-project.org/trac/changeset/40455/