Published:2013/10/30  Last Updated:2014/03/31

JVN#85336306
Use-after-free vulnerability in multiple products that use International Components for Unicode (ICU)

Overview

Multiple products that use International Components for Unicode (ICU) contain a use-after-free vulnerability.

Products Affected

Products that use International Components for Unicode (ICU) may be vulnerable.

For more information on vulnerable products, please refer to the "Vendor Status" section.

Description

International Components for Unicode (ICU) is a library for handling Unicode strings. A C version, ICU4C and a Java version, ICU4J are available. Multiple products that use ICU4C contain a use-after-free vulnerability.

ICU released ICU4C version 52.1 that addresses this vulnerability on October 9, 2013.

Impact

Impacts may vary depending on the product. In some cases, a remote attacker may cause a denial-of-service (DoS).

Solution

Apply an Update
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Cybozu, Inc. Vulnerable 2013/10/30 Cybozu, Inc. website
Vendor Link
ICU - International Components for Unicode ICU Home Page
Changeset 34076
Google Stable Channel Update (Chrome 30.0.1599.66)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2013-2924
JVN iPedia JVNDB-2013-004446

Update History

2013/10/30
Information under the section "Vendor Status" was modified.
2014/03/31
Intercom, Inc. update status