CVE-2007-4770/1: Vulnerabilities in libicu

Debian Bug report logs - #463688
CVE-2007-4770/1: Vulnerabilities in libicu

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2007-4770/1: Vulnerabilities in libicu

Date: Sat, 02 Feb 2008 13:16:45 +0100

Package: libicu38
Version: 3.6-2
Severity: grave
Tags: security

Two vulnerabilities have been found in libicu:

>From CVE-2007-4770:

libicu in International Components for Unicode (ICU) 3.8.1 and earlier
attempts to process backreferences to the nonexistent capture group
zero (aka \0), which might allow context-dependent attackers to read
from, or write to, out-of-bounds memory locations, related to
corruption of REStackFrames.

>From CVE-2007-4771:

Heap-based buffer overflow in the doInterval function in regexcmp.cpp
in libicu in International Components for Unicode (ICU) 3.8.1 and
earlier allows context-dependent attackers to cause a denial of
service (memory consumption) and possibly have unspecified other
impact via a regular expression that writes a large amount of data to
the backtracking stack.  NOTE: some of these details are obtained from
third party information.

A link to a patch is at

[1] http://sourceforge.net/mailarchive/message.php?msg_name=d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%40mail.gmail.com

This also affects libicu36 and probably libicu28.

Please mention the CVE ids in the changelog.

Message #12 received at 463688@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: 463688@bugs.debian.org

Cc: team@security.debian.org

Subject: acknowledging security vulnerabilities in ICU

Date: Wed, 06 Feb 2008 10:00:04 -0500

I am acknowledging the security vulnerability report against ICU.
This has caught me at an unusually busy time, so I have not been able
to meet my general policy of same-day response to security bugs.  I
will endeavor to upload a new version to unstable with urgency "high"
within the next two or three days.

Security: if you'd like, I can prepare a patch for the stable version
as well.  I'll do that and send it to security unless I hear
otherwise.

As always, I will reference the CVE number in the changelog.

-- 
Jay Berkenbilt <qjb@debian.org>

Message #17 received at 463688-close@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: 463688-close@bugs.debian.org

Subject: Bug#463688: fixed in icu 3.8-6

Date: Thu, 07 Feb 2008 19:32:05 +0000

Source: icu
Source-Version: 3.8-6

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive:

icu-doc_3.8-6_all.deb
  to pool/main/i/icu/icu-doc_3.8-6_all.deb
icu_3.8-6.diff.gz
  to pool/main/i/icu/icu_3.8-6.diff.gz
icu_3.8-6.dsc
  to pool/main/i/icu/icu_3.8-6.dsc
libicu-dev_3.8-6_i386.deb
  to pool/main/i/icu/libicu-dev_3.8-6_i386.deb
libicu38-dbg_3.8-6_i386.deb
  to pool/main/i/icu/libicu38-dbg_3.8-6_i386.deb
libicu38_3.8-6_i386.deb
  to pool/main/i/icu/libicu38_3.8-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463688@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 07 Feb 2008 12:58:34 -0500
Source: icu
Binary: libicu38 libicu38-dbg libicu-dev lib32icu38 lib32icu-dev icu-doc
Architecture: source all i386
Version: 3.8-6
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu38   - International Components for Unicode
 libicu38-dbg - International Components for Unicode
Closes: 463688
Changes: 
 icu (3.8-6) unstable; urgency=high
 .
   * Add debian/patches/00-cve-2007-4770-4771.patch created from with
     svn diff -c 23292 \
     http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8
     to address the following security vulnerablilities:
      - CVE-2007-4770: reference to non-existent capture group may
        cause access to invalid memory
      - CVE-2007-4771: buffer overflow in regexcmp.cpp
     (Closes: #463688)
   * Updated standards version to 3.7.3: no changes required.
Files: 
 33af53f873f321b6e209bfff05c1e424 889 libs optional icu_3.8-6.dsc
 072afed03a6c137388a0fa9c632cfe4f 11860 libs optional icu_3.8-6.diff.gz
 644ba9a944f610f89337e3963591a7a8 3645860 doc optional icu-doc_3.8-6_all.deb
 39ce4f1c9acf7d5802db62c388b47ef3 5862768 libs optional libicu38_3.8-6_i386.deb
 aca51dba423f8b92a2c806760a587335 2247986 libs extra libicu38-dbg_3.8-6_i386.deb
 225a45a65a08f6933313a38e06e52479 6897616 libdevel optional libicu-dev_3.8-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHq1ngEBVk6taI4KcRAu/RAJ0aMcP+0vAr9LTfxRwlZChpr0b9zACePMn3
y7FL3DcRY19TxL8RNAPqo7g=
=RzAd
-----END PGP SIGNATURE-----

Message #22 received at 463688@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Jay Berkenbilt <qjb@debian.org>

Cc: 463688@bugs.debian.org, team@security.debian.org

Subject: Re: acknowledging security vulnerabilities in ICU

Date: Thu, 7 Feb 2008 23:38:35 +0100

Jay Berkenbilt wrote:
 
> Security: if you'd like, I can prepare a patch for the stable version
> as well.  I'll do that and send it to security unless I hear
> otherwise.

Thanks, please go ahead.

Cheers,
        Moritz

Send a report that this bug log contains spam.