[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200803-20.xml - gentoo-commits

From:	"Pierre-Yves Rofes (py)" <py@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200803-20.xml
Date:	Tue, 11 Mar 2008 21:58:29
Message-Id:	`E1JZCUM-0007ow-6I@stork.gentoo.org`

1

py          08/03/11 21:58:26

2

3

  Added:                glsa-200803-20.xml

4

  Log:

5

  GLSA 200803-20

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200803-20.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200803-20.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200803-20.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200803-20.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200803-20">

21

  <title> International Components for Unicode: Multiple vulnerabilities</title>

22

  <synopsis>

23

    Two vulnerabilities have been discovered in the International Components

24

    for Unicode, possibly resulting in the remote execution of arbitrary code

25

    or a Denial of Service.

26

  </synopsis>

27

  <product type="ebuild">icu</product>

28

  <announced>March 11, 2008</announced>

29

  <revised>March 11, 2008: 01</revised>

30

  <bug>208001</bug>

31

  <access>remote</access>

32

  <affected>

33

    <package name="dev-libs/icu" auto="yes" arch="*">

34

      <unaffected range="ge">3.8.1-r1</unaffected>

35

      <vulnerable range="lt">3.8.1-r1</vulnerable>

36

    </package>

37

  </affected>

38

  <background>

39

<p>

40

    International Components for Unicode is a set of C/C++ and Java

41

    libraries providing Unicode and Globalization support for software

42

    applications.

43

    </p>

44

  </background>

45

  <description>

46

<p>

47

    Will Drewry (Google Security) reported a vulnerability in the regular

48

    expression engine when using back references to capture \0 characters

49

    (CVE-2007-4770). He also found that the backtracking stack size is not

50

    limited, possibly allowing for a heap-based buffer overflow

51

    (CVE-2007-4771).

52

    </p>

53

  </description>

54

  <impact type="high">

55

<p>

56

    A remote attacker could submit specially crafted regular expressions to

57

    an application using the library, possibly resulting in the remote

58

    execution of arbitrary code with the privileges of the user running the

59

    application or a Denial of Service.

60

    </p>

61

  </impact>

62

  <workaround>

63

<p>

64

    There is no known workaround at this time.

65

    </p>

66

  </workaround>

67

  <resolution>

68

<p>

69

    All International Components for Unicode users should upgrade to the

70

    latest version:

71

    </p>

72

    <code>

73

    # emerge --sync

74

    # emerge --ask --oneshot --verbose &quot;&gt;=dev-libs/icu-3.8.1-r1&quot;</code>

75

  </resolution>

76

  <references>

77

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4770">CVE-2007-4770</uri>

78

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4771">CVE-2007-4771</uri>

79

  </references>

80

  <metadata tag="requester" timestamp="Wed, 20 Feb 2008 08:30:44 +0000">

81

    jaervosz

82

  </metadata>

83

  <metadata tag="bugReady" timestamp="Wed, 20 Feb 2008 08:30:59 +0000">

84

    jaervosz

85

  </metadata>

86

  <metadata tag="submitter" timestamp="Tue, 11 Mar 2008 12:40:50 +0000">

87

p-y

88

  </metadata>

89

</glsa>

--

94

gentoo-commits@l.g.o mailing list

1	py 08/03/11 21:58:26
2
3	Added: glsa-200803-20.xml
4	Log:
5	GLSA 200803-20
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200803-20.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200803-20.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200803-20.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200803-20.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200803-20">
21	<title> International Components for Unicode: Multiple vulnerabilities</title>
22	<synopsis>
23	Two vulnerabilities have been discovered in the International Components
24	for Unicode, possibly resulting in the remote execution of arbitrary code
25	or a Denial of Service.
26	</synopsis>
27	<product type="ebuild">icu</product>
28	<announced>March 11, 2008</announced>
29	<revised>March 11, 2008: 01</revised>
30	<bug>208001</bug>
31	<access>remote</access>
32	<affected>
33	<package name="dev-libs/icu" auto="yes" arch="*">
34	<unaffected range="ge">3.8.1-r1</unaffected>
35	<vulnerable range="lt">3.8.1-r1</vulnerable>
36	</package>
37	</affected>
38	<background>
39	<p>
40	International Components for Unicode is a set of C/C++ and Java
41	libraries providing Unicode and Globalization support for software
42	applications.
43	</p>
44	</background>
45	<description>
46	<p>
47	Will Drewry (Google Security) reported a vulnerability in the regular
48	expression engine when using back references to capture \0 characters
49	(CVE-2007-4770). He also found that the backtracking stack size is not
50	limited, possibly allowing for a heap-based buffer overflow
51	(CVE-2007-4771).
52	</p>
53	</description>
54	<impact type="high">
55	<p>
56	A remote attacker could submit specially crafted regular expressions to
57	an application using the library, possibly resulting in the remote
58	execution of arbitrary code with the privileges of the user running the
59	application or a Denial of Service.
60	</p>
61	</impact>
62	<workaround>
63	<p>
64	There is no known workaround at this time.
65	</p>
66	</workaround>
67	<resolution>
68	<p>
69	All International Components for Unicode users should upgrade to the
70	latest version:
71	</p>
72	<code>
73	# emerge --sync
74	# emerge --ask --oneshot --verbose ">=dev-libs/icu-3.8.1-r1"</code>
75	</resolution>
76	<references>
77	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4770">CVE-2007-4770</uri>
78	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4771">CVE-2007-4771</uri>
79	</references>
80	<metadata tag="requester" timestamp="Wed, 20 Feb 2008 08:30:44 +0000">
81	jaervosz
82	</metadata>
83	<metadata tag="bugReady" timestamp="Wed, 20 Feb 2008 08:30:59 +0000">
84	jaervosz
85	</metadata>
86	<metadata tag="submitter" timestamp="Tue, 11 Mar 2008 12:40:50 +0000">
87	p-y
88	</metadata>
89	</glsa>
90
91
92
93	--
94	gentoo-commits@l.g.o mailing list

Gentoo Archives: gentoo-commits