Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200803-20 ] International Components for Unicode: Multiple vulnerabilities
Date: Tue, 11 Mar 2008 22:03:45
Message-Id: 47D70F34.3090603@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200803-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: International Components for Unicode: Multiple vulnerabilities
Date: March 11, 2008
Bugs: #208001
ID: 200803-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities have been discovered in the International
Components for Unicode, possibly resulting in the remote execution of
arbitrary code or a Denial of Service.

Background
==========

International Components for Unicode is a set of C/C++ and Java
libraries providing Unicode and Globalization support for software
applications.

Affected packages
=================

    -------------------------------------------------------------------
         Package              /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
      1  dev-libs/icu            < 3.8.1-r1               >= 3.8.1-r1

Description
===========

Will Drewry (Google Security) reported a vulnerability in the regular
expression engine when using back references to capture \0 characters
(CVE-2007-4770). He also found that the backtracking stack size is not
limited, possibly allowing for a heap-based buffer overflow
(CVE-2007-4771).

Impact
======

A remote attacker could submit specially crafted regular expressions to
an application using the library, possibly resulting in the remote
execution of arbitrary code with the privileges of the user running the
application or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All International Components for Unicode users should upgrade to the
latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/icu-3.8.1-r1"

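As an added example (not part of the GLSA), the script below checks whether an installed dev-libs/icu version falls inside the vulnerable range given in the "Affected packages" table, i.e. anything below 3.8.1-r1. It reads the installed version from the Gentoo VDB directory name under /var/db/pkg and compares it with a small version comparator. The comparator assumes plain X.Y.Z[-rN] versions; _alpha/_beta/_rc suffixes are not handled, and the range boundary 3.8.1-r1 is the one the advisory states.

```sh
#!/bin/sh
# Added example for GLSA 200803-20: report whether the installed
# dev-libs/icu is older than 3.8.1-r1 (the first unaffected version).

# Compare two Gentoo-style versions of the form X.Y.Z[-rN].
# Assumption: no _alpha/_beta/_rc suffixes (those need the full PMS rules).
# Prints -1, 0 or 1 as $1 is less than, equal to or greater than $2.
vercmp() {
    a=$1; b=$2
    # Split off the -rN revision; a missing revision counts as -r0.
    ra=${a##*-r}; [ "$ra" = "$a" ] && ra=0
    rb=${b##*-r}; [ "$rb" = "$b" ] && rb=0
    a=${a%-r*}; b=${b%-r*}
    # Compare dot-separated numeric components left to right;
    # a missing trailing component counts as 0 (3.8 == 3.8.0 < 3.8.1).
    while [ -n "$a" ] || [ -n "$b" ]; do
        na=${a%%.*}; [ "$na" = "$a" ] && a= || a=${a#*.}
        nb=${b%%.*}; [ "$nb" = "$b" ] && b= || b=${b#*.}
        na=${na:-0}; nb=${nb:-0}
        if [ "$na" -lt "$nb" ]; then printf '%s\n' -1; return; fi
        if [ "$na" -gt "$nb" ]; then printf '%s\n' 1; return; fi
    done
    # Numeric parts are equal: the revision decides.
    if [ "$ra" -lt "$rb" ]; then printf '%s\n' -1
    elif [ "$ra" -gt "$rb" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# Exit status 0 when the given version is in the vulnerable range (< 3.8.1-r1).
icu_vulnerable() {
    [ "$(vercmp "$1" 3.8.1-r1)" -lt 0 ]
}

# On a Gentoo host the installed version is part of the VDB directory name,
# e.g. /var/db/pkg/dev-libs/icu-3.8.1-r1. Nothing is printed when no VDB
# entry exists (e.g. on a non-Gentoo system).
for dir in /var/db/pkg/dev-libs/icu-*; do
    [ -d "$dir" ] || continue
    ver=${dir##*/icu-}
    if icu_vulnerable "$ver"; then
        echo "dev-libs/icu-$ver is affected by GLSA 200803-20; upgrade to >=dev-libs/icu-3.8.1-r1"
    else
        echo "dev-libs/icu-$ver is not in the vulnerable range"
    fi
done
```

The comparator treats 3.8 and 3.8.0 as equal and a version without a -r suffix as revision 0, which is how the advisory's "< 3.8.1-r1" boundary is meant to be read: 3.8.1 (no revision) is still affected, 3.8.1-r1 and later are not.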
References
==========

[ 1 ] CVE-2007-4770
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4770
[ 2 ] CVE-2007-4771
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4771

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH1w80uhJ+ozIKI5gRAiaRAJwOh+Em/Zszc6ICpgQQ185ZrX5R9wCfcaMN
3EkI7r7NPSKsDcgXSq4CORs=
=EWYp
-----END PGP SIGNATURE-----