Debian Bug report logs - #463688
CVE-2007-4770/1: Vulnerabilities in libicu


Package: icu; Maintainer for icu is Jay Berkenbilt <qjb@debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sat, 2 Feb 2008 12:24:01 UTC

Severity: grave

Tags: security

Fixed in version icu/3.8-6

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jay Berkenbilt <qjb@debian.org>:
Bug#463688; Package libicu38.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jay Berkenbilt <qjb@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-4770/1: Vulnerabilities in libicu
Date: Sat, 02 Feb 2008 13:16:45 +0100
Package: libicu38
Version: 3.6-2
Severity: grave
Tags: security

Two vulnerabilities have been found in libicu:

From CVE-2007-4770:

libicu in International Components for Unicode (ICU) 3.8.1 and earlier
attempts to process backreferences to the nonexistent capture group
zero (aka \0), which might allow context-dependent attackers to read
from, or write to, out-of-bounds memory locations, related to
corruption of REStackFrames.

From CVE-2007-4771:

Heap-based buffer overflow in the doInterval function in regexcmp.cpp
in libicu in International Components for Unicode (ICU) 3.8.1 and
earlier allows context-dependent attackers to cause a denial of
service (memory consumption) and possibly have unspecified other
impact via a regular expression that writes a large amount of data to
the backtracking stack.  NOTE: some of these details are obtained from
third party information.

A link to a patch is at

[1] http://sourceforge.net/mailarchive/message.php?msg_name=d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%40mail.gmail.com

This also affects libicu36 and probably libicu28.

Please mention the CVE ids in the changelog.


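The report above names the fixed source version (icu 3.8-6, binary package libicu38) and says libicu36 and probably libicu28 are affected too. An added example, not from the bug log or the icu package, of the check a reader of this report would run on a Debian host: compare installed versions, as printed by `dpkg-query -W -f '${Package} ${Version}\n'`, against the fixed version using dpkg's own version ordering (epoch, then upstream version, then Debian revision, with digit runs compared numerically and `~` sorting before anything, including the empty string). The fixed-version table holds only what this log states; libicu36 and libicu28 are recorded as affected with no fixed version on this page, and the dpkg-query output is a constructed sample.

```python
"""Added example for Debian bug #463688: flag installed ICU packages older
than the fixed version using dpkg's version ordering. Not part of the bug
log or of the icu package."""

import string

DIGITS = set("0123456789")
LETTERS = set(string.ascii_letters)

# Binary package -> version carrying the fix, as stated in this bug log.
# None: the log calls the package affected but names no fixed version.
FIXED_VERSIONS = {
    "libicu38": "3.8-6",
    "libicu36": None,   # "This also affects libicu36"
    "libicu28": None,   # "... and probably libicu28"
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE_DPKG_QUERY = """\
libicu38 3.8-5
libicu36 3.6-2
libc6 2.7-6
"""


def _order(c):
    """Character weight as in dpkg's verrevcmp(): digits and end-of-string
    are 0, letters sort by code point, '~' sorts before everything (even the
    empty string), other punctuation sorts after letters."""
    if c == "" or c in DIGITS:
        return 0
    if c in LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate between a
    character-by-character non-digit run and a numeric digit run."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:      # longer digit run is the larger number
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def vulnerable_packages(dpkg_query_output, fixed=FIXED_VERSIONS):
    """Return (package, installed, fixed) for each installed package older than
    its fixed version, or affected with no fixed version known (fixed is None)."""
    findings = []
    for line in dpkg_query_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in fixed:
            continue
        pkg, installed, fixed_in = fields[0], fields[1], fixed[fields[0]]
        if fixed_in is None or compare_versions(installed, fixed_in) < 0:
            findings.append((pkg, installed, fixed_in))
    return findings


if __name__ == "__main__":
    for pkg, installed, fixed_in in vulnerable_packages(SAMPLE_DPKG_QUERY):
        print(pkg, installed, "older than" if fixed_in else "affected, no fixed version on this page", fixed_in or "")
```

The ordering code mirrors dpkg's `verrevcmp()` so that cases a naive string or float comparison gets wrong (3.8-10 vs 3.8-9, 3.8~rc1 vs 3.8, binNMU suffixes such as 3.8-5+b1, epochs) come out as dpkg would rank them; `dpkg --compare-versions` gives the same answers on a Debian host and is the reference to check against.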


Bug reassigned from package `libicu38' to `icu'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 03 Feb 2008 17:27:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#463688; Package icu.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #12 received at 463688@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 463688@bugs.debian.org
Cc: team@security.debian.org
Subject: acknowledging security vulnerabilities in ICU
Date: Wed, 06 Feb 2008 10:00:04 -0500
I am acknowledging the security vulnerability report against ICU.
This has caught me at an unusually busy time, so I have not been able
to meet my general policy of same-day response to security bugs.  I
will endeavor to upload a new version to unstable with urgency "high"
within the next two or three days.

Security: if you'd like, I can prepare a patch for the stable version
as well.  I'll do that and send it to security unless I hear
otherwise.

As always, I will reference the CVE number in the changelog.

-- 
Jay Berkenbilt <qjb@debian.org>




Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #17 received at 463688-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 463688-close@bugs.debian.org
Subject: Bug#463688: fixed in icu 3.8-6
Date: Thu, 07 Feb 2008 19:32:05 +0000
Source: icu
Source-Version: 3.8-6

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive:

icu-doc_3.8-6_all.deb
  to pool/main/i/icu/icu-doc_3.8-6_all.deb
icu_3.8-6.diff.gz
  to pool/main/i/icu/icu_3.8-6.diff.gz
icu_3.8-6.dsc
  to pool/main/i/icu/icu_3.8-6.dsc
libicu-dev_3.8-6_i386.deb
  to pool/main/i/icu/libicu-dev_3.8-6_i386.deb
libicu38-dbg_3.8-6_i386.deb
  to pool/main/i/icu/libicu38-dbg_3.8-6_i386.deb
libicu38_3.8-6_i386.deb
  to pool/main/i/icu/libicu38_3.8-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463688@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 07 Feb 2008 12:58:34 -0500
Source: icu
Binary: libicu38 libicu38-dbg libicu-dev lib32icu38 lib32icu-dev icu-doc
Architecture: source all i386
Version: 3.8-6
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu38   - International Components for Unicode
 libicu38-dbg - International Components for Unicode
Closes: 463688
Changes: 
 icu (3.8-6) unstable; urgency=high
 .
   * Add debian/patches/00-cve-2007-4770-4771.patch created from with
     svn diff -c 23292 \
     http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8
     to address the following security vulnerablilities:
      - CVE-2007-4770: reference to non-existent capture group may
        cause access to invalid memory
      - CVE-2007-4771: buffer overflow in regexcmp.cpp
     (Closes: #463688)
   * Updated standards version to 3.7.3: no changes required.
Files: 
 33af53f873f321b6e209bfff05c1e424 889 libs optional icu_3.8-6.dsc
 072afed03a6c137388a0fa9c632cfe4f 11860 libs optional icu_3.8-6.diff.gz
 644ba9a944f610f89337e3963591a7a8 3645860 doc optional icu-doc_3.8-6_all.deb
 39ce4f1c9acf7d5802db62c388b47ef3 5862768 libs optional libicu38_3.8-6_i386.deb
 aca51dba423f8b92a2c806760a587335 2247986 libs extra libicu38-dbg_3.8-6_i386.deb
 225a45a65a08f6933313a38e06e52479 6897616 libdevel optional libicu-dev_3.8-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHq1ngEBVk6taI4KcRAu/RAJ0aMcP+0vAr9LTfxRwlZChpr0b9zACePMn3
y7FL3DcRY19TxL8RNAPqo7g=
=RzAd
-----END PGP SIGNATURE-----


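The signed .changes above records, in its Files: block, the md5sum, size, section, priority and name of every uploaded file. An added example, not from the bug log or the icu package, of checking downloaded files against such a block before installing them; it assumes a POSIX sh with md5sum (or BSD md5) and wc, and uses a constructed Files: line for a demo file rather than the real icu uploads.

```shell
# Added example: verify downloaded files against the md5sum and size listed
# in a .changes "Files:" block. Not part of the bug log or the icu package.
# Assumes POSIX sh with md5sum (or BSD md5) and wc.

# md5_of FILE: print the hex md5 of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_changes_files BLOCK DIR
#   BLOCK: file holding the Files: entries, one per line:
#          "<md5> <size> <section> <priority> <filename>"
#   DIR:   directory holding the downloaded files
# Prints OK/FAIL per entry; returns 0 only if every entry matches.
verify_changes_files() {
    block=$1; dir=$2; status=0
    while read -r sum size _section _priority name; do
        [ -n "$name" ] || continue
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "FAIL $name: missing"; status=1; continue
        fi
        actual_size=$(( $(wc -c < "$f") ))
        actual_sum=$(md5_of "$f")
        if [ "$actual_size" -eq "$size" ] && [ "$actual_sum" = "$sum" ]; then
            echo "OK   $name"
        else
            echo "FAIL $name: got $actual_sum/$actual_size, expected $sum/$size"
            status=1
        fi
    done < "$block"
    return $status
}

# make_demo: build a constructed Files: block and matching/tampered files in a
# temporary directory and print that directory. "hello\n" has md5
# b1946ac92492d2347c6235b4d2611184 and size 6.
make_demo() {
    demo=$(mktemp -d)
    printf 'hello\n' > "$demo/icu_demo.dsc"
    printf '%s\n' "b1946ac92492d2347c6235b4d2611184 6 libs optional icu_demo.dsc" > "$demo/files.txt"
    printf 'tampered\n' > "$demo/icu_bad.dsc"
    printf '%s\n' "b1946ac92492d2347c6235b4d2611184 6 libs optional icu_bad.dsc" > "$demo/files_bad.txt"
    echo "$demo"
}
```

The md5 field only ties the file to the manifest; the integrity guarantee comes from the OpenPGP signature over the .changes, so verify that signature (gpg --verify against the maintainer's key) before trusting the checksums. Current .changes files also carry Checksums-Sha256 entries, and a verification script should prefer those over md5.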



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#463688; Package icu.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>.

Message #22 received at 463688@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: 463688@bugs.debian.org, team@security.debian.org
Subject: Re: acknowledging security vulnerabilities in ICU
Date: Thu, 7 Feb 2008 23:38:35 +0100
Jay Berkenbilt wrote:
 
> Security: if you'd like, I can prepare a patch for the stable version
> as well.  I'll do that and send it to security unless I hear
> otherwise.

Thanks, please go ahead.

Cheers,
        Moritz




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jul 2008 07:34:46 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 05:09:37 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.