[Bug 186578] Re: [libicu] [CVE-2007-4770] [CVE-2007-4771] potential execution of arbitrary code via malformed regular expressions

Sat Apr 4 14:42:37 UTC 2020

Launchpad has imported 19 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=208001.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-01-29T07:34:24+00:00 lars wrote:

Will Drewry has reported some vulnerabilities in International
Components for Unicode, which can be exploited by malicious people to
cause a DoS (Denial of Service) or potentially compromise an application
using the library.

1) A regular expression containing a back reference to capture group
zero (\0) may reference random memory areas, which can be exploited to
crash an application using the library.

2) The library does not limit the size of the backtracking stack. This
can be exploited to cause a heap-based buffer overflow via certain
specially crafted regular expressions.

The vulnerability is reported in version 3.8.1. Other versions may also
be affected.

Solution:
Apply patch.
http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/9

------------------------------------------------------------------------
On 2008-01-29T07:37:00+00:00 lars wrote:

maintainers - please provide an updated ebuild

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/10

------------------------------------------------------------------------
On 2008-01-29T08:17:50+00:00 jakub wrote:

*** Bug 207905 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/11

------------------------------------------------------------------------
On 2008-02-01T22:51:47+00:00 rbu wrote:

ping

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/12

------------------------------------------------------------------------
On 2008-02-01T23:35:32+00:00 rbu wrote:

I reproduced the 4771 issue on 3.6.1.
Caolan McNamara from RedHat backported the patches to 3.6:
  https://bugzilla.redhat.com/show_bug.cgi?id=429023

This bug also affects OpenOffice, as it currently uses an internal copy of icu.
OpenOffice herd, please advise here.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/13

------------------------------------------------------------------------
On 2008-02-02T00:06:31+00:00 rbu wrote:

OpenOffice, please try building against the (security patched) libicu
3.8.1-r1 here:  http://overlays.gentoo.org/svn/proj/php/migration/dev-
libs/icu/

If that does not work, please patch the copy of icu.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/14

------------------------------------------------------------------------
On 2008-02-02T18:27:58+00:00 suka wrote:

(In reply to comment #5)
> OpenOffice, please try building against the (security patched) libicu 3.8.1-r1
> here:  http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/
> 
> If that does not work, please patch the copy of icu.
> 

I've added a new revision (-r1) of openoffice-2.3.1 to portage, this
uses external icu again (we had to back this out prior to stabilizing
2.3.1 as it was broken in OOo), works fine here on x86, other archs will
have to test accordingly

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/15

------------------------------------------------------------------------
On 2008-02-02T21:56:35+00:00 hoffie wrote:

icu-3.8.1-r1 with the patch is in the tree now, thanks to jakub. I did
not do any tests except from compiling (I haven't touched that package
before anyway). I might try building OOo tomorrow, but certainly not
today.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/16

------------------------------------------------------------------------
On 2008-02-02T22:24:27+00:00 hoffie wrote:

icu-3.6-r2 in the tree as well (with the patch from redhat). You
probably want 3.8* stable for OpenOffice anyway, but I don't really
know, ask jakub if in doubt. ;)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/17

------------------------------------------------------------------------
On 2008-02-03T08:54:55+00:00 jakub wrote:

(In reply to comment #8)
> icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want
> 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in
> doubt. ;)

Well, yes, definitely. It won't compile with ~icu-3.6. arches, please
test and stabilize the following:

dev-libs/icu-3.6-r2 (will be hanging around for dev-libs/xerces-c-2.8.0
at least unless someone fixes the messy thing to work w/ icu-3.8.x)

dev-libs/icu-3.8.1-r1

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/18

------------------------------------------------------------------------
On 2008-02-03T18:51:14+00:00 ranger wrote:

ppc and ppc64 done.

dertobi123 tested ppc and I committed for his convenience.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/19

------------------------------------------------------------------------
On 2008-02-03T23:24:37+00:00 jer wrote:

Stable for HPPA.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/20

------------------------------------------------------------------------
On 2008-02-04T14:37:16+00:00 fauli wrote:

x86 stable

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/21

------------------------------------------------------------------------
On 2008-02-07T10:39:53+00:00 armin76 wrote:

alpha/ia64/sparc stable

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/22

------------------------------------------------------------------------
On 2008-02-10T22:51:08+00:00 tester wrote:

amd64 done

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/26

------------------------------------------------------------------------
On 2008-02-11T09:56:15+00:00 jakub wrote:

(In reply to comment #14)
> amd64 done

You missed dev-libs/icu-3.6-r2; thanks.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/27

------------------------------------------------------------------------
On 2008-02-20T04:17:22+00:00 beandog wrote:

(In reply to comment #15)
> (In reply to comment #14)
> > amd64 done
> 
> You missed dev-libs/icu-3.6-r2; thanks.
> 

done

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/28

------------------------------------------------------------------------
On 2008-02-23T17:54:38+00:00 pva wrote:

Updated in release snapshot.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/29

------------------------------------------------------------------------
On 2008-03-11T22:16:52+00:00 py wrote:

GLSA 200803-20

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/comments/31

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to icu in Ubuntu.
https://bugs.launchpad.net/bugs/186578

Title:
  [libicu] [CVE-2007-4770] [CVE-2007-4771] potential execution of
  arbitrary code via malformed regular expressions

Status in icu package in Ubuntu:
  Fix Released
Status in icu source package in Dapper:
  Fix Released
Status in icu source package in Edgy:
  Fix Released
Status in icu source package in Feisty:
  Fix Released
Status in icu source package in Gutsy:
  Fix Released
Status in icu source package in Hardy:
  Fix Released
Status in icu package in Debian:
  Fix Released
Status in icu package in Fedora:
  Fix Released
Status in icu package in Gentoo Linux:
  Fix Released

Bug description:
  Binary package hint: libicu36

  References:
  MDVSA-2008:026 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:026)

  Quoting:
  "Will Drewry reported multiple flaws in how libicu processed certain
  malformed regular expressions. If an application linked against
  libicu, such as OpenOffice.org, processed a carefully-crafted regular
  expression, it could potentially cause the execution of arbitrary
  code with the privileges of the user running the application."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/icu/+bug/186578/+subscriptions