Ubuntu: libicu vulnerabilities
Posted by Benjamin D. Thomas   
Will Drewry discovered that libicu did not properly handle '\0' when processing regular expressions. If an application linked against libicu processed a crafted regular expression, an attacker could execute arbitrary code with privileges of the user invoking the program.
=========================================================== 
Ubuntu Security Notice USN-591-1             March 24, 2008
icu vulnerabilities
CVE-2007-4770, CVE-2007-4771
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libicu34                        3.4.1a-1ubuntu1.6.06.1

Ubuntu 6.10:
  libicu34                        3.4.1a-1ubuntu1.6.10.1

Ubuntu 7.04:
  libicu36                        3.6-2ubuntu0.1

Ubuntu 7.10:
  libicu36                        3.6-3ubuntu0.1

After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.

Details follow:

Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)

Will Drewry discovered that libicu did not properly limit its
backtracking stack size. If an application linked against libicu
processed a crafted regular expression, an attacker could cause a denial
of service via resource exhaustion. (CVE-2007-4771)
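
The restart requirement above can be checked after the upgrade: a process that still maps the old library shows the file as "(deleted)" in /proc/<pid>/maps. The following is an added example, not part of the Ubuntu advisory; the function names and the sample maps text are constructed for illustration, and it assumes a Linux /proc filesystem.

```python
import glob
import re

# A maps line whose path column is a libicu shared object that has been
# unlinked, i.e. replaced on disk by the upgraded package.
STALE_ICU = re.compile(r"(/\S*libicu[a-z0-9]*\.so[\d.]*) \(deleted\)$")

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 08:01 1234 /usr/bin/soffice.bin
b7a00000-b7b10000 r-xp 00000000 08:01 5678 /usr/lib/libicuuc.so.36.0 (deleted)
b7b10000-b7b18000 rw-p 00110000 08:01 5678 /usr/lib/libicuuc.so.36.0 (deleted)
b7c00000-b7d00000 r-xp 00000000 08:01 5680 /usr/lib/libicui18n.so.36.0
b7e00000-b7e01000 rw-p 00000000 00:00 0
"""


def stale_libicu_paths(maps_text):
    """Return the sorted, de-duplicated deleted libicu objects in one maps file."""
    found = set()
    for line in maps_text.splitlines():
        match = STALE_ICU.search(line.rstrip())
        if match:
            found.add(match.group(1))
    return sorted(found)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale libicu paths for every process whose maps file is readable."""
    results = {}
    for maps_file in glob.glob(f"{proc_root}/[0-9]*/maps"):
        try:
            with open(maps_file, "r", errors="replace") as handle:
                stale = stale_libicu_paths(handle.read())
        except OSError:
            continue  # process exited, or its maps file is not readable by this user
        if stale:
            results[int(maps_file.split("/")[-2])] = stale
    return results


if __name__ == "__main__":
    for pid, paths in sorted(scan_proc().items()):
        print(f"pid {pid} still maps pre-upgrade libicu: {', '.join(paths)}")
```

Run it as root to cover every user's processes; any pid it reports is still executing the unpatched library code and needs a restart.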

