208001 CVE-2007-4770 2008-01-29 07:34 0000 dev-libs/icu <= 3.8.1 Regular Expressions Vulnerabilities (CVE-2007-(4770|4771)) 2008-03-11 22:16:52 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/28575 B1 [glsa] P2 major --- 206889 1 lars@chaotika.org security@gentoo.org arm@gentoo.org h.mth@web.de openoffice@gentoo.org php-bugs@gentoo.org s390@gentoo.org sh@gentoo.org lars@chaotika.org 2008-01-29 07:34:24 0000 Will Drewry has reported some vulnerabilities in International Components for Unicode, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. 1) A regular expression containing a back reference to capture group zero (\0) may reference random memory areas, which can be exploited to crash an application using the library. 2) The library does not limit the size of the backtracking stack. This can be exploited to cause a heap-based buffer overflow via certain specially crafted regular expressions. The vulnerability is reported in version 3.8.1. Other versions may also be affected. Solution: Apply patch. http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8 lars@chaotika.org 2008-01-29 07:37:00 0000 maintainers - please provide an updated ebuild jakub@gentoo.org 2008-01-29 08:17:50 0000 *** Bug 207905 has been marked as a duplicate of this bug. *** rbu@gentoo.org 2008-02-01 22:51:47 0000 ping rbu@gentoo.org 2008-02-01 23:35:32 0000 I reproduced the 4771 issue on 3.6.1. Caolan McNamara from RedHat backported the patches to 3.6: https://bugzilla.redhat.com/show_bug.cgi?id=429023 This bug also affects OpenOffice, as it currently uses an internal copy of icu. OpenOffice herd, please advise here. rbu@gentoo.org 2008-02-02 00:06:31 0000 OpenOffice, please try building against the (security patched) libicu 3.8.1-r1 here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/ If that does not work, please patch the copy of icu. suka@gentoo.org 2008-02-02 18:27:58 0000 (In reply to comment #5) > OpenOffice, please try building against the (security patched) libicu 3.8.1-r1 > here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/ > > If that does not work, please patch the copy of icu. > I've added a new revision (-r1) of openoffice-2.3.1 to portage, this uses external icu again (we had to back this out prior to stabilizing 2.3.1 as it was broken in OOo), works fine here on x86, other archs will have to test accordingly hoffie@gentoo.org 2008-02-02 21:56:35 0000 icu-3.8.1-r1 with the patch is in the tree now, thanks to jakub. I did not do any tests except from compiling (I haven't touched that package before anyway). I might try building OOo tomorrow, but certainly not today. hoffie@gentoo.org 2008-02-02 22:24:27 0000 icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in doubt. ;) jakub@gentoo.org 2008-02-03 08:54:55 0000 (In reply to comment #8) > icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want > 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in > doubt. ;) Well, yes, definitely. It won't compile with ~icu-3.6. arches, please test and stabilize the following: dev-libs/icu-3.6-r2 (will be hanging around for dev-libs/xerces-c-2.8.0 at least unless someone fixes the messy thing to work w/ icu-3.8.x) dev-libs/icu-3.8.1-r1 ranger@gentoo.org 2008-02-03 18:51:14 0000 ppc and ppc64 done. dertobi123 tested ppc and I committed for his convenience. jer@gentoo.org 2008-02-03 23:24:37 0000 Stable for HPPA. fauli@gentoo.org 2008-02-04 14:37:16 0000 x86 stable armin76@gentoo.org 2008-02-07 10:39:53 0000 alpha/ia64/sparc stable tester@gentoo.org 2008-02-10 22:51:08 0000 amd64 done jakub@gentoo.org 2008-02-11 09:56:15 0000 (In reply to comment #14) > amd64 done You missed dev-libs/icu-3.6-r2; thanks. beandog@gentoo.org 2008-02-20 04:17:22 0000 (In reply to comment #15) > (In reply to comment #14) > > amd64 done > > You missed dev-libs/icu-3.6-r2; thanks. > done pva@gentoo.org 2008-02-23 17:54:38 0000 Updated in release snapshot. py@gentoo.org 2008-03-11 22:16:52 0000 GLSA 200803-20