Will Drewry has reported some vulnerabilities in International Components for Unicode, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. 1) A regular expression containing a back reference to capture group zero (\0) may reference random memory areas, which can be exploited to crash an application using the library. 2) The library does not limit the size of the backtracking stack. This can be exploited to cause a heap-based buffer overflow via certain specially crafted regular expressions. The vulnerability is reported in version 3.8.1. Other versions may also be affected. Solution: Apply patch. http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8
maintainers - please provide an updated ebuild
*** Bug 207905 has been marked as a duplicate of this bug. ***
ping
I reproduced the 4771 issue on 3.6.1. Caolan McNamara from RedHat backported the patches to 3.6: https://bugzilla.redhat.com/show_bug.cgi?id=429023 This bug also affects OpenOffice, as it currently uses an internal copy of icu. OpenOffice herd, please advise here.
OpenOffice, please try building against the (security patched) libicu 3.8.1-r1 here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/ If that does not work, please patch the copy of icu.
(In reply to comment #5) > OpenOffice, please try building against the (security patched) libicu 3.8.1-r1 > here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/ > > If that does not work, please patch the copy of icu. > I've added a new revision (-r1) of openoffice-2.3.1 to portage, this uses external icu again (we had to back this out prior to stabilizing 2.3.1 as it was broken in OOo), works fine here on x86, other archs will have to test accordingly
icu-3.8.1-r1 with the patch is in the tree now, thanks to jakub. I did not do any tests except from compiling (I haven't touched that package before anyway). I might try building OOo tomorrow, but certainly not today.
icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in doubt. ;)
(In reply to comment #8) > icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want > 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in > doubt. ;) Well, yes, definitely. It won't compile with ~icu-3.6. arches, please test and stabilize the following: dev-libs/icu-3.6-r2 (will be hanging around for dev-libs/xerces-c-2.8.0 at least unless someone fixes the messy thing to work w/ icu-3.8.x) dev-libs/icu-3.8.1-r1
ppc and ppc64 done. dertobi123 tested ppc and I committed for his convenience.
Stable for HPPA.
x86 stable
alpha/ia64/sparc stable
amd64 done
(In reply to comment #14) > amd64 done You missed dev-libs/icu-3.6-r2; thanks.
(In reply to comment #15) > (In reply to comment #14) > > amd64 done > > You missed dev-libs/icu-3.6-r2; thanks. > done
Updated in release snapshot.
GLSA 200803-20
