Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/glsa-200803-20.xml
blob: 41e16594b4d937982510782473bf375d8dc8184c (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200803-20">
  <title>International Components for Unicode: Multiple vulnerabilities</title>
  <synopsis>
    Two vulnerabilities have been discovered in the International Components
    for Unicode, possibly resulting in the remote execution of arbitrary code
    or a Denial of Service.
  </synopsis>
  <product type="ebuild">icu</product>
  <announced>2008-03-11</announced>
  <revised count="03">2009-05-28</revised>
  <bug>208001</bug>
  <access>remote</access>
  <affected>
    <package name="dev-libs/icu" auto="yes" arch="*">
      <unaffected range="ge">3.8.1-r1</unaffected>
      <unaffected range="rge">3.6-r2</unaffected>
      <vulnerable range="lt">3.8.1-r1</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    International Components for Unicode is a set of C/C++ and Java
    libraries providing Unicode and Globalization support for software
    applications.
    </p>
  </background>
  <description>
    <p>
    Will Drewry (Google Security) reported a vulnerability in the regular
    expression engine when using back references to capture \0 characters
    (CVE-2007-4770). He also found that the backtracking stack size is not
    limited, possibly allowing for a heap-based buffer overflow
    (CVE-2007-4771).
    </p>
  </description>
  <impact type="high">
    <p>
    A remote attacker could submit specially crafted regular expressions to
    an application using the library, possibly resulting in the remote
    execution of arbitrary code with the privileges of the user running the
    application or a Denial of Service.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    All International Components for Unicode users should upgrade to the
    latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=dev-libs/icu-3.8.1-r1"</code>
  </resolution>
  <references>
    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4770">CVE-2007-4770</uri>
    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4771">CVE-2007-4771</uri>
  </references>
  <metadata tag="requester" timestamp="2008-02-20T08:30:44Z">
    jaervosz
  </metadata>
  <metadata tag="bugReady" timestamp="2008-02-20T08:30:59Z">
    jaervosz
  </metadata>
  <metadata tag="submitter" timestamp="2008-03-11T12:40:50Z">
    p-y
  </metadata>
</glsa>