[USN-591-1] libicu vulnerabilities
Date: Mon, 24 Mar 2008 15:02:22 -0400
From: Jamie Strandboge <jamie@canonical.com.>
To: [email protected]
Subject: [USN-591-1] libicu vulnerabilities
Message-ID: <20080324190222.GD21639@severus.strandboge.com.>
Reply-To: Jamie Strandboge <jamie@canonical.com.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="m51xatjYGsM+13rf"
Content-Disposition: inline
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
X-Virus-Scanned: antivirus-gw at tyumen.ru
--m51xatjYGsM+13rf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Ubuntu Security Notice USN-591-1 March 24, 2008
icu vulnerabilities
CVE-2007-4770, CVE-2007-4771
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libicu34 3.4.1a-1ubuntu1.6.06.1
Ubuntu 6.10:
libicu34 3.4.1a-1ubuntu1.6.10.1
Ubuntu 7.04:
libicu36 3.6-2ubuntu0.1
Ubuntu 7.10:
libicu36 3.6-3ubuntu0.1
After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.
Details follow:
Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)
Will Drewry discovered that libicu did not properly limit its
backtracking stack size. If an application linked against libicu
processed a crafted regular expression, an attacker could cause a denial
of service via resource exhaustion. (CVE-2007-4771)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6=
=2E06.1.diff.gz
Size/MD5: 10972 445f415e082f042548258f4c6c232558
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6=
=2E06.1.dsc
Size/MD5: 619 523a7f45138a6053c2603ed6eb480fca
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a.orig.tar.gz
Size/MD5: 9039695 d45f59eb03b22cff127173cd3017f2e6
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.4.1a-1ubunt=
u1.6.06.1_all.deb
Size/MD5: 2915712 1101422b4eb7e5acdd12acc13336715a
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.06.1_amd64.deb
Size/MD5: 5875030 1ae964fbf3734b1c00549de786e2bbba
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.06.1_amd64.deb
Size/MD5: 4792062 d7a03747efc590dfe4dea95158689d4f
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.06.1_i386.deb
Size/MD5: 5699304 981af70894449430248adf3d9e0db9b6
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.06.1_i386.deb
Size/MD5: 4737488 6464d31ea0559635c6198dff1f4bf5bd
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.06.1_powerpc.deb
Size/MD5: 6048294 ca2d43737af359f7eacd578e25e079ce
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.06.1_powerpc.deb
Size/MD5: 4941578 6cd24bc1bded8547014b75e34216ec4d
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.06.1_sparc.deb
Size/MD5: 5943896 cf5fbe8f8aae07d732d96729647f174e
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.06.1_sparc.deb
Size/MD5: 4869890 71f8ee63a63ace3f17e77432cae0b4e7
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6=
=2E10.1.diff.gz
Size/MD5: 10981 810042a363ce70adbd4804b1e35ede3c
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6=
=2E10.1.dsc
Size/MD5: 619 7ba7b3d16d5293cd6917d023a9978f6e
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a.orig.tar.gz
Size/MD5: 9039695 d45f59eb03b22cff127173cd3017f2e6
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.4.1a-1ubunt=
u1.6.10.1_all.deb
Size/MD5: 2909022 aa55332464e3d391f414afaa8093f37f
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.10.1_amd64.deb
Size/MD5: 5871754 160edb49c21f746f207e2b6d8f151067
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.10.1_amd64.deb
Size/MD5: 4786816 afd1356e6b85cab7d2f75747f8aa7d03
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.10.1_i386.deb
Size/MD5: 5750086 f3742740fef98eaaafc5145c7e895a2e
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.10.1_i386.deb
Size/MD5: 4778408 51fd4d3cf2022aa3937076f7306f3085
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.10.1_powerpc.deb
Size/MD5: 6060132 0c186f814c29f4d4ad5297ec59531a7e
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.10.1_powerpc.deb
Size/MD5: 4945796 b95c4837ec0172ebc50b2596151bb127
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1=
ubuntu1.6.10.1_sparc.deb
Size/MD5: 5950430 a912d9ab99e4f564346048ad014a689e
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubun=
tu1.6.10.1_sparc.deb
Size/MD5: 4870650 939584895a0acc1fb47643c57551ae53
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-2ubuntu0.1.di=
ff.gz
Size/MD5: 9568 992a805cfdf2bef53375bb692fade0ae
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-2ubuntu0.1.dsc
Size/MD5: 683 811a2836307eb6b553a47234455782c8
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6.orig.tar.gz
Size/MD5: 9778863 0f1bda1992b4adca62da68a7ad79d830
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.6-2ubuntu0.=
1_all.deb
Size/MD5: 3239258 59e41f56b3e9b0967586f601fc786686
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubu=
ntu0.1_amd64.deb
Size/MD5: 6582372 05738b95cbea7e71f1c7389acea343c0
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0=
=2E1_amd64.deb
Size/MD5: 5494132 3b37f4197509a3815a588837377926ab
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubu=
ntu0.1_i386.deb
Size/MD5: 6455976 6131cb6505978764cfa87cc00f3bde55
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0=
=2E1_i386.deb
Size/MD5: 5502928 cc171e6c651af8798679d670317aecb4
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubu=
ntu0.1_powerpc.deb
Size/MD5: 6914678 3fc12666b60c32e1e766940458e86f8b
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0=
=2E1_powerpc.deb
Size/MD5: 5847506 3e87c31f56a17142293819375fb9b055
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubu=
ntu0.1_sparc.deb
Size/MD5: 6782112 abe3146ed84e2bf73a406d031c07bb1b
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0=
=2E1_sparc.deb
Size/MD5: 5722818 6a81975ae3038438ce649b104524c66c
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-3ubuntu0.1.di=
ff.gz
Size/MD5: 10669 c9fc07570c6cadd992b3e7c5967d675c
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-3ubuntu0.1.dsc
Size/MD5: 684 7ff1ab80feb3886e98be54ea84c743fa
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6.orig.tar.gz
Size/MD5: 9778863 0f1bda1992b4adca62da68a7ad79d830
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.6-3ubuntu0.=
1_all.deb
Size/MD5: 3577326 864f4915d072d28288646ccfe3fcf564
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubu=
ntu0.1_amd64.deb
Size/MD5: 6588894 3c3c78d3f960c6b461e5de948e1ad36f
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0=
=2E1_amd64.deb
Size/MD5: 5497318 c65272d6afba5a3cd299757cd24e4311
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubu=
ntu0.1_i386.deb
Size/MD5: 6460842 1b5ddf800807d301b81c9079e52bb886
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0=
=2E1_i386.deb
Size/MD5: 5507380 7e4d0bd96a552c06640a32687b7aebee
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubu=
ntu0.1_powerpc.deb
Size/MD5: 6918592 74498356923f4a2388c15576f93f98f4
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0=
=2E1_powerpc.deb
Size/MD5: 5850296 6461c9debe8d2b6811cdca0c00209658
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubu=
ntu0.1_sparc.deb
Size/MD5: 6784336 548e4edca27774f28ffc26b5c721ab8d
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0=
=2E1_sparc.deb
Size/MD5: 5723102 a8f6a5a8bf0868a06b54beed61dd6853
--m51xatjYGsM+13rf
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH5/q+W0JvuRdL8BoRArCeAJ9NM7VjReh5xni3SazZ5R9iOrK9zgCfcso5
ttldoqarHg6N4RU52Jy7DD4=
=+Dgw
-----END PGP SIGNATURE-----
--m51xatjYGsM+13rf--