lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080324190222.GD21639@severus.strandboge.com>
Date: Mon, 24 Mar 2008 15:02:22 -0400
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-591-1] libicu vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-591-1             March 24, 2008
icu vulnerabilities
CVE-2007-4770, CVE-2007-4771
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libicu34                        3.4.1a-1ubuntu1.6.06.1

Ubuntu 6.10:
  libicu34                        3.4.1a-1ubuntu1.6.10.1

Ubuntu 7.04:
  libicu36                        3.6-2ubuntu0.1

Ubuntu 7.10:
  libicu36                        3.6-3ubuntu0.1

After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.

Details follow:

Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)

Will Drewry discovered that libicu did not properly limit its
backtracking stack size. If an application linked against libicu
processed a crafted regular expression, an attacker could cause a denial
of service via resource exhaustion. (CVE-2007-4771)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.06.1.diff.gz
      Size/MD5:    10972 445f415e082f042548258f4c6c232558
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.06.1.dsc
      Size/MD5:      619 523a7f45138a6053c2603ed6eb480fca
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a.orig.tar.gz
      Size/MD5:  9039695 d45f59eb03b22cff127173cd3017f2e6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.4.1a-1ubuntu1.6.06.1_all.deb
      Size/MD5:  2915712 1101422b4eb7e5acdd12acc13336715a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_amd64.deb
      Size/MD5:  5875030 1ae964fbf3734b1c00549de786e2bbba
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_amd64.deb
      Size/MD5:  4792062 d7a03747efc590dfe4dea95158689d4f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_i386.deb
      Size/MD5:  5699304 981af70894449430248adf3d9e0db9b6
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_i386.deb
      Size/MD5:  4737488 6464d31ea0559635c6198dff1f4bf5bd

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_powerpc.deb
      Size/MD5:  6048294 ca2d43737af359f7eacd578e25e079ce
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_powerpc.deb
      Size/MD5:  4941578 6cd24bc1bded8547014b75e34216ec4d

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_sparc.deb
      Size/MD5:  5943896 cf5fbe8f8aae07d732d96729647f174e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_sparc.deb
      Size/MD5:  4869890 71f8ee63a63ace3f17e77432cae0b4e7

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.10.1.diff.gz
      Size/MD5:    10981 810042a363ce70adbd4804b1e35ede3c
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.10.1.dsc
      Size/MD5:      619 7ba7b3d16d5293cd6917d023a9978f6e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a.orig.tar.gz
      Size/MD5:  9039695 d45f59eb03b22cff127173cd3017f2e6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.4.1a-1ubuntu1.6.10.1_all.deb
      Size/MD5:  2909022 aa55332464e3d391f414afaa8093f37f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.10.1_amd64.deb
      Size/MD5:  5871754 160edb49c21f746f207e2b6d8f151067
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.10.1_amd64.deb
      Size/MD5:  4786816 afd1356e6b85cab7d2f75747f8aa7d03

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.10.1_i386.deb
      Size/MD5:  5750086 f3742740fef98eaaafc5145c7e895a2e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.10.1_i386.deb
      Size/MD5:  4778408 51fd4d3cf2022aa3937076f7306f3085

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.10.1_powerpc.deb
      Size/MD5:  6060132 0c186f814c29f4d4ad5297ec59531a7e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.10.1_powerpc.deb
      Size/MD5:  4945796 b95c4837ec0172ebc50b2596151bb127

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.10.1_sparc.deb
      Size/MD5:  5950430 a912d9ab99e4f564346048ad014a689e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.10.1_sparc.deb
      Size/MD5:  4870650 939584895a0acc1fb47643c57551ae53

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-2ubuntu0.1.diff.gz
      Size/MD5:     9568 992a805cfdf2bef53375bb692fade0ae
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-2ubuntu0.1.dsc
      Size/MD5:      683 811a2836307eb6b553a47234455782c8
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6.orig.tar.gz
      Size/MD5:  9778863 0f1bda1992b4adca62da68a7ad79d830

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.6-2ubuntu0.1_all.deb
      Size/MD5:  3239258 59e41f56b3e9b0967586f601fc786686

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubuntu0.1_amd64.deb
      Size/MD5:  6582372 05738b95cbea7e71f1c7389acea343c0
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0.1_amd64.deb
      Size/MD5:  5494132 3b37f4197509a3815a588837377926ab

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubuntu0.1_i386.deb
      Size/MD5:  6455976 6131cb6505978764cfa87cc00f3bde55
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0.1_i386.deb
      Size/MD5:  5502928 cc171e6c651af8798679d670317aecb4

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubuntu0.1_powerpc.deb
      Size/MD5:  6914678 3fc12666b60c32e1e766940458e86f8b
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0.1_powerpc.deb
      Size/MD5:  5847506 3e87c31f56a17142293819375fb9b055

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-2ubuntu0.1_sparc.deb
      Size/MD5:  6782112 abe3146ed84e2bf73a406d031c07bb1b
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-2ubuntu0.1_sparc.deb
      Size/MD5:  5722818 6a81975ae3038438ce649b104524c66c

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-3ubuntu0.1.diff.gz
      Size/MD5:    10669 c9fc07570c6cadd992b3e7c5967d675c
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6-3ubuntu0.1.dsc
      Size/MD5:      684 7ff1ab80feb3886e98be54ea84c743fa
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.6.orig.tar.gz
      Size/MD5:  9778863 0f1bda1992b4adca62da68a7ad79d830

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.6-3ubuntu0.1_all.deb
      Size/MD5:  3577326 864f4915d072d28288646ccfe3fcf564

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubuntu0.1_amd64.deb
      Size/MD5:  6588894 3c3c78d3f960c6b461e5de948e1ad36f
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0.1_amd64.deb
      Size/MD5:  5497318 c65272d6afba5a3cd299757cd24e4311

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubuntu0.1_i386.deb
      Size/MD5:  6460842 1b5ddf800807d301b81c9079e52bb886
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0.1_i386.deb
      Size/MD5:  5507380 7e4d0bd96a552c06640a32687b7aebee

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubuntu0.1_powerpc.deb
      Size/MD5:  6918592 74498356923f4a2388c15576f93f98f4
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0.1_powerpc.deb
      Size/MD5:  5850296 6461c9debe8d2b6811cdca0c00209658

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36-dev_3.6-3ubuntu0.1_sparc.deb
      Size/MD5:  6784336 548e4edca27774f28ffc26b5c721ab8d
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu36_3.6-3ubuntu0.1_sparc.deb
      Size/MD5:  5723102 a8f6a5a8bf0868a06b54beed61dd6853



Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ