Ubuntu Security Notice USN-591-1
24th March, 2008
icu vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 7.10
- Ubuntu 7.04
- Ubuntu 6.10
- Ubuntu 6.06 LTS
Software description
- icu
Details
Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)
Will Drewry discovered that libicu did not properly limit its
backtracking stack size. If an application linked against libicu
processed a crafted regular expression, an attacker could cause a denial
of service via resource exhaustion. (CVE-2007-4771)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 7.10:
- libicu36 3.6-3ubuntu0.1
- Ubuntu 7.04:
- libicu36 3.6-2ubuntu0.1
- Ubuntu 6.10:
- libicu34 3.4.1a-1ubuntu1.6.10.1
- Ubuntu 6.06 LTS:
- libicu34 3.4.1a-1ubuntu1.6.06.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.