USN-591-1: libicu vulnerabilities

Ubuntu Security Notice USN-591-1

24th March, 2008

icu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 7.10
  • Ubuntu 7.04
  • Ubuntu 6.10
  • Ubuntu 6.06 LTS

Software description

  • icu

Details

Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)

Will Drewry discovered that libicu did not properly limit its
backtracking stack size. If an application linked against libicu
processed a crafted regular expression, an attacker could cause a denial
of service via resource exhaustion. (CVE-2007-4771)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 7.10:
libicu36 3.6-3ubuntu0.1
Ubuntu 7.04:
libicu36 3.6-2ubuntu0.1
Ubuntu 6.10:
libicu34 3.4.1a-1ubuntu1.6.10.1
Ubuntu 6.06 LTS:
libicu34 3.4.1a-1ubuntu1.6.06.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.

References

CVE-2007-4770, CVE-2007-4771