DSA 1511-1: New libicu packages fix multiple problems
Posted on: 03/03/2008 11:35 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1511-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
March 03, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : libicu
Vulnerability : various
Problem type : local
Debian-specific: no
CVE Id(s) : 2007-4770 2007-4771
Debian Bug : 463688

Several local vulnerabilities have been discovered in libicu,
International Components for Unicode, The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-4770
libicu in International Components for Unicode (ICU) 3.8.1 and earlier
attempts to process backreferences to the nonexistent capture group
zero (aka \\0), which might allow context-dependent attackers to read
from, or write to, out-of-bounds memory locations, related to
corruption of REStackFrames.

CVE-2007-4771
Heap-based buffer overflow in the doInterval function in regexcmp.cpp
in libicu in International Components for Unicode (ICU) 3.8.1 and
earlier allows context-dependent attackers to cause a denial of
service (memory consumption) and possibly have unspecified other
impact via a regular expression that writes a large amount of data to
the backtracking stack.

For the stable distribution (etch), these problems have been fixed in
version 3.6-2etch1.

For the unstable distribution (sid), these problems have been fixed in
version 3.8-6.

We recommend that you upgrade your libicu package.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/i/icu/icu_3.6.orig.tar.gz
Size/MD5 checksum: 9778863 0f1bda1992b4adca62da68a7ad79d830
http://security.debian.org/pool/updates/main/i/icu/icu_3.6-2etch1.dsc
Size/MD5 checksum: 591 13dcea6b1c9a282147b99c4867db6ee8
http://security.debian.org/pool/updates/main/i/icu/icu_3.6-2etch1.diff.gz
Size/MD5 checksum: 9552 82e560098b24b245872b163a522a80b8

Architecture independent packages:

http://security.debian.org/pool/updates/main/i/icu/icu-doc_3.6-2etch1_all.deb
Size/MD5 checksum: 3332194 5da76263265814905245b97daec4c1c3

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_alpha.deb
Size/MD5 checksum: 7028746 b6b13d0fa262501923c97a859b400d10
http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_alpha.deb
Size/MD5 checksum: 5581984 0cd37ce9f234b9207accc424dc191f49

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_amd64.deb
Size/MD5 checksum: 6585582 9fe0ee74625a985628c9af096dd13827
http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_amd64.deb
Size/MD5 checksum: 5444228 250851db4a613e9a5d0029d73c1196c0

arm architecture (ARM)

http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_arm.deb
Size/MD5 checksum: 6631114 a73ff442415ca3bc336f1fb49e3aa701
http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_arm.deb
Size/MD5 checksum: 5458358 c6d533fd7c1c51efbac58d2a96a386fb

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_hppa.deb
Size/MD5 checksum: 7090294 aadca0bc8fb9307ea7fe293406a10e5f
http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_hppa.deb
Size/MD5 checksum: 5909956 07bd8e6c733072fca8b96cc10e210a68

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_i386.deb
Size/MD5 checksum: 5468656 532aa02d6d67d4b6527ac8c29c9d110e
http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_i386.deb
Size/MD5 checksum: 6465540 bfd4d908b552bba2d871771f86369ec7

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_ia64.deb
Size/MD5 checksum: 7238880 10b410fcd460e47c3619de88167b74f5
http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_ia64.deb
Size/MD5 checksum: 5865536 dbc0ec913f08682cec4f1b75d35e0531

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_mips.deb
Size/MD5 checksum: 7047506 c0b327e8229d1d4d33131453cdac6508
http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_mips.deb
Size/MD5 checksum: 5748172 126a2f0bb4b61cc54d70edb882191576

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_powerpc.deb
Size/MD5 checksum: 5747754 8bc631ad394a86e11c24c5b9ffd76f1d
http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_powerpc.deb
Size/MD5 checksum: 6888906 c5542d6d957327fd6f540029f4195772

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_s390.deb
Size/MD5 checksum: 5776762 16a114247a39201f3966ff4f22b80342
http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_s390.deb
Size/MD5 checksum: 6895102 15624240d20d2e0aa7a29bbc90895908

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_sparc.deb
Size/MD5 checksum: 5671256 2c7a50b1fe50dbe4b3ef8995d91e5946
http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_sparc.deb
Size/MD5 checksum: 6771832 84a95a10934106c8cfc409032191de98


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHzGoFwM/Gs81MDZ0RApgrAJ9Jd4cpLRAJ7WTQAnnpd8d4K3/mvwCeNusV
OLKQ6zeO2ePgNnldMI08TRU=
=ay/5
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1511_1_new_libicu_packages_fix_multiple_problems.html)