Your message dated Thu, 07 Feb 2008 19:32:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#463688: fixed in icu 3.8-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libicu38
Version: 3.6-2
Severity: grave
Tags: security

Two vulnerabilities have been found in libicu:

From CVE-2007-4770:

libicu in International Components for Unicode (ICU) 3.8.1 and earlier
attempts to process backreferences to the nonexistent capture group
zero (aka \0), which might allow context-dependent attackers to read
from, or write to, out-of-bounds memory locations, related to
corruption of REStackFrames.

From CVE-2007-4771:

Heap-based buffer overflow in the doInterval function in regexcmp.cpp
in libicu in International Components for Unicode (ICU) 3.8.1 and
earlier allows context-dependent attackers to cause a denial of
service (memory consumption) and possibly have unspecified other
impact via a regular expression that writes a large amount of data to
the backtracking stack.  NOTE: some of these details are obtained from
third party information.

A link to a patch is at

[1] http://sourceforge.net/mailarchive/message.php?msg_name=d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%40mail.gmail.com

This also affects libicu36 and probably libicu28.

Please mention the CVE ids in the changelog.



--- End Message ---
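The first vulnerability above is triggered by a backreference to the nonexistent capture group zero. A defender who cannot upgrade immediately can reject such patterns before they reach an affected libicu; the following is an added Python example, not code from ICU or the Debian package, and the function name and the simplified regex-syntax model it uses are assumptions.

```python
import re
from typing import List, Tuple

OCTAL = set("01234567")


def check_backreferences(pattern: str) -> Tuple[int, List[str]]:
    """Return (capturing_group_count, problems) for an ICU-style pattern.

    A backreference \\N is reported when N == 0 (the nonexistent group zero
    of CVE-2007-4770) or when N exceeds the number of capturing groups.
    Simplified syntax model (assumption): '(' opens a capturing group unless
    followed by '?', '[...]' is a character class, and '\\0' followed by an
    octal digit is an octal escape rather than a backreference.
    """
    groups = 0
    refs = []          # (group_number, offset of the backslash)
    in_class = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt.isdigit() and not in_class:
                if nxt == "0" and i + 2 < len(pattern) and pattern[i + 2] in OCTAL:
                    i += 2  # octal escape such as \012: skip the leading \0
                    continue
                m = re.match(r"\d+", pattern[i + 1:])
                refs.append((int(m.group()), i))
                i += 1 + len(m.group())
                continue
            i += 2  # any other escape consumes the backslash and one char
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
        elif c == "(" and pattern[i + 1:i + 2] != "?":
            groups += 1
        i += 1
    problems = []
    for n, pos in refs:
        if n == 0:
            problems.append(f"backreference to group 0 at offset {pos}")
        elif n > groups:
            problems.append(f"backreference \\{n} at offset {pos} but only {groups} group(s)")
    return groups, problems
```

A non-empty problem list means the pattern should be refused rather than compiled by a libicu older than the fixed version.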
--- Begin Message ---
Source: icu
Source-Version: 3.8-6

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive:

icu-doc_3.8-6_all.deb
  to pool/main/i/icu/icu-doc_3.8-6_all.deb
icu_3.8-6.diff.gz
  to pool/main/i/icu/icu_3.8-6.diff.gz
icu_3.8-6.dsc
  to pool/main/i/icu/icu_3.8-6.dsc
libicu-dev_3.8-6_i386.deb
  to pool/main/i/icu/libicu-dev_3.8-6_i386.deb
libicu38-dbg_3.8-6_i386.deb
  to pool/main/i/icu/libicu38-dbg_3.8-6_i386.deb
libicu38_3.8-6_i386.deb
  to pool/main/i/icu/libicu38_3.8-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <[EMAIL PROTECTED]> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 07 Feb 2008 12:58:34 -0500
Source: icu
Binary: libicu38 libicu38-dbg libicu-dev lib32icu38 lib32icu-dev icu-doc
Architecture: source all i386
Version: 3.8-6
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <[EMAIL PROTECTED]>
Changed-By: Jay Berkenbilt <[EMAIL PROTECTED]>
Description: 
 icu-doc    - API documentation for ICU classes and functions
 libicu-dev - Development files for International Components for Unicode
 libicu38   - International Components for Unicode
 libicu38-dbg - International Components for Unicode
Closes: 463688
Changes: 
 icu (3.8-6) unstable; urgency=high
 .
   * Add debian/patches/00-cve-2007-4770-4771.patch created with
     svn diff -c 23292 \
     http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8
     to address the following security vulnerabilities:
      - CVE-2007-4770: reference to non-existent capture group may
        cause access to invalid memory
      - CVE-2007-4771: buffer overflow in regexcmp.cpp
     (Closes: #463688)
   * Updated standards version to 3.7.3: no changes required.
Files: 
 33af53f873f321b6e209bfff05c1e424 889 libs optional icu_3.8-6.dsc
 072afed03a6c137388a0fa9c632cfe4f 11860 libs optional icu_3.8-6.diff.gz
 644ba9a944f610f89337e3963591a7a8 3645860 doc optional icu-doc_3.8-6_all.deb
 39ce4f1c9acf7d5802db62c388b47ef3 5862768 libs optional libicu38_3.8-6_i386.deb
 aca51dba423f8b92a2c806760a587335 2247986 libs extra libicu38-dbg_3.8-6_i386.deb
 225a45a65a08f6933313a38e06e52479 6897616 libdevel optional libicu-dev_3.8-6_i386.deb




--- End Message ---
