[libicu] [CVE-2007-4770] [CVE-2007-4771] potential execution of arbitrary code via malformed regular expressions

Will Drewry reported a flaw in the way libicu processes certain regular
expressions. He reports:

    On regular expression compilation, illegal backreferences may refer to the
    non-existent capture group '0'. When these are builts, they will result
    in corrupt REStackFrames which will be used at a later point. Crashes may
    result in out of band reads or writes depending on the regular expression
    being executed.

Created attachment 291973
An example of icu pattern matching in OOo

I figured out how to get OOo to match patterns with the icu regexp stuff.
Attached is a test-case which just tries to match "I am a pattern"

Created attachment 292114
Patch agains ICU 3.8 proposed by Andy Heninger

Created attachment 292482
backported patch

I can't commit to RHEL icu without approved bugzilla ids.

This is now public:
http://sourceforge.net/mailarchive/message.php?msg_name=d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%40mail.gmail.com

icu-3.8-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

icu-3.6-20.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0090.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1076
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1036

Will Drewry has reported some vulnerabilities in International Components for Unicode, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

1) A regular expression containing a back reference to capture group zero (\0) may reference random memory areas, which can be exploited to crash an application using the library.

2) The library does not limit the size of the backtracking stack. This can be exploited to cause a heap-based buffer overflow via certain specially crafted regular expressions.

The vulnerability is reported in version 3.8.1. Other versions may also be affected.

Solution:
Apply patch.
http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8

maintainers - please provide an updated ebuild

*** Bug 207905 has been marked as a duplicate of this bug. ***

ping

I reproduced the 4771 issue on 3.6.1.
Caolan McNamara from RedHat backported the patches to 3.6:
  https://bugzilla.redhat.com/show_bug.cgi?id=429023

This bug also affects OpenOffice, as it currently uses an internal copy of icu.
OpenOffice herd, please advise here.

OpenOffice, please try building against the (security patched) libicu 3.8.1-r1 here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/

If that does not work, please patch the copy of icu.

(In reply to comment #5)
> OpenOffice, please try building against the (security patched) libicu 3.8.1-r1
> here: http://overlays.gentoo.org/svn/proj/php/migration/dev-libs/icu/
>
> If that does not work, please patch the copy of icu.
>

I've added a new revision (-r1) of openoffice-2.3.1 to portage, this uses external icu again (we had to back this out prior to stabilizing 2.3.1 as it was broken in OOo), works fine here on x86, other archs will have to test accordingly

icu-3.8.1-r1 with the patch is in the tree now, thanks to jakub. I did not do any tests except from compiling (I haven't touched that package before anyway). I might try building OOo tomorrow, but certainly not today.

icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in doubt. ;)

(In reply to comment #8)
> icu-3.6-r2 in the tree as well (with the patch from redhat). You probably want
> 3.8* stable for OpenOffice anyway, but I don't really know, ask jakub if in
> doubt. ;)

Well, yes, definitely. It won't compile with ~icu-3.6. arches, please test and stabilize the following:

dev-libs/icu-3.6-r2 (will be hanging around for dev-libs/xerces-c-2.8.0 at least unless someone fixes the messy thing to work w/ icu-3.8.x)

dev-libs/icu-3.8.1-r1

ppc and ppc64 done.

dertobi123 tested ppc and I committed for his convenience.

Stable for HPPA.

x86 stable

alpha/ia64/sparc stable

amd64 done

(In reply to comment #14)
> amd64 done

You missed dev-libs/icu-3.6-r2; thanks.

(In reply to comment #15)
> (In reply to comment #14)
> > amd64 done
>
> You missed dev-libs/icu-3.6-r2; thanks.
>

done

Updated in release snapshot.

GLSA 200803-20