Category:   Application (Generic)  >   ICU
Vendors:   icu-project.org
ICU Regular Expression Processing Bug May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019269
SecurityTracker URL:  http://securitytracker.com/id/1019269
CVE Reference:   CVE-2007-4770, CVE-2007-4771
Date:  Jan 25 2008
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.8.1 and prior versions
Description:   Two vulnerabilities were reported in ICU. A user may be able to cause arbitrary code to be executed on the target system.

A user can create a specially crafted regular expression that, when processed by an application that uses ICU, will trigger a memory corruption error and potentially execute arbitrary code on the target system. The code will run with the privileges of the target application.

If an application allows a remote user to submit arbitrary regular expressions, then a remote user may be able to exploit this flaw.

A regular expression pattern that contains a back reference to capture group zero (\0), which does not exist, may establish references to random memory addresses [CVE-2007-4770].

The doInterval() function in 'regexcmp.cpp' does not properly limit the size of the backtracking stack, allowing a heap overflow to be triggered [CVE-2007-4771].

Will Drewry reported these vulnerabilities.

Impact:   A user can create a regular expression that, when processed by the target application, may execute arbitrary code on the target system.
Solution:   The vendor has issued a source code fix, available via SVN.

The ICU advisory is available at:

http://sourceforge.net/mailarchive/message.php?msg_name=d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%40mail.gmail.com

Vendor URL:  icu-project.org/
Cause:   Boundary error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 25 2008 (Red Hat Issues Fix) ICU Regular Expression Processing Bug May Let Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Mar 11 2008 (Sun Issues Fix) ICU Regular Expression Processing Bug May Let Users Execute Arbitrary Code
Sun has issued a fix for Solaris 9 and 10.
Apr 18 2008 (OpenOffice Issues Fix) ICU Regular Expression Processing Bug May Let Users Execute Arbitrary Code
OpenOffice.org has issued a fix for OpenOffice.



 Source Message Contents

Date:  2008-01-22 23:38
Subject:  [icu-support] ICU Patch for bugs in Regular Expressions

A patch that addresses two problems with ICU Regular Expressions is now
available. The issues addressed are:

1. A regular expression pattern that contains a back reference to capture
group zero, \0, may cause references to random memory addresses, with
unpredictable results. There is no capture group zero, and an attempt to
reference it will become a pattern compilation error with the patch.

2. The backtracking stack used during matching operations has no upper
limit on its size. Internally to the match engine, the stack implementation
uses heap memory, and unconstrained growth may cause problems with heap
failures, thrashing or exhausted swap space. The patch limits the stack
memory to 32 MB, and stops a matching operation with a failure if the limit
is exceeded.

The patch may be obtained directly from the ICU subversion repository with
the command
    svn diff -c 23292 http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8
The patch can be applied to ICU 3.8 or 3.8.1 sources.

Alternatively, a complete set of ICU 3.8.1 sources, including the patch, can
be obtained with the command
    svn export -r 23292 http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8/icu-3-8

Developers of applications that allow users to enter and run arbitrary
regular expressions on arbitrary data should consider applying these
patches. Questions or comments should be directed to the icu-support
mailing list.

-- Andy Heninger
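
The stack limit described in item 2 of the message above, modelled in a small C++ backtracking matcher. This is an added example, not ICU's code or its patch. The matcher, its pattern subset (literals, `.`, postfix `*`) and the `maxFrames` parameter are assumptions for illustration; it caps the stack by frame count, where the message describes a cap by memory size (32 MB).

```cpp
#include <cstddef>
#include <string>
#include <vector>

// LimitExceeded is reported as a failure of the match, never as a partial result.
enum class MatchStatus { Matched, NoMatch, LimitExceeded };

// One saved backtracking point: where to resume in the pattern and in the text.
struct Frame { std::size_t pat; std::size_t txt; };

// Anchored match of `text` against `pattern` (toy syntax, not ICU's).
// `maxFrames` (hypothetical name) caps the heap-allocated backtracking stack.
// If `peak` is given, it receives the largest stack depth reached.
MatchStatus boundedMatch(const std::string& pattern, const std::string& text,
                         std::size_t maxFrames, std::size_t* peak = nullptr) {
    std::vector<Frame> stack;
    std::size_t p = 0, t = 0;
    if (peak) *peak = 0;
    for (;;) {
        bool failed = false;
        if (p == pattern.size()) {
            if (t == text.size()) return MatchStatus::Matched;
            failed = true;
        } else {
            bool star = p + 1 < pattern.size() && pattern[p + 1] == '*';
            bool hit = t < text.size() && (pattern[p] == '.' || pattern[p] == text[t]);
            if (star && hit) {
                // Greedy loop: one frame per consumed character, so depth grows
                // with input length. Check the cap before the stack grows.
                if (stack.size() >= maxFrames) return MatchStatus::LimitExceeded;
                stack.push_back({p + 2, t});
                if (peak && stack.size() > *peak) *peak = stack.size();
                ++t;
            } else if (star) { p += 2;      // loop ends, continue after "x*"
            } else if (hit)  { ++p; ++t;    // plain single-character match
            } else           { failed = true; }
        }
        if (failed) {
            if (stack.empty()) return MatchStatus::NoMatch;
            p = stack.back().pat; t = stack.back().txt;   // backtrack
            stack.pop_back();
        }
    }
}

int main() {
    // Constructed input: 100000 'a' characters followed by 'b', cap of 1024 frames.
    std::string text(100000, 'a'); text += 'b';
    return boundedMatch(".*b", text, 1024) == MatchStatus::LimitExceeded ? 0 : 1;
}
```

A caller that accepts user-supplied patterns has to treat the limit status as an ordinary match failure and keep processing, since long inputs can reach it with entirely benign patterns.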
