ICU Regular Expression Processing Bug May Let Users Execute Arbitrary Code
SecurityTracker Alert ID: 1019269
SecurityTracker URL: http://securitytracker.com/id/1019269
Date: Jan 25 2008
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 3.8.1 and prior versions
Description: Two vulnerabilities were reported in ICU. A user may be able to cause arbitrary code to be executed on the target system.
A user can create a specially crafted regular expression that, when processed by an application that uses ICU, triggers a memory corruption error and potentially executes arbitrary code on the target system. The code runs with the privileges of the target application.
If an application allows a remote user to submit arbitrary regular expressions, a remote user may be able to exploit these flaws.
A regular expression pattern that contains a back reference to capture group zero (\0), a group that does not exist, may cause the match engine to reference memory at unpredictable addresses [CVE-2007-4770].
The doInterval() function in 'regexcmp.cpp' does not limit the size of the backtracking stack, which lives on the heap; a pattern that grows that stack without bound can trigger a heap overflow [CVE-2007-4771].
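For the \0 bug, the vendor's fix turns the reference into a pattern compilation error. An application that accepts user-supplied patterns can enforce the same rule before the pattern reaches any engine. The following C program is an added example, not ICU code and not part of the original advisory: it counts the capturing groups in a pattern and rejects any back reference \N where N is 0 or larger than the number of groups. The function names (count_capture_groups, check_backrefs), the result codes, and the pattern-syntax subset it understands (backslash escapes, [...] classes, plain (...) and (?<name>...) as capturing, every other (?...) form as non-capturing) are assumptions of the example; the sample patterns in main are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Result codes of the hypothetical validator; these are not ICU's UErrorCode values. */
enum backref_check { BACKREF_OK = 0, BACKREF_INVALID = 1, BACKREF_BAD_PATTERN = 2 };

/* Count capturing groups: a '(' that is not escaped, not inside [...], and is
 * either a plain "(" or a named group "(?<name>".  "(?:", "(?=", "(?!", "(?<=",
 * "(?<!" and inline flags such as "(?i)" do not capture.
 * Simplification: a ']' directly after '[' is treated as closing the class. */
static int count_capture_groups(const char *pat)
{
    int groups = 0, in_class = 0;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        char c = pat[i];
        if (c == '\\') {                      /* escaped character: never syntax */
            if (pat[i + 1] != '\0') i++;
            continue;
        }
        if (in_class) {                       /* inside [...] a '(' is a literal */
            if (c == ']') in_class = 0;
            continue;
        }
        if (c == '[') { in_class = 1; continue; }
        if (c != '(') continue;
        if (pat[i + 1] != '?') { groups++; continue; }
        if (pat[i + 2] == '<' && pat[i + 3] != '=' && pat[i + 3] != '!') groups++;
    }
    return groups;
}

/* Scan back references \N outside character classes.  Returns BACKREF_INVALID
 * (and stores N in *bad_ref) when N is 0 or exceeds the number of capturing
 * groups, i.e. when it names a group that does not exist in the pattern.
 * A trailing backslash is reported as BACKREF_BAD_PATTERN. */
int check_backrefs(const char *pat, int *bad_ref)
{
    int groups = count_capture_groups(pat);
    int in_class = 0;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        char c = pat[i];
        if (c != '\\') {
            if (c == '[') in_class = 1;
            else if (c == ']') in_class = 0;
            continue;
        }
        if (pat[i + 1] == '\0') return BACKREF_BAD_PATTERN;
        if (in_class || pat[i + 1] < '0' || pat[i + 1] > '9') { i++; continue; }
        int n = 0;
        size_t j = i + 1;
        while (pat[j] >= '0' && pat[j] <= '9' && n < 100000) { n = n * 10 + (pat[j] - '0'); j++; }
        if (n < 1 || n > groups) {
            if (bad_ref) *bad_ref = n;
            return BACKREF_INVALID;
        }
        i = j - 1;                            /* loop increment steps past the digits */
    }
    return BACKREF_OK;
}

int main(void)
{
    /* Constructed sample patterns; the C literal "\\0" is the two characters \0. */
    const char *samples[] = { "(a)\\1", "(a)\\0", "(a)(?:b)\\2", "\\(a\\)\\1", "(a)(?<x>b)\\2" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int bad = -1;
        int rc = check_backrefs(samples[k], &bad);
        printf("%-16s groups=%d -> %s", samples[k], count_capture_groups(samples[k]),
               rc == BACKREF_OK ? "ok" : rc == BACKREF_INVALID ? "invalid back reference" : "bad pattern");
        if (rc == BACKREF_INVALID) printf(" \\%d", bad);
        putchar('\n');
    }
    return 0;
}
```

The check is intentionally stricter than what the unpatched engine did and cheaper than compiling the pattern: a pattern that fails it is rejected before any engine state is built, which is the right place to stop user-controlled input on a library version that cannot be patched immediately.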
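The second bug is a resource-limit problem rather than a parsing one: the engine keeps its backtracking choice points on a heap-allocated stack that grows with the input, and nothing stops the growth until the heap fails. The vendor's patch (see the message below) caps that stack at 32 MB and fails the match when the cap is hit. The following C program is an added example, not ICU code and not part of the original advisory: a deliberately tiny backtracking matcher (literal characters, '.', and postfix '*' only) whose choice-point stack is capped at a caller-supplied byte limit, so that a long input matched against a*b yields a clean MATCH_STACK_OVERFLOW instead of unbounded allocation. All names (bt_match, match_long_run, the result codes) are assumptions of the example, and the 100000-character input in main is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes of the hypothetical matcher (not ICU's UErrorCode values). */
enum match_result { MATCH_NO = 0, MATCH_YES = 1, MATCH_STACK_OVERFLOW = -1, MATCH_NOMEM = -2 };

/* One backtracking choice point: resume at pattern offset pi, text offset ti. */
struct choice { size_t pi, ti; };

/* Heap-allocated choice-point stack with a hard byte cap: the shape of the fix
 * described in the vendor message, where the cap is 32 MB. */
struct bt_stack { struct choice *items; size_t len, cap, limit_bytes; };

static int bt_push(struct bt_stack *s, size_t pi, size_t ti)
{
    size_t max_entries = s->limit_bytes / sizeof(struct choice);
    if (s->len >= max_entries) return MATCH_STACK_OVERFLOW;   /* the check the unpatched code lacked */
    if (s->len == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 64;
        if (ncap > max_entries) ncap = max_entries;
        struct choice *grown = realloc(s->items, ncap * sizeof *grown);
        if (grown == NULL) return MATCH_NOMEM;
        s->items = grown;
        s->cap = ncap;
    }
    s->items[s->len].pi = pi;
    s->items[s->len].ti = ti;
    s->len++;
    return 0;
}

/* Anchored backtracking match for a tiny pattern language: literal characters,
 * '.' (any character) and a greedy postfix '*'.  Every repetition a star
 * consumes pushes one choice point, so stack depth grows with the input, the
 * unbounded growth the advisory describes.  Returns MATCH_YES when the whole
 * pattern matches a prefix of text, MATCH_NO when it does not, or a negative
 * code when the stack cap or the heap is exhausted. */
int bt_match(const char *pat, const char *text, size_t stack_limit_bytes, size_t *peak_entries)
{
    struct bt_stack st = { NULL, 0, 0, stack_limit_bytes };
    size_t pi = 0, ti = 0, peak = 0;
    int result;
    for (;;) {
        if (pat[pi] == '\0') { result = MATCH_YES; break; }
        if (pat[pi + 1] == '*') {
            char c = pat[pi];
            size_t count = 0, k;
            int rc = 0;
            while (text[ti + count] != '\0' && (c == '.' || text[ti + count] == c)) count++;
            for (k = 0; k < count && rc == 0; k++) rc = bt_push(&st, pi + 2, ti + k);
            if (rc != 0) { result = rc; break; }
            if (st.len > peak) peak = st.len;
            ti += count;
            pi += 2;
            continue;
        }
        if (text[ti] != '\0' && (pat[pi] == '.' || pat[pi] == text[ti])) { pi++; ti++; continue; }
        if (st.len == 0) { result = MATCH_NO; break; }
        st.len--;                                    /* backtrack: give back one repetition */
        pi = st.items[st.len].pi;
        ti = st.items[st.len].ti;
    }
    free(st.items);
    if (peak_entries) *peak_entries = peak;
    return result;
}

/* Match "a*b" against n constructed 'a' characters under the given stack cap. */
int match_long_run(size_t n, size_t stack_limit_bytes, size_t *peak_entries)
{
    char *text = malloc(n + 1);
    int r;
    if (text == NULL) return MATCH_NOMEM;
    memset(text, 'a', n);
    text[n] = '\0';
    r = bt_match("a*b", text, stack_limit_bytes, peak_entries);
    free(text);
    return r;
}

int main(void)
{
    size_t peak = 0;
    int rc;
    printf("a*b vs aaab: %d\n", bt_match("a*b", "aaab", 1u << 20, NULL));
    printf("a*b vs 100000 a's, 4 KB cap: %d\n", match_long_run(100000, 4096, NULL));
    rc = match_long_run(100000, (size_t)32 << 20, &peak);
    printf("a*b vs 100000 a's, 32 MB cap: %d (peak %zu choice points)\n", rc, peak);
    return 0;
}
```

The cap is a coarse knob: it bounds memory, not time, and the stack depth here is simply the input length, so the limit has to be sized from the largest input the application legitimately accepts rather than set as low as possible. ICU 4.0 and later expose the same control to applications through RegexMatcher::setStackLimit and uregex_setStackLimit (with setTimeLimit for the CPU side); the 3.8.1 patch described on this page hard-codes the 32 MB value instead.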
Will Drewry reported these vulnerabilities.
Impact: A user can create a regular expression that, when processed by the target application, may execute arbitrary code on the target system.
Solution: The vendor has issued a source code fix, available via SVN (revision 23292; see the vendor message below).
The ICU advisory is available at:
Vendor URL: icu-project.org/
Cause: Boundary error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: 2008-01-22 23:38
Subject: [icu-support] ICU Patch for bugs in Regular Expressions
A patch that addresses two problems with ICU Regular Expressions is now
available. The issues addressed are:
1. A regular expression pattern that contains a back reference to capture
group zero, \0, may cause references to random memory addresses, with
unpredictable results. There is no capture group zero, and an attempt to
reference it will become a pattern compilation error with the patch.
2. The backtracking stack used during matching operations has no upper
limit on its size. Internally to the match engine, the stack implementation
uses heap memory, and unconstrained growth may cause problems with heap
failures, thrashing or exhausted swap space. The patch limits the stack
memory to 32 MB, and stops a matching operation with a failure if the limit
The patch may be obtained directly from the ICU subversion repository with
svn diff -c 23292
The patch can be applied to ICU 3.8 or 3.8.1 sources.
Alternatively, a complete set of ICU 3.8.1 sources, including the patch, can
be obtained with the command
svn export -r 23292
Developers of applications that allow users to enter and run arbitrary
regular expressions on arbitrary data should consider applying these
patches. Questions or comments should be directed to the icu-support
-- Andy Heninger