-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1511-1                  security@debian.org
http://www.debian.org/security/                               Steve Kemp
March 03, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libicu
Vulnerability  : various
Problem type   : local
Debian-specific: no
CVE Id(s)      : 2007-4770 2007-4771
Debian Bug     : 463688

Several local vulnerabilities have been discovered in libicu,
International Components for Unicode, The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-4770
  libicu in International Components for Unicode (ICU) 3.8.1 and earlier
  attempts to process backreferences to the nonexistent capture group
  zero (aka \0), which might allow context-dependent attackers to read
  from, or write to, out-of-bounds memory locations, related to
  corruption of REStackFrames.

CVE-2007-4771
  Heap-based buffer overflow in the doInterval function in regexcmp.cpp
  in libicu in International Components for Unicode (ICU) 3.8.1 and
  earlier allows context-dependent attackers to cause a denial of
  service (memory consumption) and possibly have unspecified other
  impact via a regular expression that writes a large amount of data to
  the backtracking stack.

For the stable distribution (etch), these problems have been fixed in
version 3.6-2etch1.

For the unstable distribution (sid), these problems have been fixed in
version 3.8-6.

We recommend that you upgrade your libicu package.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/i/icu/icu_3.6.orig.tar.gz
    Size/MD5 checksum:  9778863 0f1bda1992b4adca62da68a7ad79d830
  http://security.debian.org/pool/updates/main/i/icu/icu_3.6-2etch1.dsc
    Size/MD5 checksum:      591 13dcea6b1c9a282147b99c4867db6ee8
  http://security.debian.org/pool/updates/main/i/icu/icu_3.6-2etch1.diff.gz
    Size/MD5 checksum:     9552 82e560098b24b245872b163a522a80b8

Architecture independent packages:

  http://security.debian.org/pool/updates/main/i/icu/icu-doc_3.6-2etch1_all.deb
    Size/MD5 checksum:  3332194 5da76263265814905245b97daec4c1c3

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_alpha.deb
    Size/MD5 checksum:  7028746 b6b13d0fa262501923c97a859b400d10
  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_alpha.deb
    Size/MD5 checksum:  5581984 0cd37ce9f234b9207accc424dc191f49

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_amd64.deb
    Size/MD5 checksum:  6585582 9fe0ee74625a985628c9af096dd13827
  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_amd64.deb
    Size/MD5 checksum:  5444228 250851db4a613e9a5d0029d73c1196c0

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_arm.deb
    Size/MD5 checksum:  6631114 a73ff442415ca3bc336f1fb49e3aa701
  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_arm.deb
    Size/MD5 checksum:  5458358 c6d533fd7c1c51efbac58d2a96a386fb

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_hppa.deb
    Size/MD5 checksum:  7090294 aadca0bc8fb9307ea7fe293406a10e5f
  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_hppa.deb
    Size/MD5 checksum:  5909956 07bd8e6c733072fca8b96cc10e210a68

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_i386.deb
    Size/MD5 checksum:  5468656 532aa02d6d67d4b6527ac8c29c9d110e
  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_i386.deb
    Size/MD5 checksum:  6465540 bfd4d908b552bba2d871771f86369ec7

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_ia64.deb
    Size/MD5 checksum:  7238880 10b410fcd460e47c3619de88167b74f5
  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_ia64.deb
    Size/MD5 checksum:  5865536 dbc0ec913f08682cec4f1b75d35e0531

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_mips.deb
    Size/MD5 checksum:  7047506 c0b327e8229d1d4d33131453cdac6508
  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_mips.deb
    Size/MD5 checksum:  5748172 126a2f0bb4b61cc54d70edb882191576

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_powerpc.deb
    Size/MD5 checksum:  5747754 8bc631ad394a86e11c24c5b9ffd76f1d
  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_powerpc.deb
    Size/MD5 checksum:  6888906 c5542d6d957327fd6f540029f4195772

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_s390.deb
    Size/MD5 checksum:  5776762 16a114247a39201f3966ff4f22b80342
  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_s390.deb
    Size/MD5 checksum:  6895102 15624240d20d2e0aa7a29bbc90895908

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch1_sparc.deb
    Size/MD5 checksum:  5671256 2c7a50b1fe50dbe4b3ef8995d91e5946
  http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch1_sparc.deb
    Size/MD5 checksum:  6771832 84a95a10934106c8cfc409032191de98


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHzGoFwM/Gs81MDZ0RApgrAJ9Jd4cpLRAJ7WTQAnnpd8d4K3/mvwCeNusV
OLKQ6zeO2ePgNnldMI08TRU=
=ay/5
-----END PGP SIGNATURE-----