Bug 429025 (CVE-2007-4771)
| Summary: | CVE-2007-4771 libicu incomplete interval handling | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | caolanm, kreilly, security-response-team |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 3.8-5.fc8 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-28 14:06:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 429706, 429707, 430232, 430233 | ||
| Bug Blocks: | |||
This is now public: http://sourceforge.net/mailarchive/message.php?msg_name=d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%40mail.gmail.com icu-3.8-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. icu-3.6-20.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0090.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1076 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1036 |
Will Drewry reported a flaw in the way libicu processes certain regular expressions. He reports: In the function doInterval, regexcmp.cpp:976, there isno check to ensure than the upper interval is not -1. This is intentional as unbounded upper limits are allowed, however the remainder of the code does not gracefully handle this case. For instance, a heap overflow is possible due to the doubling of memory as RegexMatcher::StateSave continues to backtrack.