Vulnerabilities > CVE-2007-4771 - Resource Management Errors vulnerability in Icu-Project International Components for Unicode

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
icu-project
CWE-399
critical
nessus

Summary

Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.

Vulnerable Configurations

Part Description Count
Application
Icu-Project
28

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2008-026.NASL
    description: Will Drewry reported multiple flaws in how libicu processed certain malformed regular expressions. If an application linked against libicu, such as OpenOffice.org, processed a carefully-crafted regular expression, it could potentially cause the execution of arbitrary code with the privileges of the user running the application. The updated packages have been patched to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37215
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/37215
    title: Mandriva Linux Security Advisory : icu (MDVSA-2008:026)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2008:026. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, the script only declares
    # its metadata and requirements, then exits at the end of this block.
    if (description)
    {
      script_id(37215);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:50");
    
      # Both ICU regex CVEs are attached to this single advisory, so a finding
      # from this plugin does not say which of the two is unpatched.
      script_cve_id("CVE-2007-4770", "CVE-2007-4771");
      script_xref(name:"MDVSA", value:"2008:026");
    
      script_name(english:"Mandriva Linux Security Advisory : icu (MDVSA-2008:026)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Will Drewry reported multiple flaws in how libicu processed certain
    malformed regular expressions. If an application linked against
    libicu, such as OpenOffice.org, processed a carefully-crafted regular
    expression, it could potentially cause the execution of arbitrary code
    with the privileges of the user running the application.
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network vector, medium complexity, no
      # authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(399);
    
      # "local" describes how the check is performed (the summary above says it
      # reads rpm output); it is not a statement about the attack vector.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:icu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:icu-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64icu-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64icu36");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libicu-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libicu36");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The KB keys required here are the ones the check phase reads;
      # presumably ssh_get_info.nasl is what populates them (confirm).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
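    # Preconditions: stop with an audit reason unless local checks are enabled,
    # the host identified itself as Mandriva/Mandrake, and an rpm list was
    # collected. The OS name in the second audit message previously read
    # "Mandake"; it now matches the spelling used in the CPU audit below.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86-family architectures are covered; any other CPU value is
    # audited as "local checks not implemented" rather than reported clean.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # Each rpm_check names one package from the advisory with its reference
    # version; flag counts the calls that returned true. Only these named
    # distribution packages are examined, so an ICU copy bundled inside
    # another application is outside what this check can report.
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"icu-3.6-4.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"icu-doc-3.6-4.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64icu-devel-3.6-4.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64icu36-3.6-4.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libicu-devel-3.6-4.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libicu36-3.6-4.1mdv2008.0", yank:"mdv")) flag++;
    
    
    # Any hit is reported at "hole" severity on port 0; the per-package detail
    # from rpm_report_get() is attached only when report_verbosity > 0.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");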
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-1076.NASL
    description: CVE-2007-4770 & CVE-2007-4771 Flaws in icu regexp handling. Technical details can be found at http://sourceforge.net/mailarchive/message.php?msg_name=d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%2540mail.gmail.com Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 30087
    published: 2008-01-27
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/30087
    title: Fedora 7 : icu-3.6-20.fc7 (2008-1076)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-1076.
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, the script only declares
    # its metadata and requirements, then exits at the end of this block.
    if (description)
    {
      script_id(30087);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:26");
    
      # Both ICU regex CVEs are attached to this single advisory.
      script_cve_id("CVE-2007-4770", "CVE-2007-4771");
      script_bugtraq_id(27455);
      script_xref(name:"FEDORA", value:"2008-1076");
    
      script_name(english:"Fedora 7 : icu-3.6-20.fc7 (2008-1076)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CVE-2007-4770 & CVE-2007-4771 Flaws in icu regexp handling. Technical
    details can be found at
    http://sourceforge.net/mailarchive/message.php?msg_name=
    d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%2540mail.gmail.com
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # NOTE(review): the see_also value below stops at "msg_name=". The message
      # id that the description text carries on its next line is not part of
      # the link, so this reference does not identify the message.
      # http://sourceforge.net/mailarchive/message.php?msg_name=
      script_set_attribute(
        attribute:"see_also",
        value:"https://sourceforge.net/p/legacy_/mailarchive/message.php?msg_name="
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-January/007274.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?80f6f24f"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected icu package.");
      # CVSS v2 base vector: network vector, medium complexity, no
      # authentication, complete C/I/A impact. Temporal vector: exploitability
      # not defined (E:ND), official fix (RL:OF), confirmed report (RC:C).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(399);
    
      # "local" describes how the check is performed (rpm output, per the
      # summary above), not the attack vector.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:icu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/01/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # NOTE(review): the check phase also reads "Host/cpu", which is not listed
      # in the required keys here; a missing value is handled there by an audit.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: local checks enabled, and the release string stored under
    # the RedHat KB key must contain "Fedora" (">!<" is "does not contain").
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    # Extract the major release number and accept only 7: the pattern requires
    # "7" followed by a non-digit or end of string, so 70 and above do not match.
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86_64 and i386-i686 hosts are covered; other architectures are
    # audited as "local checks not implemented" rather than reported clean.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # A single package comparison: only the distribution's "icu" rpm is
    # examined, so an ICU copy bundled inside another application is outside
    # what this check can report.
    flag = 0;
    if (rpm_check(release:"FC7", reference:"icu-3.6-20.fc7")) flag++;
    
    
    # A hit is reported at "hole" severity on port 0, with rpm_report_get()
    # detail when report_verbosity > 0. Otherwise the audit distinguishes
    # "package tested and not affected" from "package not installed".
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200805-16.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200805-16 (OpenOffice.org: Multiple vulnerabilities) iDefense Labs reported multiple vulnerabilities in OpenOffice.org: multiple heap-based buffer overflows when parsing the […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32353
    published: 2008-05-16
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32353
    title: GLSA-200805-16 : OpenOffice.org: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200805-16.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, the script only declares
    # its metadata and requirements, then exits at the end of this block.
    if (description)
    {
      script_id(32353);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      # Six CVEs share this one plugin: four OpenOffice.org parser flaws plus
      # the two ICU CVEs, which the advisory text below includes because the
      # binary OpenOffice.org package uses an internal copy of the library.
      script_cve_id("CVE-2007-4770", "CVE-2007-4771", "CVE-2007-5745", "CVE-2007-5746", "CVE-2007-5747", "CVE-2008-0320");
      script_xref(name:"GLSA", value:"200805-16");
    
      script_name(english:"GLSA-200805-16 : OpenOffice.org: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200805-16
    (OpenOffice.org: Multiple vulnerabilities)
    
        iDefense Labs reported multiple vulnerabilities in OpenOffice.org:
        multiple heap-based buffer overflows when parsing the 'Attribute' and
        'Font' Description records of Quattro Pro (QPRO) files
        (CVE-2007-5745),
        an integer overflow when parsing the EMR_STRETCHBLT record of an EMF
        file, resulting in a heap-based buffer overflow (CVE-2007-5746),
        an integer underflow when parsing Quattro Pro (QPRO) files, resulting
        in an excessive loop and a stack-based buffer overflow
        (CVE-2007-5747),
        and a heap-based buffer overflow when parsing the
        'DocumentSummaryInformation' stream in an OLE file (CVE-2008-0320).
        Furthermore, Will Drewry (Google Security) reported vulnerabilities in
        the memory management of the International Components for Unicode
        (CVE-2007-4770, CVE-2007-4771), which was resolved with GLSA 200803-20.
        However, the binary version of OpenOffice.org uses an internal copy of
        said library.
      
    Impact :
    
        A remote attacker could entice a user to open a specially crafted
        document, possibly resulting in the remote execution of arbitrary code
        with the privileges of the user running OpenOffice.org.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200803-20"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200805-16"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenOffice.org users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=app-office/openoffice-2.4.0'
        All OpenOffice.org binary users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=app-office/openoffice-bin-2.4.0'"
      );
      # CVSS v2 base vector: network vector, medium complexity, no
      # authentication, complete C/I/A impact. Temporal E:H = high exploitability.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # The exploit flags below are set for the plugin as a whole. The only
      # exploit named is the module for the OLE DocumentSummaryInformation
      # overflow, which the description ties to CVE-2008-0320; nothing here
      # states that an exploit exists for the ICU CVEs (CVE-2007-4770/4771).
      # Triage per CVE rather than from these plugin-level flags.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119, 189, 399);
    
      # "local" describes how the check is performed (installed package data,
      # per the summary above), not the attack vector.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openoffice");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openoffice-bin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: stop with an audit reason unless local checks are enabled,
    # the host identified itself as Gentoo, and a package list was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    # Only the two OpenOffice.org packages are compared (fixed at 2.4.0);
    # dev-libs/icu itself is not examined here. For CVE-2007-4770/4771 a
    # finding therefore concerns OpenOffice.org, not the system ICU package.
    if (qpkg_check(package:"app-office/openoffice-bin", unaffected:make_list("ge 2.4.0"), vulnerable:make_list("lt 2.4.0"))) flag++;
    if (qpkg_check(package:"app-office/openoffice", unaffected:make_list("ge 2.4.0"), vulnerable:make_list("lt 2.4.0"))) flag++;
    
    # A hit is reported at "hole" severity on port 0, with qpkg_report_get()
    # detail when report_verbosity > 0. Otherwise the audit distinguishes
    # "package tested and not affected" from "package not installed".
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenOffice.org");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-0090.NASL
    description: Updated icu packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. Will Drewry reported multiple flaws in the way libicu processed certain malformed regular expressions. If an application linked against ICU, such as OpenOffice.org, processed a carefully crafted regular expression, it may be possible to execute arbitrary code as the user running the application. (CVE-2007-4770, CVE-2007-4771) All users of icu should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 30091
    published: 2008-01-27
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/30091
    title: RHEL 5 : icu (RHSA-2008:0090)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0090. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, the script only declares
    # its metadata and requirements, then exits at the end of this block.
    if (description)
    {
      script_id(30091);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:13");
    
      # Both ICU regex CVEs are attached to this single advisory, so a finding
      # from this plugin does not say which of the two is unpatched.
      script_cve_id("CVE-2007-4770", "CVE-2007-4771");
      script_bugtraq_id(27455);
      script_xref(name:"RHSA", value:"2008:0090");
    
      script_name(english:"RHEL 5 : icu (RHSA-2008:0090)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated icu packages that fix two security issues are now available
    for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    The International Components for Unicode (ICU) library provides robust
    and full-featured Unicode services.
    
    Will Drewry reported multiple flaws in the way libicu processed
    certain malformed regular expressions. If an application linked
    against ICU, such as OpenOffice.org, processed a carefully crafted
    regular expression, it may be possible to execute arbitrary code as
    the user running the application. (CVE-2007-4770, CVE-2007-4771)
    
    All users of icu should upgrade to these updated packages, which
    contain backported patches to resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-4770"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-4771"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2008:0090"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network vector, medium complexity, no
      # authentication, complete C/I/A impact. Temporal vector: unproven
      # exploitability (E:U), official fix (RL:OF), confirmed report (RC:C).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(399);
    
      # "local" describes how the check is performed (rpm output, per the
      # summary above), not the attack vector.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libicu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libicu-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libicu-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.1");
    
      # NOTE(review): as recorded, the vulnerability publication date is later
      # than both the patch date and the plugin date; treat these dates as
      # plugin metadata rather than a disclosure timeline.
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Preconditions: local checks enabled, and the release string must contain
    # "Red Hat" (">!<" is "does not contain").
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    # Extract the release number (major, optional minor) and accept only 5.x:
    # the pattern requires "5" followed by a non-digit or end of string.
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Covered architectures: x86_64, i386-i686 and anything containing "s390";
    # others are audited as "local checks not implemented".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    # Two mutually exclusive detection paths. When yum updateinfo data is in
    # the KB, the verdict comes only from the report generated for this RHSA
    # and the rpm version comparisons in the else branch are never run; an
    # empty report is audited as "not affected by" the advisory.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2008:0090";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      # Fallback path: compare each advisory package against its reference
      # version. Only the named icu/libicu rpms are examined, so an ICU copy
      # bundled inside another application is outside what this can report.
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"icu-3.6-5.11.1")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"icu-3.6-5.11.1")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"icu-3.6-5.11.1")) flag++;
    
      if (rpm_check(release:"RHEL5", reference:"libicu-3.6-5.11.1")) flag++;
    
      if (rpm_check(release:"RHEL5", reference:"libicu-devel-3.6-5.11.1")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"libicu-doc-3.6-5.11.1")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"libicu-doc-3.6-5.11.1")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"libicu-doc-3.6-5.11.1")) flag++;
    
    
      # A hit is reported at SECURITY_HOLE severity with the rpm detail plus
      # the text returned by redhat_report_package_caveat(). Otherwise the
      # audit distinguishes "tested and not affected" from "not installed".
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu / libicu / libicu-devel / libicu-doc");
      }
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200803-20.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200803-20 (International Components for Unicode: Multiple vulnerabilities) Will Drewry (Google Security) reported a vulnerability in the regular expression engine when using back references to capture \0 characters (CVE-2007-4770). He also found that the backtracking stack size is not limited, possibly allowing for a heap-based buffer overflow (CVE-2007-4771). Impact : A remote attacker could submit specially crafted regular expressions to an application using the library, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31446
    published: 2008-03-13
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31446
    title: GLSA-200803-20 : International Components for Unicode: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200803-20.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, the script only declares
    # its metadata and requirements, then exits at the end of this block.
    if (description)
    {
      script_id(31446);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      # Both ICU regex CVEs are attached to this single advisory, so a finding
      # from this plugin does not say which of the two is unpatched.
      script_cve_id("CVE-2007-4770", "CVE-2007-4771");
      script_xref(name:"GLSA", value:"200803-20");
    
      script_name(english:"GLSA-200803-20 : International Components for Unicode: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200803-20
    (International Components for Unicode: Multiple vulnerabilities)
    
        Will Drewry (Google Security) reported a vulnerability in the regular
        expression engine when using back references to capture \\0 characters
        (CVE-2007-4770). He also found that the backtracking stack size is not
        limited, possibly allowing for a heap-based buffer overflow
        (CVE-2007-4771).
      
    Impact :
    
        A remote attacker could submit specially crafted regular expressions to
        an application using the library, possibly resulting in the remote
        execution of arbitrary code with the privileges of the user running the
        application or a Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200803-20"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All International Components for Unicode users should upgrade to the
        latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=dev-libs/icu-3.8.1-r1'"
      );
      # CVSS v2 base vector: network vector, medium complexity, no
      # authentication, complete C/I/A impact. Temporal vector: unproven
      # exploitability (E:U), official fix (RL:OF), confirmed report (RC:C).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(399);
    
      # "local" describes how the check is performed (installed package data,
      # per the summary above), not the attack vector.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:icu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: stop with an audit reason unless local checks are enabled,
    # the host identified itself as Gentoo, and a package list was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    # Only dev-libs/icu is compared: anything below 3.8.1-r1 is vulnerable
    # unless it matches an "unaffected" entry. "rge 3.6-r2" presumably marks
    # 3.6-r2 and later revisions of 3.6 as fixed -- confirm in qpkg.inc.
    # Applications carrying their own ICU copy are not covered by this check.
    if (qpkg_check(package:"dev-libs/icu", unaffected:make_list("ge 3.8.1-r1", "rge 3.6-r2"), vulnerable:make_list("lt 3.8.1-r1"))) flag++;
    
    # A hit is reported at "hole" severity on port 0, with qpkg_report_get()
    # detail when report_verbosity > 0. Otherwise the audit distinguishes
    # "package tested and not affected" from "package not installed".
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "International Components for Unicode");
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2008-0090.NASL
    description: From Red Hat Security Advisory 2008:0090 : Updated icu packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. Will Drewry reported multiple flaws in the way libicu processed certain malformed regular expressions. If an application linked against ICU, such as OpenOffice.org, processed a carefully crafted regular expression, it may be possible to execute arbitrary code as the user running the application. (CVE-2007-4770, CVE-2007-4771) All users of icu should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67646
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67646
    title: Oracle Linux 5 : icu (ELSA-2008-0090)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_ICU-5013.NASL
    descriptionCertain regular expressions could crash the ICU library (CVE-2007-4770, CVE-2007-4771).
    last seen2020-06-01
    modified2020-06-02
    plugin id31399
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31399
    titleopenSUSE 10 Security Update : icu (icu-5013)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-1036.NASL
    descriptionCVE-2007-4770 & CVE-2007-4771 Flaws in icu regexp handling. Technical details can be found at http://sourceforge.net/mailarchive/message.php?msg_name= d03a2ffb0801221538x68825e42xb4a4aaf0fcccecbd%2540mail.gmail.com Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id30086
    published2008-01-27
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/30086
    titleFedora 8 : icu-3.8-5.fc8 (2008-1036)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0090.NASL
    descriptionUpdated icu packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. Will Drewry reported multiple flaws in the way libicu processed certain malformed regular expressions. If an application linked against ICU, such as OpenOffice.org, processed a carefully crafted regular expression, it may be possible to execute arbitrary code as the user running the application. (CVE-2007-4770, CVE-2007-4771) All users of icu should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id43673
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43673
    titleCentOS 5 : icu (CESA-2008:0090)
  • NASL familyWindows
    NASL idOPENOFFICE_240.NASL
    descriptionThe version of Sun Microsystems OpenOffice.org installed on the remote host is affected by several issues : - Heap overflow and arbitrary code execution vulnerabilities involving ODF text documents with XForms (CVE-2007-4770/4771). - Heap overflow and arbitrary code execution vulnerabilities involving Quattro Pro files (CVE-2007-5745/5747). - Heap overflow and arbitrary code execution vulnerabilities involving EMF files (CVE-2007-5746). - Heap overflow and arbitrary code execution vulnerabilities involving OLE files (CVE-2008-0320).
    last seen2020-06-01
    modified2020-06-02
    plugin id31968
    published2008-04-17
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31968
    titleSun OpenOffice.org < 2.4 Multiple Vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-591-1.NASL
    descriptionWill Drewry discovered that libicu did not properly handle [description truncated in this listing; the full advisory text is at the source link below]
    last seen2020-06-01
    modified2020-06-02
    plugin id31678
    published2008-03-26
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31678
    titleUbuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : icu vulnerabilities (USN-591-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_ICU-5014.NASL
    descriptionCertain regular expressions could crash the ICU library. (CVE-2007-4770 / CVE-2007-4771)
    last seen2020-06-01
    modified2020-06-02
    plugin id31400
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31400
    titleSuSE 10 Security Update : icu (ZYPP Patch Number 5014)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_OPENOFFICE_ORG-5053.NASL
    descriptionThis update of OpenOffice fixes various critical security vulnerabilities: - heap-overflow when parsing PPT files (CVE-2008-0320) - various buffer-overflows while parsing QPRO files (CVE-2007-5745, CVE-2007-5747) - out-of-bound memory access and a heap-overflow in the regex engine of libICU (CVE-2007-4770, CVE-2007-4771)
    last seen2020-06-01
    modified2020-06-02
    plugin id32023
    published2008-04-22
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32023
    titleopenSUSE 10 Security Update : OpenOffice_org (OpenOffice_org-5053)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1511.NASL
    descriptionSeveral local vulnerabilities have been discovered in libicu, International Components for Unicode. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-4770: libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. - CVE-2007-4771: Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack.
    last seen2020-06-01
    modified2020-06-02
    plugin id31358
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31358
    titleDebian DSA-1511-1 : libicu - various
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080125_ICU_ON_SL5_X.NASL
    descriptionWill Drewry reported multiple flaws in the way libicu processed certain malformed regular expressions. If an application linked against ICU, such as OpenOffice.org, processed a carefully crafted regular expression, it may be possible to execute arbitrary code as the user running the application. (CVE-2007-4770, CVE-2007-4771)
    last seen2020-06-01
    modified2020-06-02
    plugin id60352
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60352
    titleScientific Linux Security Update : icu on SL5.x i386/x86_64

Oval

  • accepted2013-04-29T04:06:15.013-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionHeap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.
    familyunix
    idoval:org.mitre.oval:def:10507
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleHeap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.
    version18
  • accepted2008-04-21T04:00:22.018-04:00
    classvulnerability
    contributors
    namePai Peng
    organizationHewlett-Packard
    definition_extensions
    • commentSolaris 9 (SPARC) is installed
      ovaloval:org.mitre.oval:def:1457
    • commentSolaris 10 (SPARC) is installed
      ovaloval:org.mitre.oval:def:1440
    • commentSolaris 9 (x86) is installed
      ovaloval:org.mitre.oval:def:1683
    • commentSolaris 10 (x86) is installed
      ovaloval:org.mitre.oval:def:1926
    descriptionHeap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.
    familyunix
    idoval:org.mitre.oval:def:5431
    statusaccepted
    submitted2008-03-11T10:54:48.000-04:00
    titleMultiple Security Vulnerabilities in ICU 3.2 Library Regular Expression Processing May Cause a Denial of Service (DoS)
    version35

Redhat

advisories
bugzilla
id429025
titleCVE-2007-4771 libicu incomplete interval handling
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentlibicu is earlier than 0:3.6-5.11.1
          ovaloval:com.redhat.rhsa:tst:20080090001
        • commentlibicu is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20080090002
      • AND
        • commentlibicu-doc is earlier than 0:3.6-5.11.1
          ovaloval:com.redhat.rhsa:tst:20080090003
        • commentlibicu-doc is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20080090004
      • AND
        • commentlibicu-devel is earlier than 0:3.6-5.11.1
          ovaloval:com.redhat.rhsa:tst:20080090005
        • commentlibicu-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20080090006
      • AND
        • commenticu is earlier than 0:3.6-5.11.1
          ovaloval:com.redhat.rhsa:tst:20080090007
        • commenticu is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20080090008
rhsa
idRHSA-2008:0090
released2008-01-25
severityImportant
titleRHSA-2008:0090: icu security update (Important)
rpms
  • icu-0:3.6-5.11.1
  • icu-debuginfo-0:3.6-5.11.1
  • libicu-0:3.6-5.11.1
  • libicu-devel-0:3.6-5.11.1
  • libicu-doc-0:3.6-5.11.1

References