Bugtraq mailing list archives
[ GLSA 200810-01 ] WordNet: Execution of arbitrary code
From: Tobias Heinlein <keytoaster () gentoo org>
Date: Tue, 07 Oct 2008 20:13:38 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200810-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WordNet: Execution of arbitrary code
Date: October 07, 2008
Bugs: #211491
ID: 200810-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in WordNet, possibly allowing for
the execution of arbitrary code.
Background
==========
WordNet is a large lexical database of English.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-dicts/wordnet < 3.0-r2 >= 3.0-r2
Description
===========
Jukka Ruohonen initially reported a boundary error within the
searchwn() function in src/wn.c. A thorough investigation by the oCERT
team revealed several other vulnerabilities in WordNet:
* Jukka Ruohonen and Rob Holland (oCERT) reported multiple boundary
errors within the searchwn() function in src/wn.c, the wngrep()
function in lib/search.c, the morphstr() and morphword() functions in
lib/morph.c, and the getindex() in lib/search.c, which lead to
stack-based buffer overflows.
* Rob Holland (oCERT) reported two boundary errors within the
do_init() function in lib/morph.c, which lead to stack-based buffer
overflows via specially crafted "WNSEARCHDIR" or "WNHOME" environment
variables.
* Rob Holland (oCERT) reported multiple boundary errors in the
bin_search() and bin_search_key() functions in binsrch.c, which lead
to stack-based buffer overflows via specially crafted data files.
* Rob Holland (oCERT) reported a boundary error within the
parse_index() function in lib/search.c, which leads to a heap-based
buffer overflow via specially crafted data files.
Impact
======
* In case the application is accessible e.g. via a web server, a
remote attacker could pass overly long strings as arguments to the
"wm" binary, possibly leading to the execution of arbitrary code.
* A local attacker could exploit the second vulnerability via
specially crafted "WNSEARCHDIR" or "WNHOME" environment variables,
possibly leading to the execution of arbitrary code with escalated
privileges.
* A local attacker could exploit the third and fourth vulnerability
by making the application use specially crafted data files, possibly
leading to the execution of arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WordNet users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-dicts/wordnet-3.0-r2"
References
==========
[ 1 ] CVE-2008-2149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2149
[ 2 ] CVE-2008-3908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3908
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200810-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [ GLSA 200810-01 ] WordNet: Execution of arbitrary code Tobias Heinlein (Oct 07)