oss-sec mailing list archives

Re: CVE Request -- libvoikko -- DoS of application linked against libvoikko due improper handling of embedded null characters in input strings

From: Josh Bressers <bressers () redhat com>
Date: Mon, 13 Jun 2011 15:47:11 -0400 (EDT)

Steve,

Can MITRE comment on this one? I'm not really sure what to do.

The core issue, embedded null characters seems to be the same for both Java and Python, but the fix covers two 
different bits of code.

My guess is it's just one ID, but I'd like to be certain.

Thanks.

-- 
    JB


----- Original Message -----

Hello, Josh, Steve, vendors,

A denial of service flaw was found in the way Python and Java
interfaces of libvoikko, a library for spellcheckers and hyphenators,
processed embedded null characters in input strings. If a specially-
crafted input string was provided to an application linked against
libvoikko, it could lead to that particular application termination.

References:
[1] http://voikko.sourceforge.net/releases.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=712863

Upstream patches:
[3]
http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3901
[4]
http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3902
[5]
http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3903

Could you allocate a CVE identifier for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- libvoikko -- DoS of application linked against libvoikko due improper handling of embedded null characters in input strings Jan Lieskovsky (Jun 13)
- Re: CVE Request -- libvoikko -- DoS of application linked against libvoikko due improper handling of embedded null characters in input strings Josh Bressers (Jun 13)