Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200810-01 ] WordNet: Execution of arbitrary code
Date: Thu, 09 Oct 2008 18:05:59
Message-Id: 48EBA6D2.8070601@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200810-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: WordNet: Execution of arbitrary code
      Date: October 07, 2008
      Bugs: #211491
        ID: 200810-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in WordNet, possibly allowing for
the execution of arbitrary code.

Background
==========

WordNet is a large lexical database of English.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /   Vulnerable   /                  Unaffected
    -------------------------------------------------------------------
  1  app-dicts/wordnet       < 3.0-r2                        >= 3.0-r2

Description
===========

Jukka Ruohonen initially reported a boundary error within the
searchwn() function in src/wn.c. A thorough investigation by the oCERT
team revealed several other vulnerabilities in WordNet:

* Jukka Ruohonen and Rob Holland (oCERT) reported multiple boundary
  errors within the searchwn() function in src/wn.c, the wngrep()
  function in lib/search.c, the morphstr() and morphword() functions in
  lib/morph.c, and the getindex() function in lib/search.c, which lead
  to stack-based buffer overflows.

* Rob Holland (oCERT) reported two boundary errors within the
  do_init() function in lib/morph.c, which lead to stack-based buffer
  overflows via specially crafted "WNSEARCHDIR" or "WNHOME" environment
  variables.

* Rob Holland (oCERT) reported multiple boundary errors in the
  bin_search() and bin_search_key() functions in binsrch.c, which lead
  to stack-based buffer overflows via specially crafted data files.

* Rob Holland (oCERT) reported a boundary error within the
  parse_index() function in lib/search.c, which leads to a heap-based
  buffer overflow via specially crafted data files.

Impact
======

* If the application is accessible, e.g. via a web server, a
  remote attacker could pass overly long strings as arguments to the
  "wn" binary, possibly leading to the execution of arbitrary code.

* A local attacker could exploit the second vulnerability via
  specially crafted "WNSEARCHDIR" or "WNHOME" environment variables,
  possibly leading to the execution of arbitrary code with escalated
  privileges.

* A local attacker could exploit the third and fourth vulnerabilities
  by making the application use specially crafted data files, possibly
  leading to the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All WordNet users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-dicts/wordnet-3.0-r2"

References
==========

  [ 1 ] CVE-2008-2149
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2149
  [ 2 ] CVE-2008-3908
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3908

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200810-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
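
The do_init() item in the Description concerns "WNSEARCHDIR" and "WNHOME" values reaching fixed-size stack buffers. The following is an added illustration of a bounded way to consume those two variables; it is not WordNet's code or the Gentoo patch. The function names, the 256-byte buffer size, the default path and the lookup precedence are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DICT_DIR_MAX 256   /* assumed size of the fixed stack buffer */
#define DEFAULT_DICT_DIR "/usr/share/wordnet/dict"   /* constructed default */

/* Bug class, for contrast only (length never checked):
 *     sprintf(dir, "%s/dict", getenv("WNHOME"));            */

/* Pick the dictionary directory. Assumed precedence: searchdir, then
 * home + "/dict", then the default. Returns 0 on success, or -1 when the
 * result does not fit in out[outlen]; oversized input is rejected. */
int dict_dir_from_values(char *out, size_t outlen,
                         const char *searchdir, const char *home)
{
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    if (searchdir != NULL && searchdir[0] != '\0')
        n = snprintf(out, outlen, "%s", searchdir);
    else if (home != NULL && home[0] != '\0')
        n = snprintf(out, outlen, "%s/dict", home);
    else
        n = snprintf(out, outlen, "%s", DEFAULT_DICT_DIR);
    if (n < 0 || (size_t)n >= outlen) {   /* n is the length needed */
        out[0] = '\0';                    /* never hand back a cut-off path */
        return -1;
    }
    return 0;
}

/* Same check applied to the process environment. */
int dict_dir_from_env(char *out, size_t outlen)
{
    return dict_dir_from_values(out, outlen,
                                getenv("WNSEARCHDIR"), getenv("WNHOME"));
}

int main(void)
{
    char dir[DICT_DIR_MAX];
    if (dict_dir_from_env(dir, sizeof dir) != 0) {
        fprintf(stderr, "WNSEARCHDIR/WNHOME too long, refusing to run\n");
        return 1;
    }
    printf("dictionary directory: %s\n", dir);
    return 0;
}
```

Rejecting an oversized value, rather than truncating it, keeps the program from silently opening a different directory than the one named in the environment.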
