Bug#: 53389
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Florian Schilhabel (RETIRED) <ruth@gentoo.org>
Bug 53389 depends on: 53801
Description:   Opened: 2004-06-09 04:25 0000

------- Comment #1 From Florian Schilhabel (RETIRED) 2004-06-09 04:25:57 0000 -------
intro:

Aspell was intended as a more accurate and robust
replacement for the popular ispell package, and was
written by GNU.  Aspell includes a small utility for
compressing and decompressing wordlists before
processing by aspell, namely 'word-list-compress'.

Due to insufficient bounds checking, a malformed
wordlist can cause a stack-based buffer overflow
to occur, possibly allowing execution of arbitrary
code with the privileges of the invoking user.

demo:


[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress c
Segmentation fault
[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress d
t·®Â½
t·®Â½
Segmentation fault

--patch--

--- aspell-bug.patch ---
--- compress.orig.c        2004-06-08 16:37:00.000000000
+0100
+++ compress.c        2004-06-08 16:34:35.000000000 +0100
@@ -28,6 +28,9 @@
 
 #endif
 
+int count; 
+
+
 void usage () 
 {
   fputs("Compresses or uncompresses sorted word
lists.\n"     , stderr);
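Review bot: `int count;` is a file-scope global that is never reset, so every call to get_word() and every decompressed word accumulates into the same counter; the limit applied in the later hunks therefore caps the total over the whole run, not the length of any one word. The buffers s1, s2 and cur are per-word, so the counter should be local to the function that fills them and reset to 0 on each call.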
@@ -47,6 +50,7 @@
     *w++ = (char)(c);
   } while (c = getc(in), c != EOF && c > 32);
   *w = '\0';
+  count++;
   ungetc(c, in);
   if (c == EOF) return 0;
   else return 1;
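Review bot: `count++;` sits after the do/while loop, so it increments once per word, not once per stored byte; the `*w++ = (char)(c);` store inside the loop is still unbounded and a 1000-byte word still overruns the 256-byte buffer exactly as in the report's demo. The increment belongs inside the loop body, with the bound in the loop condition, e.g. `} while (c = getc(in), c != EOF && c > 32 && count < 255);` so that the trailing `*w = '\0'` still lands inside the buffer.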
@@ -69,6 +73,7 @@
 
     SETBIN (stdout);
 
+    while(count < 256) {
     while (get_word(stdin, cur)) {
       int i = 0;
       /* get the length of the prefix */
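Review bot: `while(count < 256) {` around the get_word() loop limits how many words are processed, not how long a word may be: any legitimate list with more than 256 entries is silently truncated (the regression tracked as Bug 53801), while a single over-long word is still copied unbounded by get_word(). The bound needs to be inside get_word(), not around the caller.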
@@ -85,6 +90,7 @@
         prev = s2; cur = s1;
       }
     }
+    }
     return 0;
 
   } else if (argv[1][0] == 'd') {
@@ -100,8 +106,11 @@
       if (i == 0)
         i = getc(stdin);
       --i;  
-      while ((c = getc(stdin)) > 32)
+      while ((c = getc(stdin)) > 32 && count < 256) {

         cur[i++] = (char)c;
+        count++;
+    }
+      
       cur[i] = '\0';
       fputs(cur, stdout);
       putc('\n', stdout);
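Review bot: in the decompress branch the bound should be on the write index `i`, not on the global `count`: `cur[i++]` starts from the prefix length taken from the input byte (`i = getc(stdin); --i;` just above), and count is never reset between words, so a long word early in the stream can still overflow `cur` while every word after the 256th byte is cut down to its prefix. Use `i < 255` in the loop condition and drop `count++`; the new closing `}` is also indented at the `if` level rather than with the loop body it closes.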
--- EOF ---

...found in bugtraq...

best regards

florian



Reproducible: Always

------- Comment #2 From Seemant Kulleen (RETIRED) 2004-06-09 09:15:18 0000 -------
thanks Florian, I'll check this out then check it in.

------- Comment #3 From Seemant Kulleen (RETIRED) 2004-06-09 09:30:24 0000 -------
Florian, SecurityFocus seems to have removed this. Can you verify the URL to
the advisory please?

------- Comment #4 From Florian Schilhabel (RETIRED) 2004-06-09 09:55:52 0000 -------
hi seemant,
the original advisory can be found at:

http://nettwerked.mg2.org/advisories/wlc

Best Regards,
Florian

------- Comment #5 From Seemant Kulleen (RETIRED) 2004-06-09 13:42:52 0000 -------
ok, aspell-0.50.5-r1 is in portage and stable on x86 and s390.  Awaiting EVERY
other arch to stabilise.

------- Comment #6 From Ciaran McCreesh 2004-06-09 14:22:47 0000 -------
Since you asked so nicely... sparc mips

------- Comment #7 From Luca Barbato 2004-06-09 14:34:41 0000 -------
Marked ppc

------- Comment #8 From Guy Martin 2004-06-09 14:47:25 0000 -------
Stable on hppa.

------- Comment #9 From Bryan Østergaard (RETIRED) 2004-06-10 09:14:06 0000 -------
Stable on alpha.

------- Comment #10 From Thierry Carrez (RETIRED) 2004-06-14 09:33:54 0000 -------
Stable on all required arches, we can issue a GLSA.

------- Comment #11 From Sune Kloppenborg Jeppesen 2004-06-14 13:07:44 0000 -------
GLSA drafted: security please review.

------- Comment #12 From Adam Bregenzer 2004-06-14 14:34:37 0000 -------
It seems this patch breaks the word-list-compress binary in
app-text/aspell-0.50.5-r1.  See Bug 53801 for more details.  Here is a new
patch that passes the tests posted here as well as restores the previous
functionality.

30a31,32
> #define WORD_BUFF_SIZE 256
>
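Review bot: defining WORD_BUFF_SIZE once and using it for s1, s2, cur and both loop bounds is the right shape; keep every bound written as WORD_BUFF_SIZE - 1 so the terminating NUL always fits in the buffer.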
43a46
>   int count = 0;
48c51,52
<   } while (c = getc(in), c != EOF && c > 32);
---
>     count++;
>   } while (c = getc(in), c != EOF && c > 32 && count < (WORD_BUFF_SIZE - 1));
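Review bot: this bound is correct: `count` is local to get_word() (43a46) and increments once per stored byte, so at most WORD_BUFF_SIZE - 1 bytes are written and the NUL at `*w = '\0'` stays inside the buffer. One side effect worth a comment: when a word is cut, the unread bytes stay in the stream (the following `ungetc(c, in)` pushes back only the first unread byte) and come out as a separate word, so an over-long entry is split rather than rejected; a warning on stderr would make that visible to the user.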
64,65c68,69
<     char s1[256];
<     char s2[256];
---
>     char s1[WORD_BUFF_SIZE];
>     char s2[WORD_BUFF_SIZE];
92c96
<     char cur[256];
---
>     char cur[WORD_BUFF_SIZE];
103c107
<       while ((c = getc(stdin)) > 32)
---
>       while ((c = getc(stdin)) > 32 && i < (WORD_BUFF_SIZE - 1)) {
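Review bot: `i < (WORD_BUFF_SIZE - 1)` bounds the write index itself, which is what this branch needs because `i` starts at the prefix length read from the input (`--i` after `getc`), so `cur[i] = '\0'` can never go past index WORD_BUFF_SIZE - 1. The new `{` is closed by the `}` added in 104a109; as in get_word(), the unread remainder of a long word is left in stdin and is emitted as the next word.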
104a109
>       }

------- Comment #13 From Thierry Carrez (RETIRED) 2004-06-15 01:44:35 0000 -------
Bug 53801 blocks this fix. Going back to [ebuild] status while investigating.

------- Comment #14 From Thierry Carrez (RETIRED) 2004-06-17 05:10:19 0000 -------
Ready for the GLSA now...

------- Comment #15 From Thierry Carrez (RETIRED) 2004-06-17 12:41:28 0000 -------
GLSA 200406-14

------- Comment #16 From solar 2004-08-18 12:19:26 0000 -------
Arch maintainers please test and stabilize aspell-0.50.5-r4.ebuild

The previous security patch included in gentoo for aspell was apparently
incorrect. It counted the words rather than characters. This revision fixes
that. This was brought to our attention by Ludwig Nussel
<ludwig.nussel@suse.de>

http://savannah.gnu.org/cgi-bin/viewcvs/aspell/aspell/prog/compress.c.diff?r1=1.2.2.3&r2=1.2.2.1
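The get_word() overflow described in Comment #1 and the words-versus-characters mistake noted in Comment #16, as an added example that is not code from the aspell project or from this bug: a bounded get_word() that counts stored bytes per call (the approach of the Comment #12 patch) and a harness that feeds it the report's 1000-byte word. The leading-separator skip and the scan_long_word() helper are assumptions of mine, not shown on the page.

```c
#include <stdio.h>
#include <string.h>

#define WORD_BUFF_SIZE 256   /* size of s1/s2/cur in compress.c */

/* Bounded get_word(): reads one word (bytes > 32) from `in` into `w`, which
 * must hold WORD_BUFF_SIZE bytes. At most WORD_BUFF_SIZE-1 bytes are stored,
 * so a 1000-byte "word" cannot run past the caller's stack buffer; the excess
 * stays in the stream and comes back as the next word (Comment #12 approach).
 * Returns 1 if more input follows, 0 at EOF. The separator skip is assumed. */
int get_word_bounded(FILE *in, char *w)
{
  int c, count = 0;
  while ((c = getc(in)) != EOF && c <= 32) ;      /* skip separators */
  if (c == EOF) { *w = '\0'; return 0; }
  do {
    *w++ = (char)c;
    count++;                                      /* bytes, not words */
  } while ((c = getc(in)) != EOF && c > 32 && count < WORD_BUFF_SIZE - 1);
  *w = '\0';                                      /* index <= 255 */
  if (c == EOF) return 0;
  ungetc(c, in);
  return 1;
}

typedef struct { int words; size_t longest; int over_bound; } scan_result;

/* Builds the constructed input from the report's demo (`n` 'a' bytes, then a
 * newline and "b"), feeds it through get_word_bounded() and reports the word
 * count, the longest word and whether any stored word exceeded the bound. */
scan_result scan_long_word(size_t n)
{
  scan_result r = {0, 0, 0};
  char cur[WORD_BUFF_SIZE];
  FILE *in = tmpfile();                           /* standard C stdio */
  if (!in) return r;
  for (size_t k = 0; k < n; k++) putc('a', in);
  fputs("\nb\n", in);
  rewind(in);
  for (int more = 1; more;) {
    more = get_word_bounded(in, cur);
    size_t len = strlen(cur);
    if (len == 0) continue;
    r.words++;
    if (len > r.longest) r.longest = len;
    if (len > WORD_BUFF_SIZE - 1) r.over_bound = 1;
  }
  fclose(in);
  return r;
}
```

With the 1000-byte input the long word is split into 255, 255, 255 and 235 byte pieces followed by "b", so the longest stored word is 255 and nothing exceeds the buffer.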

------- Comment #17 From Aron Griffis (RETIRED) 2004-08-18 12:43:52 0000 -------
alpha, amd64, ia64 and x86 done

------- Comment #18 From Pieter Van den Abeele 2004-08-18 18:10:00 0000 -------
stable on ppc

------- Comment #19 From Gustavo Zacarias (RETIRED) 2004-08-18 18:25:33 0000 -------
sparc happy.

------- Comment #20 From Hardave Riar (RETIRED) 2004-08-18 19:21:30 0000 -------
Stable on mips

------- Comment #21 From Gustavo Zacarias (RETIRED) 2004-08-18 19:24:50 0000 -------
As I said, it's sparc happy, so s390@ goes back and sparc@ goes out of the cc,
thanks hardave for the headsup!

------- Comment #22 From Sune Kloppenborg Jeppesen 2004-08-18 22:09:34 0000 -------
GLSA 200406-14 updated.

Klieber will you issue an errata?

------- Comment #23 From Guy Martin 2004-08-19 01:50:33 0000 -------
Stable on hppa.

------- Comment #24 From SpanKY 2004-08-19 19:37:51 0000 -------
arm stable

------- Comment #25 From Sune Kloppenborg Jeppesen 2004-08-23 06:47:13 0000 -------
GLSA 200406-14 reissued

------- Comment #26 From SpanKY 2004-09-22 21:37:33 0000 -------
s390 stable
