Bug#: 196803
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Raphael Marichez <falco@gentoo.org>
Filename Description Type Creator Created Size
link-grammar-CVE-2007-5395.patch link-grammar-CVE-2007-5395.patch patch Robert Buchholz 2007-11-04 21:26 0000 3.94 KB




Description:   Opened: 2007-10-23 16:02 0000
Secunia Research has discovered a vulnerability in Link Grammar, which
can be exploited by malicious people to compromise an application using
the library.

The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.1b.

Vulnerability Details:
----------------------

The vulnerability is caused by incorrectly calling the "strncpy()"
function in several places throughout "separate_word()".

Exploitation:
-------------

The vulnerability can be reproduced by calling the "separate_sentence()"
function with an overly long "input_string" parameter (200 bytes).

A PoC is available upon request.

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA27300 and CVE
identifier CVE-2007-5395.

Upstream contacted.
Disclosure date: As soon as the vendor releases a patch, or 2007-11-07.
                 Note that this may be changed if the vendor requests it.

Credits:
Alin Rad Pop, Secunia Research.

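The advisory describes the defect as word copies bounded by the input length instead of by the fixed stack buffer that holds each word. The following is an added example, not the project's tokenize.c and not the attached patch: it assumes a 64-byte word buffer (the advisory only says words over 61 bytes overflow, so the real size is not known from this bug) and shows a tokenizer that bounds every copy by the destination and rejects over-long words instead of overrunning the stack.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Assumed fixed word buffer size; not taken from upstream sources. */
#define MAX_WORD 64

/* Copy one word into a fixed buffer, bounding the copy by the destination
 * size. The unsafe pattern the advisory describes is strncpy(dst, src,
 * word_len) with word_len derived from the input, which overruns dst as soon
 * as word_len reaches sizeof dst. Returns 0 on success, -1 if the word does
 * not fit together with its terminating NUL (refuse, do not truncate silently). */
static int copy_word_bounded(char *dst, size_t dst_size,
                             const char *src, size_t word_len)
{
    if (dst_size == 0 || word_len >= dst_size)
        return -1;
    memcpy(dst, src, word_len);      /* safe: checked against dst_size above */
    dst[word_len] = '\0';
    return 0;
}

/* Split a sentence on whitespace into MAX_WORD-sized stack buffers. Returns
 * the number of words, or -1 if any word is too long for the buffer (the
 * over-long-word case from the advisory) instead of overflowing it. */
static int separate_words(const char *sentence)
{
    char word[MAX_WORD];
    int count = 0;
    const char *p = sentence;

    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        if (copy_word_bounded(word, sizeof word, start, (size_t)(p - start)) != 0)
            return -1;
        count++;
    }
    return count;
}

/* Constructed input: one word of word_len 'a' characters, mirroring the
 * advisory's 200-byte input_string. Returns -2 if the request exceeds the scratch buffer. */
static int separate_long_word(size_t word_len)
{
    char buf[256];
    if (word_len >= sizeof buf)
        return -2;
    memset(buf, 'a', word_len);
    buf[word_len] = '\0';
    return separate_words(buf);
}
```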
------- Comment #1 From Robert Buchholz 2007-11-04 21:26:50 0000 -------
Created an attachment (id=135199) [details]
link-grammar-CVE-2007-5395.patch

Upstream committed a patch on Oct. 27. Attached the patch and upstream log
message.

------- Comment #2 From Gilles Dartiguelongue 2007-11-04 23:15:26 0000 -------
revbumped in tree. Compiles and passes tests fine.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-11-05 07:55:35 0000 -------
Arch security liaisons please test and mark stable. Target keywords are:

link-grammar-4.2.4-r1.ebuild="alpha amd64 hppa ia64 ppc ppc64 sparc x86"

------- Comment #4 From Jeroen Roovers 2007-11-05 12:28:25 0000 -------
Stable for HPPA.

------- Comment #5 From Tobias Scherbaum 2007-11-05 16:57:26 0000 -------
ppc stable

------- Comment #6 From Jeroen Roovers 2007-11-05 21:01:18 0000 -------
Stable for SPARC (gustavoz has resigned).

------- Comment #7 From Fernando J. Pereda (RETIRED) 2007-11-05 21:18:14 0000 -------
Adding armin for alpha

------- Comment #8 From Markus Rothe 2007-11-06 07:57:17 0000 -------
ppc64 stable

------- Comment #9 From Raúl Porcel 2007-11-06 12:49:08 0000 -------
alpha/ia64/x86 stable

------- Comment #10 From Robert Buchholz 2007-11-07 15:52:20 0000 -------
Public as per $URL.

Only amd64 is missing.

------- Comment #11 From Steve Dibb 2007-11-14 03:38:47 0000 -------
amd64 stable

------- Comment #12 From Robert Buchholz 2007-11-14 17:43:36 0000 -------
GLSA request filed.

------- Comment #13 From Pierre-Yves Rofes 2007-11-18 23:12:44 0000 -------
GLSA 200711-27
