Bug 196803 - dev-libs/link-grammar: buffer overflow in tokenize.c (separate_word()) (CVE-2007-5395)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27300/
Whiteboard: B2 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-23 16:02 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-11-18 23:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
link-grammar-CVE-2007-5395.patch (3.94 KB, patch)
2007-11-04 21:26 UTC, Robert Buchholz (RETIRED)

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-23 16:02:20 UTC
Secunia Research has discovered a vulnerability in Link Grammar, which
can be exploited by malicious people to compromise an application using
the library.

The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.1b.

Vulnerability Details:
----------------------

The vulnerability is caused by incorrectly calling the "strncpy()"
function in several places throughout "separate_word()".

Exploitation:
-------------

The vulnerability can be reproduced by calling the "separate_sentence()"
function with an overly long "input_string" parameter (200 bytes).

A PoC is available upon request.

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA27300 and CVE
identifier CVE-2007-5395.

Upstream contacted.
Disclosure date: As soon as the vendor releases a patch, or 2007-11-07.
                 Note that this may be changed if the vendor requests it.

Credits:
Alin Rad Pop, Secunia Research.
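The advisory above describes the defect only in outline: a fixed-size word buffer in separate_word() and strncpy() calls whose length argument does not bound the destination, so a token longer than 61 bytes overruns the stack. The following is an added C illustration, not link-grammar's code or the upstream patch: a constructed tokenizer with a 61-character word limit (an assumption taken from the advisory's figure) that shows the unbounded-copy pattern beside a destination-bounded copy, then runs the bounded version over a constructed sentence containing a 200-byte token, which is the input size the advisory names. The function and macro names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_WORD_LEN 61              /* assumption: the limit the advisory mentions */
#define WORD_BUF (MAX_WORD_LEN + 1)  /* plus the terminating NUL */
#define MAX_WORDS 64

/* Vulnerable pattern (illustrative, not link-grammar's code): the third
 * argument of strncpy() is the SOURCE length, so nothing limits how much is
 * written into 'word'. With a token longer than MAX_WORD_LEN this writes
 * past the end of the caller's stack buffer. It is only ever called here
 * with a short token, to contrast it with the bounded copy below. */
static void copy_word_unbounded(char word[WORD_BUF], const char *src, size_t len)
{
    strncpy(word, src, len);   /* bound comes from src, not from the destination */
    word[len] = '\0';          /* also out of bounds when len >= WORD_BUF */
}

/* Hardened copy: the bound is the destination size, the result is always
 * NUL-terminated, and a token that does not fit is rejected rather than
 * silently truncated (a truncated word would be parsed as a different word). */
static bool copy_word_bounded(char *word, size_t word_size, const char *src, size_t len)
{
    if (word_size == 0)
        return false;
    if (len >= word_size) {    /* needs len + 1 bytes including the NUL */
        word[0] = '\0';
        return false;
    }
    memcpy(word, src, len);
    word[len] = '\0';
    return true;
}

/* Split 'sentence' on spaces into fixed-size word slots with the bounded
 * copy. Returns the number of words stored; over-long tokens are counted in
 * *rejected and skipped, so untrusted input can never write outside a slot. */
static size_t separate_words_checked(const char *sentence,
                                     char words[][WORD_BUF], size_t max_words,
                                     size_t *rejected)
{
    size_t n = 0;
    const char *p = sentence;
    *rejected = 0;
    while (*p != '\0' && n < max_words) {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ' ')
            p++;
        size_t len = (size_t)(p - start);
        if (copy_word_bounded(words[n], WORD_BUF, start, len))
            n++;
        else
            (*rejected)++;
    }
    return n;
}

/* Constructed sample in the shape the advisory describes: an ordinary
 * sentence with one 200-byte token in the middle. */
static void build_sample_sentence(char *out, size_t out_size)
{
    char longword[201];
    memset(longword, 'A', 200);
    longword[200] = '\0';
    snprintf(out, out_size, "the cat %s sat down", longword);
}

/* Tokenize the sample; returns the accepted count and stores the rejected one. */
static size_t tokenize_sample(size_t *rejected)
{
    char sentence[256];
    char words[MAX_WORDS][WORD_BUF];
    build_sample_sentence(sentence, sizeof sentence);
    return separate_words_checked(sentence, words, MAX_WORDS, rejected);
}

static size_t sample_accepted_count(void) { size_t r; return tokenize_sample(&r); }
static size_t sample_rejected_count(void) { size_t r; tokenize_sample(&r); return r; }

/* True if the bounded copy refuses a token of 'len' bytes (len <= 255). */
static bool bounded_copy_rejects(size_t len)
{
    char word[WORD_BUF], src[256];
    memset(src, 'x', len);
    return !copy_word_bounded(word, WORD_BUF, src, len);
}

int main(void)
{
    char word[WORD_BUF];
    size_t rejected;
    copy_word_unbounded(word, "cat", 3);   /* short token: pattern looks harmless here */
    printf("unbounded copy of a short token: %s\n", word);
    size_t n = tokenize_sample(&rejected);
    printf("%zu words accepted, %zu rejected as over-long (limit %d)\n",
           n, rejected, MAX_WORD_LEN);
    return 0;
}
```

The point of the contrast is the source of the length argument: the bounded version takes its limit from the destination and fails closed, which is the property a reviewer should look for at every copy site the advisory says is affected.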
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-04 21:26:50 UTC
Created attachment 135199 [details, diff]
link-grammar-CVE-2007-5395.patch

Upstream committed a patch on Oct. 27. Attached the patch and upstream log message.
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2007-11-04 23:15:26 UTC
Revbumped in tree. Compiles and passes tests fine.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-05 07:55:35 UTC
Arch security liaisons please test and mark stable. Target keywords are:

link-grammar-4.2.4-r1.ebuild="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-05 12:28:25 UTC
Stable for HPPA.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-05 16:57:26 UTC
ppc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-05 21:01:18 UTC
Stable for SPARC (gustavoz has resigned).
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2007-11-05 21:18:14 UTC
Adding armin for alpha
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-11-06 07:57:17 UTC
ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-11-06 12:49:08 UTC
alpha/ia64/x86 stable
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 15:52:20 UTC
Public as per $URL.

Only amd64 is missing.
Comment 11 Steve Dibb (RETIRED) gentoo-dev 2007-11-14 03:38:47 UTC
amd64 stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 17:43:36 UTC
GLSA request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 23:12:44 UTC
GLSA 200711-27