Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 196803

Summary: dev-libs/link-grammar: buffer overflow in tokenize.c (separate_word()) (CVE-2007-5395)
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: eva, joem
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/27300/
Whiteboard: B2 [glsa] Falco
Package list:
Runtime testing required: ---
Attachments:
Description Flags
link-grammar-CVE-2007-5395.patch none

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-23 16:02:20 UTC 
Secunia Research has discovered a vulnerability in Link Grammar, which
can be exploited by malicious people to compromise an application using
the library.

The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.1b.

Vulnerability Details:
----------------------

The vulnerability is caused by incorrectly calling the "strncpy()"
function in several places throughout "separate_word()".

Exploitation:
-------------

The vulnerability can be reproduced by calling the "separate_sentence()"
function with an overly long "input_string" parameter (200 bytes).

A PoC is available upon request.

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA27300 and CVE
identifier CVE-2007-5395.

Upstream contacted.
Disclosure date: As soon as the vendor releases a patch, or 2007-11-07.
                 Note that this may be changed if the vendor requests it.

Credits:
Alin Rad Pop, Secunia Research.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-04 21:26:50 UTC 
Created attachment 135199 [details, diff]
link-grammar-CVE-2007-5395.patch

Upstream committed a patch on Oct. 27. Attached the patch and upstream log message.
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2007-11-04 23:15:26 UTC 
revbumped in tree. Compile and pass tests fine.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-05 07:55:35 UTC 
Arch security liaisons please test and mark stable. Target keywords are:

link-grammar-4.2.4-r1.ebuild="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-05 12:28:25 UTC 
Stable for HPPA.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-05 16:57:26 UTC 
ppc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-05 21:01:18 UTC 
Stable for SPARC (gustavoz has resigned).
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2007-11-05 21:18:14 UTC 
Adding armin for alpha
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-11-06 07:57:17 UTC 
ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-11-06 12:49:08 UTC 
alpha/ia64/x86 stable
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 15:52:20 UTC 
Public as per $URL.

Only amd64 is missing.
Comment 11 Steve Dibb (RETIRED) gentoo-dev 2007-11-14 03:38:47 UTC 
amd64 stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 17:43:36 UTC 
GLSA request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 23:12:44 UTC 
GLSA 200711-27