
Bug 211491 (CVE-2008-2149)

Summary: app-dicts/wordnet <3.0-r2 buffer overflow (CVE-2008-2149, CVE-2008-3908)
Product: Gentoo Security
Reporter: Jukka Ruohonen <drear>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: app-dicts+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.ocert.org/advisories/ocert-2008-014.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Jukka Ruohonen 2008-02-26 10:30:26 UTC
A classic:

in the function 'searchwn()', called from 'main()', there is a static 'char tmpbuf[256]' into which an invalid command line option is copied using sprintf():

            } else {
                sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
                display_message(tmpbuf);
                errcount++;
            }

So pass your favourite long string to wn with an invalid command line option, yielding a segfault. All versions (2.0, 2.1 and 3.0) in Portage are affected.

I filed this under security since I have seen that Wordnet is sometimes used as a backend in e.g. web applications. Please judge yourself and move to an appropriate category if needed.

Patching should be trivial.
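The fix for the sprintf() call quoted above, written out as an added example (this is not WordNet's code nor the oCERT or Debian patches): the unbounded sprintf() into the 256-byte tmpbuf is replaced by a bounded snprintf() that reports truncation, next to a helper that computes how many bytes the original call would have written for a given option. The function names, the 1024-byte sample option and the buffer out-parameter standing in for display_message() are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define TMPBUF_SIZE 256   /* size of the static 'char tmpbuf[256]' named in the report */
#define FMT "wn: invalid search option: %s\n"

/* Bytes (including the NUL) the original unbounded sprintf() would write for
   a given option. snprintf() with a NULL buffer and size 0 writes nothing and
   only reports the length, so this is safe to call on any input. */
size_t unbounded_write_size(const char *opt) {
    int n = snprintf(NULL, 0, FMT, opt);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened replacement for the sprintf() call: the write is bounded by the
   buffer size and truncation is reported instead of silently overrunning.
   Returns 1 if the message was truncated, 0 if it fit. */
int format_invalid_option(char *buf, size_t size, const char *opt) {
    int n = snprintf(buf, size, FMT, opt);
    if (n < 0) { buf[0] = '\0'; return 1; }
    return (size_t)n >= size;   /* snprintf returns the untruncated length */
}

/* Demonstration: run the hardened formatter against a buffer the size of
   tmpbuf and return the resulting string length (always < TMPBUF_SIZE). */
size_t bounded_message_len(const char *opt, int *truncated) {
    char tmpbuf[TMPBUF_SIZE];
    *truncated = format_invalid_option(tmpbuf, sizeof tmpbuf, opt);
    return strlen(tmpbuf);
}

/* Constructed sample (assumption): an option far longer than tmpbuf, like
   the long command-line string the report describes. */
static char long_option[1024];
const char *make_long_option(void) {
    memset(long_option, 'A', sizeof long_option - 1);
    long_option[sizeof long_option - 1] = '\0';
    return long_option;
}

int main(void) {
    int truncated;
    const char *opt = make_long_option();
    printf("unbounded sprintf would write %zu bytes into a %d-byte buffer\n",
           unbounded_write_size(opt), TMPBUF_SIZE);
    printf("bounded snprintf wrote %zu bytes, truncated=%d\n",
           bounded_message_len(opt, &truncated), truncated);
    return 0;
}
```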
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 10:34:22 UTC
app-dicts please advise.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-26 10:55:53 UTC
(In reply to comment #0)
> A classic:
> 
> in the function 'searchwn()', called from 'main()', there is a static 'char
> tmpbuf[256]' into which an invalid command line option is copied using
> sprintf():
[...]
> I filed this under security since I have seen that Wordnet is sometimes used as
> a backend in e.g. web applications. Please judge yourself and move to an
> appropriate category if needed.

Thanks for the report.

> Patching should be trivial. 

Unfortunately, I don't think so. I just took a quick look at the code, and given the number of strcpy()/strcat()/... I'm pretty sure others are exploitable as well, e.g. this one:

lib/search.c:2126:    strcpy(wdbuf, synptr->words[wdnum]);

with wdbuf being a 256-char static buffer... I'd say this stuff would need a full security audit.
Comment 3 Jukka Ruohonen 2008-02-26 11:47:03 UTC
> (In reply to comment #0)
> Unfortunately, I don't think so. I just took a quick look to the code, and
> given the number of strcpy()/strcat()/... I'm pretty sure other are exploitable

With my ten seconds with the code, I did not even dare to look that far. Indeed: e.g. from do_search() through findtheinfo() to wngrep() (in ../lib/search.c) and therein a user-controlled strcpy with a static 256-char buffer. A simple test:

wn [long string here] -grepn

which results in an obvious segfault again. As you said, the code is full of these.

> with wdbuf being a 256 chars static buffer... I'd say this stuff would need a
> full security audit.

Hopefully Princeton upstream is interested -- after all, Wordnet is an award-winning piece of software with academic publications and research grants.

A recommendation from a user: if no one is going to take on the big task of an almost complete rewrite, mask the packages, at least for the time being.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 11:51:54 UTC
py did you contact upstream?
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-26 12:18:55 UTC
(In reply to comment #4)
> py did you contact upstream?
> 
Upstream contacted with a link to this bug.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 23:15:57 UTC
oCERT has covered more bugs in their #2008-014 advisory. Rob has also prepared a patch, which we should apply.
http://www.ocert.org/advisories/ocert-2008-014.html
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-09-10 06:57:59 UTC
Patch was added in wordnet-3.0-r1. x86 team, please, stabilize it.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-09-10 11:34:33 UTC
going back to [ebuild]. The oCERT patch does not address CVE-2008-2149, the first issue in this bug. Please also apply this patch:
http://svn.debian.org/wsvn/debian-science/packages/wordnet/trunk/debian/patches/50_CVE-2008-2149_buffer_overflows.patch?op=file&rev=0&sc=0
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-09-12 19:36:18 UTC
Thank you Robert. Done in wordnet-3.0-r2.
Comment 10 Markus Meier gentoo-dev 2008-09-17 20:32:10 UTC
x86 stable, all arches done.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-21 11:09:23 UTC
GLSA request filed
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-07 18:14:43 UTC
GLSA 200810-01.