Bug 53389

Comment 1 Florian Schilhabel (RETIRED) 2004-06-09 04:25:57 UTC

intro:

Aspell was intended as a more accurate and robust
replacement for the popular ispell package, and was
written by GNU.  Aspell includes a small utility for
compressing and decompressing wordlists before
processing by aspell, namely 'word-list-compress'.

Due to insufficient bounds checking, a malformed
wordlist can cause for a stack based buffer overflow
to occur, possibly allowing execution of arbitrary
code with the privileges of the invoking user.

demo:


[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress c
Segmentation fault
[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress d
t·®Â½
t·®Â½
Segmentation fault

--patch--

--- aspell-bug.patch ---
--- compress.orig.c        2004-06-08 16:37:00.000000000
+0100
+++ compress.c        2004-06-08 16:34:35.000000000 +0100
@@ -28,6 +28,9 @@
 
 #endif
 
+int count; 
+
+
 void usage () 
 {
   fputs("Compresses or uncompresses sorted word
lists.\n"     , stderr);
@@ -47,6 +50,7 @@
     *w++ = (char)(c);
   } while (c = getc(in), c != EOF && c > 32);
   *w = '\0';
+  count++;
   ungetc(c, in);
   if (c == EOF) return 0;
   else return 1;
@@ -69,6 +73,7 @@
 
     SETBIN (stdout);
 
+    while(count < 256) {
     while (get_word(stdin, cur)) {
       int i = 0;
       /* get the length of the prefix */
@@ -85,6 +90,7 @@
         prev = s2; cur = s1;
       }
     }
+    }
     return 0;
 
   } else if (argv[1][0] == 'd') {
@@ -100,8 +106,11 @@
       if (i == 0)
         i = getc(stdin);
       --i;  
-      while ((c = getc(stdin)) > 32)
+      while ((c = getc(stdin)) > 32 && count < 256) {

         cur[i++] = (char)c;
+        count++;
+    }
+      
       cur[i] = '\0';
       fputs(cur, stdout);
       putc('\n', stdout);
--- EOF ---

...found in bugtraq...

best regards

florian



Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 2 Seemant Kulleen (RETIRED) 2004-06-09 09:15:18 UTC

thanks Florian, I'll check this out then check it in.

Comment 3 Seemant Kulleen (RETIRED) 2004-06-09 09:30:24 UTC

florian, securityfocus seems to have removed this.  can you verify the URL to the advisory please?

Comment 4 Florian Schilhabel (RETIRED) 2004-06-09 09:55:52 UTC

hi seemant,
the original advisory can be found at:

http://nettwerked.mg2.org/advisories/wlc

Best Regards,
Florian

Comment 5 Seemant Kulleen (RETIRED) 2004-06-09 13:42:52 UTC

ok, aspell-0.50.5-r1 is in portage and stable on x86 and s390.  Awaiting EVERY other arch to stabilise.

Since you asked so nicely... sparc mips

Comment 7 Luca Barbato 2004-06-09 14:34:41 UTC

Marked ppc

Comment 8 Guy Martin (RETIRED) 2004-06-09 14:47:25 UTC

Stable on hppa.

Comment 9 Bryan Østergaard (RETIRED) 2004-06-10 09:14:06 UTC

Stable on alpha.

Comment 10 Thierry Carrez (RETIRED) 2004-06-14 09:33:54 UTC

Stable on all required arches, we can issue a GLSA.

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2004-06-14 13:07:44 UTC

GLSA drafted: security please review.

It seems this patch breaks the word-list-compress binary in app-text/aspell-0.50.5-r1.  See Bug 53801 for more details.  Here is a new patch that passes the tests posted here as well as restores the previous functionality.

30a31,32
> #define WORD_BUFF_SIZE 256
>
43a46
>   int count = 0;
48c51,52
<   } while (c = getc(in), c != EOF && c > 32);
---
>     count++;
>   } while (c = getc(in), c != EOF && c > 32 && count < (WORD_BUFF_SIZE - 1));
64,65c68,69
<     char s1[256];
<     char s2[256];
---
>     char s1[WORD_BUFF_SIZE];
>     char s2[WORD_BUFF_SIZE];
92c96
<     char cur[256];
---
>     char cur[WORD_BUFF_SIZE];
103c107
<       while ((c = getc(stdin)) > 32)
---
>       while ((c = getc(stdin)) > 32 && i < (WORD_BUFF_SIZE - 1)) {
104a109
>       }

Comment 13 Thierry Carrez (RETIRED) 2004-06-15 01:44:35 UTC

Bug 53801 blocks this fix. Going back to [ebuild] status while investigating.

Comment 14 Thierry Carrez (RETIRED) 2004-06-17 05:10:19 UTC

Ready for the GLSA now...

Comment 15 Thierry Carrez (RETIRED) 2004-06-17 12:41:28 UTC

GLSA 200406-14

Comment 16 solar (RETIRED) 2004-08-18 12:19:26 UTC

Arch maintainers please test and stabilize aspell-0.50.5-r4.ebuild

The previous security patch included in gentoo for aspell was apparently
incorrect. It counted the words rather than characters. This revision fixes
that. This was brought to our attention by by Ludwig Nussel
<ludwig.nussel@suse.de>

http://savannah.gnu.org/cgi-bin/viewcvs/aspell/aspell/prog/compress.c.diff?r1=1.2.2.3&r2=1.2.2.1

Comment 17 Aron Griffis (RETIRED) 2004-08-18 12:43:52 UTC

alpha, amd64, ia64 and x86 done

Comment 18 Pieter Van den Abeele (RETIRED) 2004-08-18 18:10:00 UTC

stable on ppc

Comment 19 Gustavo Zacarias (RETIRED) 2004-08-18 18:25:33 UTC

sparc happy.

Comment 20 Hardave Riar (RETIRED) 2004-08-18 19:21:30 UTC

Stable on mips

Comment 21 Gustavo Zacarias (RETIRED) 2004-08-18 19:24:50 UTC

As i said, it's sparc happy, so s390@ goes back and sparc@ goes out of the cc, thanks hardave for the headsup!

Comment 22 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-18 22:09:34 UTC

GLSA 200406-14 updated.

Klieber will you issue an errata?

Comment 23 Guy Martin (RETIRED) 2004-08-19 01:50:33 UTC

Stable on hppa.

Comment 24 SpanKY 2004-08-19 19:37:51 UTC

arm stable

Comment 25 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-23 06:47:13 UTC

GLSA 200406-14 reissued

Comment 26 SpanKY 2004-09-22 21:37:33 UTC

s390 stable