
Bug 53389

Summary: app-text/aspell - Stack overflow
Product: Gentoo Security Reporter: Florian Schilhabel (RETIRED) <ruth>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Flags: seemant: Assigned_To+
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 53801    
Bug Blocks:    

Description Florian Schilhabel (RETIRED) gentoo-dev 2004-06-09 04:25:57 UTC
intro:

Aspell was intended as a more accurate and robust
replacement for the popular ispell package, and was
written by GNU.  Aspell includes a small utility for
compressing and decompressing wordlists before
processing by aspell, namely 'word-list-compress'.

Due to insufficient bounds checking, a malformed
wordlist can cause a stack-based buffer overflow,
possibly allowing execution of arbitrary
code with the privileges of the invoking user.

demo:


[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress c
Segmentation fault
[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress d
t·®Â½
t·®Â½
Segmentation fault

--patch--

--- aspell-bug.patch ---
--- compress.orig.c        2004-06-08 16:37:00.000000000
+0100
+++ compress.c        2004-06-08 16:34:35.000000000 +0100
@@ -28,6 +28,9 @@
 
 #endif
 
+int count; 
+
+
 void usage () 
 {
   fputs("Compresses or uncompresses sorted word
lists.\n"     , stderr);
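Review bot: `int count;` is a file-scope global that is never reset, so it accumulates across every word of the input and is shared by the compress and decompress paths that use it below; make it a local that is reset for each word (for example `int count = 0;` at the top of get_word), otherwise the bound compares a running total against 256 rather than the size of the current word.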
@@ -47,6 +50,7 @@
     *w++ = (char)(c);
   } while (c = getc(in), c != EOF && c > 32);
   *w = '\0';
+  count++;
   ungetc(c, in);
   if (c == EOF) return 0;
   else return 1;
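Review bot: `count++` sits after the do-while, so it counts completed words, not characters; the unbounded `*w++ = (char)(c);` store inside the loop, which is what lets a 1000-byte token run past the 256-byte buffer, is left exactly as it was. The check has to be part of the loop condition, e.g. `} while (c = getc(in), c != EOF && c > 32 && ++count < 255);` with `count` reset to 0 on entry, which stores at most 255 bytes and leaves the last byte for the `*w = '\0'` terminator.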
@@ -69,6 +73,7 @@
 
     SETBIN (stdout);
 
+    while(count < 256) {
     while (get_word(stdin, cur)) {
       int i = 0;
       /* get the length of the prefix */
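Review bot: `while(count < 256)` around the word loop limits the number of words processed, not the length of any word, so a correct wordlist with more than 256 entries is silently cut off after the 256th word (the breakage reported in Bug 53801), while a single over-long word still overflows inside get_word. Worse, for an input with fewer than 256 words the outer loop cannot finish: once get_word returns 0 at end of input the inner loop exits, count is still below 256, and the outer loop calls get_word at EOF again with nothing advancing count. Drop the outer loop and bound the copy in get_word instead.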
@@ -85,6 +90,7 @@
         prev = s2; cur = s1;
       }
     }
+    }
     return 0;
 
   } else if (argv[1][0] == 'd') {
@@ -100,8 +106,11 @@
       if (i == 0)
         i = getc(stdin);
       --i;  
-      while ((c = getc(stdin)) > 32)
+      while ((c = getc(stdin)) > 32 && count < 256) {

         cur[i++] = (char)c;
+        count++;
+    }
+      
       cur[i] = '\0';
       fputs(cur, stdout);
       putc('\n', stdout);
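Review bot: the decode bound reuses the same global `count`, incremented per character and never reset, so after 255 characters in total the decoder stops storing suffix bytes for every later entry and the output is wrong for any wordlist longer than that. It also bounds the wrong quantity: the write index `i` is seeded from the stream (`i = getc(stdin); ... --i;`, up to 254) before a single character is counted, so with `i` near 254 and `count` at 0 `cur[i++]` can still run well past the end of `cur`. Test `i < 255` in the loop condition and drain the rest of the suffix when it trips; the stray blank line and mis-indented `}` in this hunk should also go before merging.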
--- EOF ---

...found in bugtraq...

best regards

florian



Reproducible: Always
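The two copy loops at issue, rewritten with a bound on the number of characters written and run on the advisory's 1000-byte word, as an added example that is not code from aspell, from the advisory or from either patch in this bug. The function names, the result structs and the byte layout of the constructed compressed stream are this example's own assumptions; the 256-byte buffers, the "bytes <= 32 separate words" rule and the prefix-byte decode scheme follow the loops visible in the patches.

```c
#include <stdio.h>
#include <string.h>

#define WORD_BUFF_SIZE 256   /* same size as the s1/s2/cur buffers in the patch */

/* Reader side.  Bytes <= 32 separate words, as in the original get_word.
 * At most WORD_BUFF_SIZE-1 bytes are stored; the rest of an over-long token
 * is read and dropped and *truncated is set, so the word is neither written
 * past w nor silently split into several words.
 * Returns 1 when a word was stored, 0 at end of input. */
static int get_word_bounded(FILE *in, char *w, int *truncated)
{
    int c, n = 0;
    *truncated = 0;
    while ((c = getc(in)) != EOF && c <= 32)
        ;                                  /* skip separators */
    if (c == EOF)
        return 0;
    do {
        if (n < WORD_BUFF_SIZE - 1)
            w[n++] = (char)c;              /* bound on characters, not words */
        else
            *truncated = 1;                /* keep reading, stop storing */
    } while ((c = getc(in)) != EOF && c > 32);
    w[n] = '\0';
    if (c != EOF)
        ungetc(c, in);
    return 1;
}

/* Decoder side, after the loop in the patch: a prefix byte (0 means the
 * value is in the next byte) minus one is how many leading bytes are shared
 * with the previous word already in cur; suffix bytes follow up to a byte
 * <= 32.  Both numbers come from the input, so the prefix is checked against
 * the previous word and the write index i is bounded.
 * Returns the decoded length, -1 at end of input, -2 for a bad prefix. */
static int decode_entry(FILE *in, char *cur)
{
    int i, c;
    if ((i = getc(in)) == EOF)
        return -1;
    if (i == 0 && (i = getc(in)) == EOF)
        return -1;
    --i;
    if (i < 0 || i > (int)strlen(cur)) {   /* would reuse bytes past prev word */
        while ((c = getc(in)) > 32)
            ;                              /* skip this entry's suffix */
        return -2;
    }
    while ((c = getc(in)) > 32 && i < WORD_BUFF_SIZE - 1)
        cur[i++] = (char)c;
    cur[i] = '\0';
    while (c > 32)                         /* drop an over-long suffix */
        c = getc(in);
    return i;
}

/* A seekable FILE* over constructed bytes (tmpfile() is ISO C). */
static FILE *stream_from(const char *bytes, size_t len)
{
    FILE *f = tmpfile();
    if (f) { fwrite(bytes, 1, len, f); rewind(f); }
    return f;
}

struct scan_result   { int words, truncated, longest; char last[WORD_BUFF_SIZE]; };
struct decode_result { int decoded, rejected, longest; char second[WORD_BUFF_SIZE]; };

/* The advisory's demo input, constructed here: 1000 'a's, then "hello". */
static struct scan_result demo_reader_side(void)
{
    struct scan_result r = {0, 0, 0, ""};
    char input[1100];
    size_t len = 1000;
    int t;
    FILE *f;
    memset(input, 'a', len);
    memcpy(input + len, "\nhello\n", 7); len += 7;
    if ((f = stream_from(input, len)) == NULL) return r;
    while (get_word_bounded(f, r.last, &t)) {
        int n = (int)strlen(r.last);
        r.words++;
        r.truncated += t;
        if (n > r.longest) r.longest = n;
    }
    fclose(f);
    return r;
}

/* Constructed stream: "apple"; prefix 3 + "ly" = "apply"; an entry whose
 * prefix byte 0xFF claims 254 shared bytes; a 300-byte suffix. */
static struct decode_result demo_decoder_side(void)
{
    struct decode_result r = {0, 0, 0, ""};
    char stream[400], cur[WORD_BUFF_SIZE] = "";
    size_t len = 0;
    int n;
    FILE *f;
    memcpy(stream + len, "\001apple\n", 7); len += 7;
    memcpy(stream + len, "\004ly\n", 4);    len += 4;
    memcpy(stream + len, "\377x\n", 3);     len += 3;
    stream[len++] = 1;
    memset(stream + len, 'b', 300);         len += 300;
    stream[len++] = '\n';
    if ((f = stream_from(stream, len)) == NULL) return r;
    while ((n = decode_entry(f, cur)) != -1) {
        if (n == -2) { r.rejected++; continue; }
        r.decoded++;
        if (r.decoded == 2) strcpy(r.second, cur);
        if (n > r.longest) r.longest = n;
    }
    fclose(f);
    return r;
}

int main(void)
{
    struct scan_result s = demo_reader_side();
    struct decode_result d = demo_decoder_side();
    printf("reader:  %d words, %d truncated, longest %d, last \"%s\"\n",
           s.words, s.truncated, s.longest, s.last);
    printf("decoder: %d decoded, %d rejected, longest %d, second \"%s\"\n",
           d.decoded, d.rejected, d.longest, d.second);
    return 0;
}
```

Build with `cc -Wall wlc_bounded.c && ./a.out`: the 1000-byte word is stored as 255 bytes with the truncation flag set and "hello" still arrives as its own word, and on the decode side the hostile 0xFF prefix is rejected while the 300-byte suffix is cut at 255, which is the behaviour the `i`-based bound in Comment 12's patch gives and the `count`-based bound in the first patch does not.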
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2004-06-09 09:15:18 UTC
thanks Florian, I'll check this out then check it in.
Comment 3 Seemant Kulleen (RETIRED) gentoo-dev 2004-06-09 09:30:24 UTC
Florian, SecurityFocus seems to have removed this. Can you verify the URL to the advisory please?
Comment 4 Florian Schilhabel (RETIRED) gentoo-dev 2004-06-09 09:55:52 UTC
hi seemant,
the original advisory can be found at:

http://nettwerked.mg2.org/advisories/wlc

Best Regards,
Florian
Comment 5 Seemant Kulleen (RETIRED) gentoo-dev 2004-06-09 13:42:52 UTC
ok, aspell-0.50.5-r1 is in portage and stable on x86 and s390.  Awaiting EVERY other arch to stabilise.
Comment 6 Ciaran McCreesh 2004-06-09 14:22:47 UTC
Since you asked so nicely... sparc mips
Comment 7 Luca Barbato gentoo-dev 2004-06-09 14:34:41 UTC
Marked ppc
Comment 8 Guy Martin (RETIRED) gentoo-dev 2004-06-09 14:47:25 UTC
Stable on hppa.
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-10 09:14:06 UTC
Stable on alpha.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-06-14 09:33:54 UTC
Stable on all required arches, we can issue a GLSA.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-14 13:07:44 UTC
GLSA drafted: security please review.
Comment 12 Adam Bregenzer 2004-06-14 14:34:37 UTC
It seems this patch breaks the word-list-compress binary in app-text/aspell-0.50.5-r1.  See Bug 53801 for more details.  Here is a new patch that passes the tests posted here as well as restores the previous functionality.

30a31,32
> #define WORD_BUFF_SIZE 256
>
43a46
>   int count = 0;
48c51,52
<   } while (c = getc(in), c != EOF && c > 32);
---
>     count++;
>   } while (c = getc(in), c != EOF && c > 32 && count < (WORD_BUFF_SIZE - 1));
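Review bot: with `count++` after the store and the loop stopping at `count < (WORD_BUFF_SIZE - 1)`, at most 255 bytes are stored before `*w = '\0'` lands in index 255, so the 256-byte buffer is no longer overrun; that -1 deserves a one-line comment, since it is easy to "fix" away later. The remaining bytes of an over-long token are not consumed, though: the loop exits with `c` holding the 256th character, the existing `ungetc(c, in)` pushes it back, and the next call reads the rest as another word, so one bad entry silently becomes several 255-byte words in the compressed output. Either drain to the next separator inside get_word or report the truncation to the caller.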
64,65c68,69
<     char s1[256];
<     char s2[256];
---
>     char s1[WORD_BUFF_SIZE];
>     char s2[WORD_BUFF_SIZE];
92c96
<     char cur[256];
---
>     char cur[WORD_BUFF_SIZE];
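Review bot: routing `s1`, `s2` and `cur` through `WORD_BUFF_SIZE` ties the three buffers to the two loop bounds, which is what keeps them from drifting apart; keep the macro beside the buffers it governs and avoid any further literal 256 in this file.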
103c107
<       while ((c = getc(stdin)) > 32)
---
>       while ((c = getc(stdin)) > 32 && i < (WORD_BUFF_SIZE - 1)) {
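Review bot: bounding on `i` rather than a character counter is right here, because `i` starts at the prefix length taken from the stream (`if (i == 0) i = getc(stdin); --i;`) and that is exactly the value an attacker controls. Two gaps remain: when the bound trips, the unread suffix bytes stay in the stream and the next outer iteration consumes one of them as a prefix length, so the output turns to garbage rather than an error; and a prefix longer than the previous word copies stale bytes from `cur` (or uninitialized ones on the first entry) into the output. Drain to the next separator when the bound trips and reject a prefix larger than the length of the previous decoded word.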
104a109
>       }
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-06-15 01:44:35 UTC
Bug 53801 blocks this fix. Going back to [ebuild] status while investigating.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-06-17 05:10:19 UTC
Ready for the GLSA now...
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-06-17 12:41:28 UTC
GLSA 200406-14
Comment 16 solar (RETIRED) gentoo-dev 2004-08-18 12:19:26 UTC
Arch maintainers please test and stabilize aspell-0.50.5-r4.ebuild

The previous security patch included in gentoo for aspell was apparently
incorrect. It counted the words rather than characters. This revision fixes
that. This was brought to our attention by Ludwig Nussel
<ludwig.nussel@suse.de>

http://savannah.gnu.org/cgi-bin/viewcvs/aspell/aspell/prog/compress.c.diff?r1=1.2.2.3&r2=1.2.2.1
Comment 17 Aron Griffis (RETIRED) gentoo-dev 2004-08-18 12:43:52 UTC
alpha, amd64, ia64 and x86 done
Comment 18 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-18 18:10:00 UTC
stable on ppc
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-18 18:25:33 UTC
sparc happy.
Comment 20 Hardave Riar (RETIRED) gentoo-dev 2004-08-18 19:21:30 UTC
Stable on mips
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-18 19:24:50 UTC
As I said, it's sparc happy, so s390@ goes back and sparc@ goes out of the cc, thanks hardave for the headsup!
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-18 22:09:34 UTC
GLSA 200406-14 updated.

Klieber will you issue an errata?
Comment 23 Guy Martin (RETIRED) gentoo-dev 2004-08-19 01:50:33 UTC
Stable on hppa.
Comment 24 SpanKY gentoo-dev 2004-08-19 19:37:51 UTC
arm stable
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 06:47:13 UTC
GLSA 200406-14 reissued
Comment 26 SpanKY gentoo-dev 2004-09-22 21:37:33 UTC
s390 stable