Secunia Research has discovered a vulnerability in Link Grammar, which
can be exploited by malicious people to compromise an application using
The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 4.1b.
The vulnerability is caused by incorrectly calling the "strncpy()"
function in several places throughout "separate_word()".
The vulnerability can be reproduced by calling the "separate_sentence()"
function with an overly long "input_string" parameter (200 bytes).
A PoC is available upon request.
We have assigned this vulnerability Secunia advisory SA27300 and CVE
Disclosure date: As soon as the vendor releases a patch, or 2007-11-07.
Note that this may be changed if the vendor requests it.
Alin Rad Pop, Secunia Research.
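Added illustration, not Link Grammar's code: the bounded-copy mistake the advisory describes (a strncpy length taken from the source token rather than the destination buffer) next to a word splitter that bounds the copy by the destination and rejects overlong tokens. The buffer size, the space-only separator grammar and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define WORD_BUF 62   /* assumed: room for a 61-byte word plus NUL */

/* Defect pattern the advisory describes (sizes assumed): the copy length is
 * the *source* token's length, so a 200-byte token overruns the stack buffer:
 *     char word[WORD_BUF];
 *     size_t n = strcspn(s, " ");   // unbounded token length
 *     strncpy(word, s, n);          // n may exceed sizeof word
 *     word[n] = '\0';
 */

/* Safe bounded copy: the limit is the destination size; a token that does
 * not fit with its NUL is rejected rather than silently truncated. */
static int copy_word(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0 || n >= dstsz) {
        if (dstsz) dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Split on spaces; returns the accepted word count, *rejected the rest. */
int separate_sentence_safe(const char *input, int *rejected)
{
    int accepted = 0;
    *rejected = 0;
    for (const char *p = input; *p; p += strcspn(p, " ")) {
        p += strspn(p, " ");              /* skip separators */
        if (!*p) break;
        char word[WORD_BUF];
        size_t n = strcspn(p, " ");
        if (copy_word(word, sizeof word, p, n)) accepted++;
        else (*rejected)++;
    }
    return accepted;
}
int accepted_words(const char *s) { int r; return separate_sentence_safe(s, &r); }

/* Builds a one-word sentence of `len` bytes (200 is the advisory's repro
 * size) and returns how many words were rejected: 1 means it was caught. */
int overlong_word_check(size_t len)
{
    char sentence[512];
    int rejected;
    if (len >= sizeof sentence) return -1;
    memset(sentence, 'a', len);
    sentence[len] = '\0';
    separate_sentence_safe(sentence, &rejected);
    return rejected;
}
```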
Created attachment 135199
Upstream committed a patch on Oct. 27. Attached the patch and upstream log message.
revbumped in tree. Compile and pass tests fine.
Arch security liaisons please test and mark stable. Target keywords are:
link-grammar-4.2.4-r1.ebuild="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
Stable for SPARC (gustavoz has resigned).
Adding armin for alpha
Public as per $URL.
Only amd64 is missing.
GLSA request filed.