Secunia Research has discovered a vulnerability in Link Grammar, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error within the "separate_word()" function in tokenize.c when processing overly long words (over 61 bytes). This can be exploited to cause a stack-based buffer overflow via a specially crafted sentence passed to the "separate_sentence()" function.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.1b.

Vulnerability Details:
----------------------
The vulnerability is caused by incorrectly calling the "strncpy()" function in several places throughout "separate_word()".

Exploitation:
-------------
The vulnerability can be reproduced by calling the "separate_sentence()" function with an overly long "input_string" parameter (200 bytes).

A PoC is available upon request.

Closing comments:
-----------------
We have assigned this vulnerability Secunia advisory SA27300 and CVE identifier CVE-2007-5395.

Upstream contacted.

Disclosure date: As soon as the vendor releases a patch, or 2007-11-07. Note that this may be changed if the vendor requests it.

Credits: Alin Rad Pop, Secunia Research.
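The advisory above describes a fixed-size stack buffer in a word tokenizer being filled with strncpy() bounded by the wrong length. The following is an added example, not Link Grammar's code and not the upstream patch: it shows the defensive pattern a tokenizer needs, namely bounding the copy by the destination size and rejecting a token that does not fit before any byte is written. The MAX_WORD limit, the function names and the inputs are constructed for this example; the real library's constants and buffer sizes are not on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit for this example. The advisory only says that words
 * longer than 61 bytes overflow a fixed stack buffer; the actual Link
 * Grammar constant is not reproduced here. */
#define MAX_WORD 60
#define WORD_BUF_LEN (MAX_WORD + 1)   /* one extra byte for the terminating NUL */

/* Copy one token of `len` bytes from `src` into a fixed-size buffer.
 * The flawed pattern in the advisory bounds strncpy() by the source length,
 * so the destination size never enters the check. Here the length is tested
 * against the destination first and an over-long token is refused outright. */
static bool copy_word(char dst[WORD_BUF_LEN], const char *src, size_t len)
{
    if (len > MAX_WORD) {
        return false;            /* does not fit: refuse rather than overrun */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';             /* strncpy() would leave this out when len == size */
    return true;
}

/* Split `sentence` on spaces, passing each token through copy_word().
 * Returns the number of tokens accepted, or -1 as soon as a token exceeds
 * MAX_WORD. If `longest` is non-NULL it receives the longest token length
 * seen, which is a useful value to log when rejecting input. */
int separate_words_checked(const char *sentence, size_t *longest)
{
    char word[WORD_BUF_LEN];     /* the fixed stack buffer being protected */
    int count = 0;
    size_t max_len = 0;
    const char *p = sentence;

    while (*p != '\0') {
        while (*p == ' ') p++;                    /* skip separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != ' ') p++;
        size_t len = (size_t)(p - start);
        if (len > max_len) max_len = len;
        if (!copy_word(word, start, len)) {
            if (longest) *longest = max_len;
            return -1;                            /* over-long token: reject the sentence */
        }
        count++;
    }
    if (longest) *longest = max_len;
    return count;
}

/* Build the constructed sentence "the <word_len x 'A'> sat" and run it
 * through the checker. Returns 3 when the long token is accepted, -1 when
 * it is rejected, -2 if the request does not fit this helper's own buffer. */
int check_token_length(size_t word_len)
{
    char buf[512];
    if (word_len + 10 > sizeof buf) return -2;
    memcpy(buf, "the ", 4);
    memset(buf + 4, 'A', word_len);
    memcpy(buf + 4 + word_len, " sat", 5);       /* copies the NUL as well */
    return separate_words_checked(buf, NULL);
}

int main(void)
{
    size_t longest = 0;
    printf("normal sentence: %d words accepted\n",
           separate_words_checked("the cat sat on the mat", &longest));
    /* 200 bytes is the length the advisory uses to reproduce the overflow */
    printf("200-byte token: result %d\n", check_token_length(200));
    printf("%d-byte token: result %d\n", MAX_WORD, check_token_length(MAX_WORD));
    return 0;
}
```

The important difference from the pattern the advisory describes is the order of operations: the length comparison happens against the destination size before the copy, and the outcome is a visible error return instead of silent truncation, so a caller can log and drop the crafted sentence.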
Created attachment 135199: link-grammar-CVE-2007-5395.patch

Upstream committed a patch on Oct. 27. Attached the patch and upstream log message.
Revbumped in tree. Compiles and passes tests fine.
Arch security liaisons please test and mark stable. Target keywords are: link-grammar-4.2.4-r1.ebuild="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
ppc stable
Stable for SPARC (gustavoz has resigned).
Adding armin for alpha
ppc64 stable
alpha/ia64/x86 stable
Public as per $URL. Only amd64 is missing.
amd64 stable
GLSA request filed.
GLSA 200711-27