317265 – ~app-dicts/wordnet-3.0 format string vulnerability (CVE requested)

Bug 317265 - ~app-dicts/wordnet-3.0 format string vulnerability (CVE requested)

Summary: ~app-dicts/wordnet-3.0 format string vulnerability (CVE requested)

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	C2 [upstream/ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2010-04-26 08:02 UTC by Petr Pisar
Modified:	2013-09-03 18:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Petr Pisar 2010-04-26 08:02:31 UTC

Notice: This report is based on RHEL and Fedora distros, but I believe Gentoo is affected too. Upstream has been notified (no response yet).

Flaw overview
================

`wn' utility from wordnet-3.0 package passes user input (executable positional
argument) to fprintf(3) as format string without check for format escapes.


Flaw details
============

WordNet-3.0/src/wn.c, line 208 after applying RHEL patches (or line 207 in
vanilla sources):

    /* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
    sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
    display_message(tmpbuf);

copies positional argument (av[j]) to error message (tmpbuf) and pass it to
display_message() in turn.

display_message is global variable pointing (WordNet-3.0/src/wn.c:134) to
error_message() function (WordNet-3.0/src/wn.c:346):

    static int error_message(char *msg)
    {
        fprintf(stderr, msg);
        return(0);
    }

that passes message msg (hence tmpbuf) to fprintf(3) as format string.

If msg variable contains format sequences, fprintf() will try to read or write
(%n) from or to unexpected place on process stack.


How to reproduce
================

Compile and install wordnet package and invoke `wn' executable with invalid
arguments resulting in application error message:

    $ wn -antsn 'Hello world'
    wn: invalid search option: Hello world

Now try some formating escapes:

    $ wn -antsn '%s'
    Segmentation fault (core dumped)

    $ wn -antsn '%x %x %x %x'
    wn: invalid search option: 1 b 0 1789f60d

    $ wn -antsn '%n'
    *** %n in writable segment detected ***
    Aborted (core dumped)


Flaw impacts
============

Malicous user input can cause memory access violation, can disclose stack
content, or can write onto the process stack to execute any arbitrary code.


Affected versions
=================

All app-dict/wordnet-3.0* packages are affected.


Proposed fix
============

diff --git a/src/wn.c b/src/wn.c
index ddb27aa..b160392 100644
--- a/src/wn.c
+++ b/src/wn.c
@@ -344,7 +344,7 @@ static int getoptidx(char *searchtype)
 
 static int error_message(char *msg)
 {
-    fprintf(stderr, msg);
+    fprintf(stderr, "%s", msg);
     return(0);
 }

Comment 1 Alex Legler (RETIRED) archtester

2010-04-26 17:29:25 UTC

Thanks for the report.
I don't see a trust boundary violated here as you need a way to execute the program and specify an argument to trigger the issue in the first place.

app-dicts: When upstream releases a new version, please bump. I don't currently see the need to immediately patch this issue.

Comment 2 Chris Reffett (RETIRED) gentoo-dev

2013-09-03 18:39:54 UTC

Can't find a CVE, no bumps to package since this was last considered, and as mentioned before it only denies service to yourself. Closing WONTFIX.