intro: Aspell was intended as a more accurate and robust replacement for the popular ispell package, and was written by GNU. Aspell includes a small utility for compressing and decompressing wordlists before processing by aspell, namely 'word-list-compress'. Due to insufficient bounds checking, a malformed wordlist can cause a stack-based buffer overflow, possibly allowing execution of arbitrary code with the privileges of the invoking user.

demo:
[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress c
Segmentation fault
[root@leela](~) # echo `perl -e 'print "a"x1000'` | word-list-compress d
t·®Â½ t·®Â½
Segmentation fault

--patch--
--- aspell-bug.patch ---
--- compress.orig.c 2004-06-08 16:37:00.000000000 +0100 +++ compress.c 2004-06-08 16:34:35.000000000 +0100 @@ -28,6 +28,9 @@ #endif +int count; + + void usage () { fputs("Compresses or uncompresses sorted word lists.\n" , stderr); @@ -47,6 +50,7 @@ *w++ = (char)(c); } while (c = getc(in), c != EOF && c > 32); *w = '\0'; + count++; ungetc(c, in); if (c == EOF) return 0; else return 1; @@ -69,6 +73,7 @@ SETBIN (stdout); + while(count < 256) { while (get_word(stdin, cur)) { int i = 0; /* get the length of the prefix */ @@ -85,6 +90,7 @@ prev = s2; cur = s1; } } + } return 0; } else if (argv[1][0] == 'd') { @@ -100,8 +106,11 @@ if (i == 0) i = getc(stdin); --i; - while ((c = getc(stdin)) > 32) + while ((c = getc(stdin)) > 32 && count < 256) { cur[i++] = (char)c; + count++; + } + cur[i] = '\0'; fputs(cur, stdout); putc('\n', stdout);
--- EOF ---

...found in bugtraq...

best regards
florian

Reproducible: Always
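Review bot: the bound is applied in the wrong place in the get_word hunk (@@ -47,6 +50,7 @@): `count++;` runs once after the `do { *w++ = (char)(c); } while (c = getc(in), c != EOF && c > 32);` loop, so it counts completed words and never limits how many bytes that loop writes into the caller's 256-byte buffer. The single 1000-byte word from the demo still drives the loop 1000 times. The check belongs on characters, inside the loop condition, e.g. `} while (c = getc(in), c != EOF && c > 32 && count < 255);` with `count` incremented per byte and reset to 0 at the start of each call.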
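Review bot: the `while(count < 256) {` wrapper placed around `while (get_word(stdin, cur))` (hunks @@ -69,6 +73,7 @@ and @@ -85,6 +90,7 @@) makes the compressor stop after 256 words, because `count` is incremented once per word and never reset; any real wordlist longer than that is silently truncated. The outer loop should be dropped and the character copy in get_word bounded instead.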
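Review bot: in the decompress hunk (@@ -100,8 +106,11 @@) the new condition `count < 256` tests the wrong variable. `count` is the file-wide global and is never reset between words, so once 256 bytes have been read in total every later word stops after its prefix, while the index that actually writes, `cur[i++]`, starts from the prefix length carried in `i` (`i = getc(stdin); --i;`) and is never compared with the buffer size. Bound the write index instead: `while ((c = getc(stdin)) > 32 && i < 255)`, so that the following `cur[i] = '\0';` lands inside the 256-byte buffer.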
thanks Florian, I'll check this out then check it in.
Florian, securityfocus seems to have removed this. Can you verify the URL to the advisory please?
Hi Seemant, the original advisory can be found at: http://nettwerked.mg2.org/advisories/wlc Best Regards, Florian
ok, aspell-0.50.5-r1 is in portage and stable on x86 and s390. Awaiting EVERY other arch to stabilise.
Since you asked so nicely... sparc mips
Marked ppc
Stable on hppa.
Stable on alpha.
Stable on all required arches, we can issue a GLSA.
GLSA drafted: security please review.
It seems this patch breaks the word-list-compress binary in app-text/aspell-0.50.5-r1. See Bug 53801 for more details. Here is a new patch that passes the tests posted here as well as restores the previous functionality.

30a31,32 > #define WORD_BUFF_SIZE 256 > 43a46 > int count = 0; 48c51,52 < } while (c = getc(in), c != EOF && c > 32); --- > count++; > } while (c = getc(in), c != EOF && c > 32 && count < (WORD_BUFF_SIZE - 1)); 64,65c68,69 < char s1[256]; < char s2[256]; --- > char s1[WORD_BUFF_SIZE]; > char s2[WORD_BUFF_SIZE]; 92c96 < char cur[256]; --- > char cur[WORD_BUFF_SIZE]; 103c107 < while ((c = getc(stdin)) > 32) --- > while ((c = getc(stdin)) > 32 && i < (WORD_BUFF_SIZE - 1)) { 104a109 > }
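Review bot: in the get_word change (48c51,52), when a word reaches WORD_BUFF_SIZE - 1 characters the loop exits with `c > 32`, and the `ungetc(c, in)` that follows in get_word (visible as context in the first patch) hands that byte back, so the next get_word() call reads the remainder as a new word: an over-long entry is silently split into several entries rather than rejected. That is crash-safe, but deserves either a comment or an explicit error on stderr, since the compressed output will no longer round-trip to the original list.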
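Review bot: the decompress bound `i < (WORD_BUFF_SIZE - 1)` (103c107) is on the right variable, since `i` is the actual write index, so `cur[i] = '\0'` lands at index 255 at most inside `char cur[WORD_BUFF_SIZE]`. Note that when the bound trips, the unread bytes of that word stay in the stream and are consumed by the outer loop as if they were the next prefix-length byte, so a malformed input now decodes to garbage instead of crashing; acceptable for this fix, but the limit should carry a comment saying so.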
Bug 53801 blocks this fix. Going back to [ebuild] status while investigating.
Ready for the GLSA now...
GLSA 200406-14
Arch maintainers please test and stabilize aspell-0.50.5-r4.ebuild The previous security patch included in gentoo for aspell was apparently incorrect. It counted the words rather than characters. This revision fixes that. This was brought to our attention by Ludwig Nussel <ludwig.nussel@suse.de> http://savannah.gnu.org/cgi-bin/viewcvs/aspell/aspell/prog/compress.c.diff?r1=1.2.2.3&r2=1.2.2.1
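The distinction raised in this comment, bounding the number of words versus the number of characters copied, as an added example that is not code from aspell or from either patch in this thread: a reimplementation of the get_word() copy loop fed from an in-memory stream, with one parameter for each kind of bound, run over the 1000-byte word from the bugtraq demo and over a constructed 300-entry list. The names get_word_n, run_wordlist, demo_input and many_words_input are chosen here; the 256-byte buffer size is the one the patches call WORD_BUFF_SIZE, and the unbounded variant writes into an oversized scratch buffer so that the length of the would-be overflow can be measured without corrupting the stack.

```c
#include <stdio.h>
#include <string.h>

#define WORD_BUFF_SIZE 256   /* size of the stack buffers cur, s1, s2 in compress.c */
#define SCRATCH_SIZE   4096  /* oversized scratch so the unbounded loop can be observed safely */

/* In-memory stand-in for stdin, so the loops run on constructed input. */
struct instream { const char *data; size_t len, pos; };

static int sgetc(struct instream *in)
{
    return in->pos < in->len ? (unsigned char)in->data[in->pos++] : EOF;
}

/* Copy one whitespace-delimited word into w, following the shape of get_word():
 * skip bytes <= 32, then copy bytes > 32 until EOF or a separator.
 * limit == 0 reproduces the original unbounded copy; limit > 0 stops after that
 * many characters, as the revised patch does with count < (WORD_BUFF_SIZE - 1).
 * cap is the real size of w. Returns bytes copied, or -1 when no word is left. */
static int get_word_n(struct instream *in, char *w, size_t cap, size_t limit)
{
    int c;
    size_t n = 0;

    while (c = sgetc(in), c != EOF && c <= 32)
        ;
    if (c == EOF)
        return -1;
    do {
        if (n + 1 >= cap)      /* protects the scratch buffer only; absent in the original */
            break;
        w[n++] = (char)c;
    } while (c = sgetc(in), c != EOF && c > 32 && (limit == 0 || n < limit));
    w[n] = '\0';
    if (c != EOF)
        in->pos--;             /* ungetc(c, in): hand back the separator or the unread byte */
    return (int)n;
}

struct run_stats {
    int words;     /* words handed to the caller */
    int longest;   /* longest single write, terminator not included */
    int overflow;  /* 1 if any write would not fit a WORD_BUFF_SIZE buffer */
};

/* Drive get_word_n() over a whole list. max_words > 0 reproduces the first
 * patch's outer while (count < 256) loop, which counts words rather than bytes. */
static struct run_stats run_wordlist(const char *input, size_t limit, int max_words)
{
    struct instream in = { input, strlen(input), 0 };
    static char scratch[SCRATCH_SIZE];
    struct run_stats st = { 0, 0, 0 };
    int n;

    while ((n = get_word_n(&in, scratch, sizeof scratch, limit)) >= 0) {
        st.words++;
        if (n > st.longest)
            st.longest = n;
        if (n + 1 > WORD_BUFF_SIZE)   /* the bytes plus '\0' must fit in 256 */
            st.overflow = 1;
        if (max_words > 0 && st.words >= max_words)
            break;
    }
    return st;
}

/* Constructed input: the bugtraq demo, one 1000-byte word plus the newline echo adds. */
static const char *demo_input(void)
{
    static char buf[1002];
    memset(buf, 'a', 1000);
    buf[1000] = '\n';
    buf[1001] = '\0';
    return buf;
}

/* Constructed input: n short entries "w0".."w<n-1>", one per line. */
static const char *many_words_input(int n)
{
    static char buf[4096];
    size_t off = 0;
    int i;
    buf[0] = '\0';
    for (i = 0; i < n && off + 8 < sizeof buf; i++)
        off += (size_t)snprintf(buf + off, sizeof buf - off, "w%d\n", i);
    return buf;
}

int main(void)
{
    struct run_stats orig  = run_wordlist(demo_input(), 0, 0);
    struct run_stats first = run_wordlist(demo_input(), 0, 256);
    struct run_stats fixed = run_wordlist(demo_input(), WORD_BUFF_SIZE - 1, 0);
    struct run_stats trunc = run_wordlist(many_words_input(300), 0, 256);

    printf("original:   longest write %4d, overflow=%d\n", orig.longest, orig.overflow);
    printf("word count: longest write %4d, overflow=%d\n", first.longest, first.overflow);
    printf("char bound: longest write %4d, overflow=%d, words=%d\n",
           fixed.longest, fixed.overflow, fixed.words);
    printf("word count on 300 entries: %d processed\n", trunc.words);
    return 0;
}
```

Compile with `cc -Wall -o wlc-bound wlc-bound.c` and run it. The original loop and the word-counting variant both report a 1000-byte write against a 256-byte buffer, i.e. the overflow from the demo is untouched by the first patch, and the word counter additionally cuts a 300-entry list off at 256. The character bound from the revised patch keeps every write at 255 bytes, at the cost of splitting the over-long entry into four words, which is the behaviour to keep in mind when reading the r4 ebuild's patch.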
alpha, amd64, ia64 and x86 done
stable on ppc
sparc happy.
Stable on mips
As I said, it's sparc happy, so s390@ goes back and sparc@ goes out of the cc, thanks hardave for the heads-up!
GLSA 200406-14 updated. Klieber will you issue an errata?
arm stable
GLSA 200406-14 reissued
s390 stable