diff -u link-grammar-4.1.3/debian/patches/series link-grammar-4.1.3/debian/patches/series
--- link-grammar-4.1.3/debian/patches/series
+++ link-grammar-4.1.3/debian/patches/series
@@ -5,0 +6 @@
+CVE-2007-5395
diff -u link-grammar-4.1.3/debian/changelog link-grammar-4.1.3/debian/changelog
--- link-grammar-4.1.3/debian/changelog
+++ link-grammar-4.1.3/debian/changelog
@@ -1,3 +1,18 @@
+link-grammar (4.1.3-1ubuntu0.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE: Stack-based buffer overflow in the separate_word function
+ in tokenize.c in Link Grammar 4.1b and possibly other versions, as used in
+ AbiWord Link Grammar 4.2.4, allows remote attackers to execute arbitrary code
+ via a long word, as reachable through the separate_sentence function.
+ * debian/patches/CVE-2007-5395: Added patch according to upstream.
+ (See: https://bugzilla.redhat.com/attachment.cgi?id=255061)
+ (LP: #162511)
+ * References:
+ CVE-2007-5395
+ https://bugzilla.redhat.com/show_bug.cgi?id=371221
+
+ -- Stephan Hermann Tue, 13 Nov 2007 22:57:07 +0100
+
 link-grammar (4.1.3-1) unstable; urgency=low
   * Initial release Closes: #337277
only in patch2:
unchanged:
--- link-grammar-4.1.3.orig/debian/patches/CVE-2007-5395
+++ link-grammar-4.1.3/debian/patches/CVE-2007-5395
@@ -0,0 +1,79 @@
+Index: link-grammar-4.1.3/link-grammar/tokenize.c
+===================================================================
+--- link-grammar-4.1.3.orig/link-grammar/tokenize.c 2007-11-13 22:53:57.000000000 +0100
++++ link-grammar-4.1.3/link-grammar/tokenize.c 2007-11-13 22:56:14.000000000 +0100
+@@ -172,6 +172,8 @@
+ used in a sentence.
+ */
+ 
++#undef MIN
++#define MIN(a, b) (((a) < (b)) ? (a) : (b))
+ 
+ 
+ static int separate_word(Sentence sent, char *w, char *wend, int is_first_word, int quote_found) {
+@@ -256,8 +258,8 @@
+ 
+ for (n_r_stripped = 0; n_r_stripped < MAX_STRIP; n_r_stripped++) {
+ 
+- strncpy(word, w, wend-w);
+- word[wend-w] = '\0';
++ strncpy(word, w, MIN(wend-w, MAX_WORD));
++ word[MIN(wend-w, MAX_WORD)] = '\0';
+ if (wend == w) break; /* it will work without this */
+ 
+ if (boolean_dictionary_lookup(sent->dict, word) || is_initials_word(word)) break;
+@@ -285,8 +287,8 @@
+ /* Now we strip off suffixes...w points to the remaining word, "wend" to the end of the word. */
+ 
+ s_stripped = -1;
+- strncpy(word, w, wend-w);
+- word[wend-w] = '\0';
++ strncpy(word, w, MIN(wend-w, MAX_WORD));
++ word[MIN(wend-w, MAX_WORD)] = '\0';
+ word_is_in_dict=0;
+ 
+ if (boolean_dictionary_lookup(sent->dict, word) || is_initials_word(word)) word_is_in_dict=1;
+@@ -309,16 +311,16 @@
+ 
+ if(s_ok==1 || i==s_strippable) {
+ 
+- strncpy(newword, w, (wend-len)-w);
+- newword[(wend-len)-w] = '\0';
++ strncpy(newword, w, MIN((wend-len)-w, MAX_WORD));
++ newword[MIN((wend-len)-w, MAX_WORD)] = '\0';
+ 
+ /* Check if the remainder is in the dictionary; for the no-suffix case, it won't be */
+ if (boolean_dictionary_lookup(sent->dict, newword)) {
+ if(verbosity>1) if(i< s_strippable) printf("Splitting word into two: %s-%s\n", newword, suffix[i]);
+ s_stripped = i;
+ wend -= len;
+- strncpy(word, w, wend-w);
+- word[wend-w] = '\0';
++ strncpy(word, w, MIN(wend-w, MAX_WORD));
++ word[MIN(wend-w, MAX_WORD)] = '\0';
+ break;
+ }
+ 
+@@ -326,17 +328,17 @@
+ else {
+ for (j=0; jdict, newword)) {
+ if(verbosity>1) if(i < s_strippable) printf("Splitting word into three: %s-%s-%s\n", prefix[j], newword, suffix[i]);
+ if (!issue_sentence_word(sent, prefix[j])) return FALSE;
+ if(i < s_strippable) s_stripped = i;
+ wend -= len;
+ w += strlen(prefix[j]);
+- strncpy(word, w, wend-w);
+- word[wend-w] = '\0';
+- break;
++ strncpy(word, w, MIN(wend-w, MAX_WORD));
++ word[MIN(wend-w, MAX_WORD)] = '\0';
++ break;
+ }
+ }
+ }
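Review bot: The new terminator write `word[MIN(wend-w, MAX_WORD)] = '\0';` (and the `newword[...]` form in the -309 hunk) stores at index MAX_WORD, so it is in bounds only if `word` and `newword` are declared with MAX_WORD+1 bytes; their declarations are outside these hunks, and if they are `char word[MAX_WORD]` the fix still writes one byte past the end for any word of MAX_WORD or more characters, so please confirm the sizes. The bound also does nothing when `(wend-len)-w` goes negative: MIN() passes a negative ptrdiff_t through and strncpy converts it to a huge size_t, so that copy is safe only if the suffix loop above (not in the hunk) already guarantees `len <= wend-w`. Because truncation now silently makes `word` disagree with the `w`/`wend` range that the later suffix and prefix stripping adjusts, a comment next to the new `#define MIN` would help, e.g. `/* CVE-2007-5395: words longer than MAX_WORD are truncated, not rejected; word/newword must hold MAX_WORD+1 bytes */`. separate_word begins in the -172 hunk and its body runs outside the visible hunks.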