[CVE-2008-2149] wordnet 2.0, 2.1, 3 affected by multiple buffer overflows

Bug #267067 reported by Stefan Lesicnik
258
Affects Status Importance Assigned to Milestone
wordnet (Debian)
Fix Released
Unknown
wordnet (Ubuntu)
Undecided
Unassigned
Feisty
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
Intrepid
Undecided
Unassigned

Bug Description

Binary package hint: wordnet

Stack-based buffer overflow in the searchwn function in Wordnet 2.0, 2.1,
and 3.0 might allow context-dependent attackers to execute arbitrary code
via a long command line option. NOTE: this issue probably does not cross
privilege boundaries except in cases in which Wordnet is used as a back
end.

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2149

Related branches

CVE References

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

This bug was closed in Debian, but the changelog states they only addressed minor components of this bug.

http://www.ocert.org/advisories/ocert-2008-014.html

shows the release of a more comprehensive patch.

http://www.ocert.org/analysis/2008-014/wordnet.patch

Changed in wordnet:
assignee: nobody → stefanlsd
status: New → In Progress
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Please find debdiff for Intrepid attached.

Changed in wordnet:
status: Unknown → Fix Released
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

New Intrepid debdiff with patches pulled in from Debian wordnet 3.0-13.

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

New Intrepid debdiff with patches pulled in from Debian wordnet 3.0-13. (updated version number to 11ubuntu0.1)

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

debdiff for hardy-security attached.

Changed in wordnet:
status: New → In Progress
Changed in wordnet:
assignee: stefanlsd → nobody
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

debdiff for gutsy-security attached and feisty-security attached.

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

All of the above debdiff files include the patch directly from Debian.

Changed in wordnet:
status: New → In Progress
status: New → In Progress
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :
Download full text (3.4 KiB)

There is no POC exploit or testsuite available. There are multiple buffer overflows.

Please note - I removed the debdiff for Gutsy at this stage as I found an actual build error with the package on Gutsy. I will be submitting an SRU to have this fixed, and then will reapply security fix.

For each release - Intrepid / Hardy / Feisty the following was tested by building a chroot image using pbuilder and confirming the behaviour of the unpatched version, and then installing the newly built patched .deb file and testing again.

I wrote a simple test:

wordnet `python -c "print 'A'*255"` -synsv

Where 255 is the number of chars to print. 255 should produce no errors.

When 255 is increased to 256 the following is produced.

stefan@lsd:~$ wordnet `python -c "print 'A'*256"` -synsv

Synonyms/Hypernyms (Ordered by Estimated Frequency) of verb aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** buffer overflow detected ***: wordnet terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ff2388]
/lib/tls/i686/cmov/libc.so.6[0xb7ff04b0]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7fef784]
/usr/lib/libwordnet-3.0.so(morphstr+0x58)[0xb8059108]
wordnet[0x8048b92]
wordnet[0x80492a8]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7f0e685]
wordnet[0x80489c1]
======= Memory map: ========
08048000-0804b000 r-xp 00000000 fe:01 220731 /usr/bin/wn
0804b000-0804c000 r--p 00002000 fe:01 220731 /usr/bin/wn
0804c000-0804d000 rw-p 00003000 fe:01 220731 /usr/bin/wn
086c1000-086e2000 rw-p 086c1000 00:00 0 [heap]
b7ef7000-b7ef8000 rw-p b7ef7000 00:00 0
b7ef8000-b8050000 r-xp 00000000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8050000-b8052000 r--p 00158000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8052000-b8053000 rw-p 0015a000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8053000-b8056000 rw-p b8053000 00:00 0
b8056000-b8064000 r-xp 00000000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8064000-b8065000 r--p 0000d000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8065000-b8068000 rw-p 0000e000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8068000-b80a9000 rw-p b8068000 00:00 0
b80ab000-b80b8000 r-xp 00000000 fe:05 7628 /lib/libgcc_s.so.1
b80b8000-b80b9000 r--p 0000c000 fe:05 7628 /lib/libgcc_s.so.1
b80b9000-b80ba000 rw-p 0000d000 fe:05 7628 /lib/libgcc_s.so.1
b80ba000-b80be000 rw-p b80ba000 00:00 0
b80be000-b80bf000 r-xp b80be000 00:00 0 [vdso]
b80bf000-b80d9000 r-xp 00000000 fe:05 26004 /lib/ld-2.8.90.so
b80d9000-b80da000 r--p 0001a000 fe:05 26004 /lib/ld-2.8.90.so
b80da000-b80db000 rw-p 0001b000 fe:05 26004 /lib/ld-2.8.90.so
bfac5000-bfada000 rw-p bffeb000 00:00 0 [stack]
, %sAborted (core dumped)

257 produces:

stefan@lsd:~$ wordnet `python -c "print 'A'*257"` -synsv
Segmentation fault (core dumped)

There we're reports also in Debian that some patches broke the -synsn functionality. This was also tested to ...

Read more...

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

SRU to fix Gutsy package before Security update can be applied is found here - https://bugs.edge.launchpad.net/ubuntu/+source/wordnet/+bug/275122

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Excellent work! The feisty debdiff did not use 'feisty-security', but beyond that everything looked great. I have uploaded feisty, hardy and intrepid. I have marked gutsy as 'Triaged', but please put back as 'In Progress' when the SRU process is taken care of.

Thanks for your thorough work!

Changed in wordnet:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: Fix Committed → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wordnet - 1:3.0-11ubuntu0.1

---------------
wordnet (1:3.0-11ubuntu0.1) intrepid; urgency=low

  * SECURITY UPDATE: Stack overflows fed via the command line, environment
    variables or WordNet library calls can result in arbitrary code
    execution. (Closes LP: #267067)
  * 51_overflows.patch:
    - ocert patch to address additional potential security exploits.
  * 51_overflows_memcpy.patch:
    - Fix part of oCERT patch that breaks 'wordnet test -synsn'.
  * References
    http://www.ocert.org/advisories/ocert-2008-014.html
    CVE-2008-2149

 -- Stefan Lesicnik <email address hidden> Thu, 11 Sep 2008 10:45:13 +0200

Changed in wordnet:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

wordnet (1:3.0-6ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: Stack overflows fed via the command line, environment
    variables or WordNet library calls can result in arbitrary code
    execution. (Closes LP: #257067)
  * 50_CVE-2008-2149_buffer_overflows.dpatch:
    - buffer overflow patch ( <email address hidden> (tille: 0) ).
  * 51_overflows.dpatch:
    - ocert patch to address additional potential security exploits.
  * 51_overflows_memcpy.dpatch:
    - Fix part of oCERT patch that breaks 'wordnet test -synsn'.
  * References
    http://www.ocert.org/advisories/ocert-2008-014.html
    CVE-2008-2149

Changed in wordnet:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in wordnet (Ubuntu Gutsy):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.