Comment 10 for bug 267067

Stefan Lesicnik (stefanlsd) wrote :

There is no POC exploit or testsuite available. There are multiple buffer overflows.

Please note - I removed the debdiff for Gutsy at this stage as I found an actual build error with the package on Gutsy. I will be submitting an SRU to have this fixed, and then will reapply the security fix.

For each release (Intrepid / Hardy / Feisty) the following was tested by building a chroot image using pbuilder, confirming the behaviour of the unpatched version, and then installing the newly built patched .deb file and testing again.

I wrote a simple test:

wordnet `python -c "print 'A'*255"` -synsv

where 255 is the number of characters to print. 255 should produce no errors.

When 255 is increased to 256, the following is produced.

stefan@lsd:~$ wordnet `python -c "print 'A'*256"` -synsv

Synonyms/Hypernyms (Ordered by Estimated Frequency) of verb aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** buffer overflow detected ***: wordnet terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ff2388]
/lib/tls/i686/cmov/libc.so.6[0xb7ff04b0]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7fef784]
/usr/lib/libwordnet-3.0.so(morphstr+0x58)[0xb8059108]
wordnet[0x8048b92]
wordnet[0x80492a8]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7f0e685]
wordnet[0x80489c1]
, %sAborted (core dumped)

257 produces:

stefan@lsd:~$ wordnet `python -c "print 'A'*257"` -synsv
Segmentation fault (core dumped)

There were also reports in Debian that some patches broke the -synsn functionality. This was also tested to ensure this regression is not present. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497649

After applying the patches, the buffer overflows with -synsv were not possible using the above test. The output is now:

wordnet `python -c "print 'A'*256"` -synsv
WordNet library error: search term is too long
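The backtrace above shows glibc's __strcpy_chk aborting inside morphstr, i.e. an unbounded strcpy of the search term into a fixed buffer. The following is an added illustration of that pattern and of a length-checked replacement that fails the way the patched package does; it is not WordNet's code, and the 256-byte buffer size is an assumption drawn from the 255-ok / 256-abort boundary observed in the test.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size term buffer (not taken from libwordnet): a 256-byte
 * buffer is consistent with 255 'A's fitting and 256 overflowing. */
#define WORDBUF 256

/* Vulnerable shape behind the __strcpy_chk abort in morphstr: the search
 * term is copied with no length check. A 256-char term writes 257 bytes
 * (including the NUL). Shown for contrast only; not called below. */
int unsafe_morph_copy(const char *term, char out[WORDBUF]) {
    strcpy(out, term);
    return 0;
}

/* Hardened form: reject the term before any copy, mirroring the
 * "search term is too long" error printed by the fixed package.
 * Returns 0 on success, -1 when the term (plus NUL) does not fit. */
int safe_morph_copy(const char *term, char out[WORDBUF]) {
    size_t len = strnlen(term, WORDBUF);  /* never scans past the limit */
    if (len >= WORDBUF) {
        fprintf(stderr, "WordNet library error: search term is too long\n");
        out[0] = '\0';
        return -1;
    }
    memcpy(out, term, len + 1);           /* copies the terminating NUL too */
    return 0;
}

/* Boundary check helper: builds a term of n 'A's, like the
 * python -c "print 'A'*n" argument above, and reports acceptance (1/0). */
int accepts_term_of_length(size_t n) {
    char term[WORDBUF + 8];
    char out[WORDBUF];
    if (n > WORDBUF + 7) n = WORDBUF + 7; /* keep the constructed input in bounds */
    memset(term, 'A', n);
    term[n] = '\0';
    return safe_morph_copy(term, out) == 0;
}

int main(void) {
    printf("255 accepted: %d\n", accepts_term_of_length(255)); /* 1 */
    printf("256 accepted: %d\n", accepts_term_of_length(256)); /* 0 */
    return 0;
}
```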