There is no POC exploit or testsuite available. There are multiple buffer overflows.
Please note - I removed the debdiff for Gutsy at this stage as I found an actual build error with the package on Gutsy. I will be submitting an SRU to have this fixed, and then will reapply the security fix.
For each release (Intrepid / Hardy / Feisty) the following was tested by building a chroot image using pbuilder, confirming the behaviour of the unpatched version, and then installing the newly built patched .deb file and testing again.
I wrote a simple test:
wordnet `python -c "print 'A'*255"` -synsv
Where 255 is the number of chars to print. 255 should produce no errors.
When 255 is increased to 256 the following is produced.
stefan@lsd:~$ wordnet `python -c "print 'A'*256"` -synsv
Synonyms/Hypernyms (Ordered by Estimated Frequency) of verb aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** buffer overflow detected ***: wordnet terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ff2388]
/lib/tls/i686/cmov/libc.so.6[0xb7ff04b0]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7fef784]
/usr/lib/libwordnet-3.0.so(morphstr+0x58)[0xb8059108]
wordnet[0x8048b92]
wordnet[0x80492a8]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7f0e685]
wordnet[0x80489c1]
, %sAborted (core dumped)
257 produces:
stefan@lsd:~$ wordnet `python -c "print 'A'*257"` -synsv
Segmentation fault (core dumped)
There were also reports in Debian that some patches broke the -synsn functionality. This was also tested to ensure that regression is not present: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497649
After applying the patches, the -synsv buffer overflows were no longer possible using the above test. The output is now:
wordnet `python -c "print 'A'*256"` -synsv
WordNet library error: search term is too long
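The 255/256/257 boundary test from this comment, turned into a repeatable regression check for the patched package (an added example, not part of the bug report or of the wordnet package; it assumes `wordnet` is on PATH, and the `make_term`, `classify` and `run_case` helper names are my own):

```sh
#!/bin/sh
# Boundary regression check for the wordnet search-term overflow described
# above. Added example, not part of the bug report. It assumes `wordnet` is
# on PATH; the 255/256/257 lengths and the expected messages come from the
# report. Without wordnet installed only the helpers are defined.

# Print a string of N 'A' characters (what the python one-liner produced).
make_term() {
    awk -v n="$1" 'BEGIN { while (i++ < n) printf "A" }'
}

# Classify one run from its exit status ($1) and combined output ($2):
#   REJECTED - the patched library refused the term (the fixed behaviour)
#   CRASH    - fortify abort (status 134), SIGSEGV (status 139), or the
#              glibc "buffer overflow detected" banner in the output
#   OK       - a normal lookup result
classify() {
    status=$1; out=$2
    case "$out" in
        *"search term is too long"*) echo REJECTED; return ;;
        *"buffer overflow detected"*) echo CRASH; return ;;
    esac
    if [ "$status" -ge 128 ]; then echo CRASH; else echo OK; fi
}

# Run wordnet with a term of length $1 and print "<len> <verdict>".
# The `|| status=$?` keeps a crashing wordnet from tripping `set -e`.
run_case() {
    len=$1; status=0
    out=$(wordnet "$(make_term "$len")" -synsv 2>&1) || status=$?
    echo "$len $(classify "$status" "$out")"
}

# Driver: the unpatched package crashes at 256 and 257; the patched one
# must answer REJECTED there and still return a normal result at 255.
if command -v wordnet >/dev/null 2>&1; then
    failed=0
    for len in 255 256 257; do
        verdict=$(run_case "$len")
        echo "$verdict"
        case "$verdict" in *CRASH) failed=1 ;; esac
    done
    exit "$failed"
fi
```

Exit status is non-zero if any length still crashes, so the script can run inside the pbuilder chroot before and after installing the patched .deb.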