GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Tue Oct 07, 2008 6:26 pm Post subject: [ GLSA 200810-01 ] WordNet: Execution of arbitrary code |
|
|
Gentoo Linux Security Advisory
Title: WordNet: Execution of arbitrary code (GLSA 200810-01)
Severity: normal
Exploitable: local, remote
Date: October 07, 2008
Bug(s): #211491
ID: 200810-01
Synopsis
Multiple vulnerabilities were found in WordNet, possibly allowing for the
execution of arbitrary code.
Background
WordNet is a large lexical database of English.
Affected Packages
Package: app-dicts/wordnet
Vulnerable: < 3.0-r2
Unaffected: >= 3.0-r2
Architectures: All supported architectures
Description
Jukka Ruohonen initially reported a boundary error within the
searchwn() function in src/wn.c. A thorough investigation by the oCERT
team revealed several other vulnerabilities in WordNet:
- Jukka Ruohonen and Rob Holland (oCERT) reported multiple boundary
errors within the searchwn() function in src/wn.c, the wngrep()
function in lib/search.c, the morphstr() and morphword() functions in
lib/morph.c, and the getindex() in lib/search.c, which lead to
stack-based buffer overflows. - Rob Holland (oCERT) reported two
boundary errors within the do_init() function in lib/morph.c, which
lead to stack-based buffer overflows via specially crafted
"WNSEARCHDIR" or "WNHOME" environment variables. - Rob Holland
(oCERT) reported multiple boundary errors in the bin_search() and
bin_search_key() functions in binsrch.c, which lead to stack-based
buffer overflows via specially crafted data files. - Rob Holland
(oCERT) reported a boundary error within the parse_index() function in
lib/search.c, which leads to a heap-based buffer overflow via specially
crafted data files.
Impact
- In case the application is accessible e.g. via a web server,
a remote attacker could pass overly long strings as arguments to the
"wm" binary, possibly leading to the execution of arbitrary code. - A local attacker could exploit the second vulnerability via
specially crafted "WNSEARCHDIR" or "WNHOME" environment variables,
possibly leading to the execution of arbitrary code with escalated
privileges. - A local attacker could exploit the third and
fourth vulnerability by making the application use specially crafted
data files, possibly leading to the execution of arbitrary code.
Workaround
There is no known workaround at this time.
Resolution
All WordNet users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-dicts/wordnet-3.0-r2" |
References
CVE-2008-2149
CVE-2008-3908
Last edited by GLSA on Sat Sep 19, 2009 4:18 am; edited 2 times in total |
|