Steffen Joeris
2008-May-14 12:17 UTC
[Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows
Package: wordnet
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE(0) has been issued against wordnet.

CVE-2008-2149:

Stack-based buffer overflow in the searchwn function in Wordnet 2.0, 2.1, and 3.0 might allow context-dependent attackers to execute arbitrary code via a long command line option. NOTE: this issue probably does not cross privilege boundaries except in cases in which Wordnet is used as a back end.

More information can be found in the gentoo bugreport(1).

I filed it as an RC bug, because wordnet is sometimes used as a backend for web applications.

Please mention the CVE id in your changelog, when you fix this bug.

Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2149
(1): https://bugs.gentoo.org/show_bug.cgi?id=211491
Andreas Tille
2008-May-15 12:46 UTC
[Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows
On Wed, 14 May 2008, Steffen Joeris wrote:

> CVE-2008-2149:
>
> Stack-based buffer overflow in the searchwn function in Wordnet 2.0,
> 2.1, and 3.0 might allow context-dependent attackers to execute
> arbitrary code via a long command line option. NOTE: this issue probably
> does not cross privilege boundaries except in cases in which Wordnet is
> used as a back end.
>
> More information can be found in the gentoo bugreport(1).

As stated in the Gentoo BTS

https://bugs.gentoo.org/show_bug.cgi?id=211491

there are potentially more issues of other sprintf()/strcpy()/strcat()/... occurrences. So I wonder if you accept the attached patch as a fix for the problem. It actually cures the long command line option problem but not more.

Kind regards

Andreas.

--
http://fam-tille.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 50_CVE-2008-2149_buffer_overflows.patch
Type: text/x-diff
Size: 463 bytes
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080515/d7293c34/attachment.patch
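
The question raised in the message above, whether other sprintf()/strcpy()/strcat() call sites remain, can be given a first answer with a source sweep before an audit is requested. The following is an added example, not part of the original thread or of the WordNet source: a Python scanner that lists unbounded string calls while ignoring mentions inside comments and string literals. The function list beyond the three names in the thread and the C sample are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Calls named in the thread, plus vsprintf and gets (added here as an assumption).
RISKY = ("sprintf", "vsprintf", "strcpy", "strcat", "gets")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(RISKY))
# Comments, string literals and char literals: mentions inside them are not calls.
SKIP_RE = re.compile(
    r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""", re.S)

def _blank(match):
    # Overwrite skipped text with spaces but keep newlines, so offsets and
    # line numbers in the cleaned text still match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))

def scan(source):
    """Return [(line_no, function, source_line)] for each risky call site."""
    cleaned = SKIP_RE.sub(_blank, source)
    lines = source.split("\n")
    hits = []
    for m in CALL_RE.finditer(cleaned):
        line_no = cleaned.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1), lines[line_no - 1].strip()))
    return hits

def summary(hits):
    """Count call sites per function, e.g. for a changelog or audit request."""
    return dict(Counter(func for _, func, _ in hits))

# Constructed sample, not taken from the WordNet source.
SAMPLE = r'''
#include <stdio.h>
#include <string.h>
/* old code used strcpy(buf, word) here */
static void lookup(const char *word, int sense)
{
    char buf[256], msg[64];
    strcpy(buf, word);                       /* unbounded */
    strcat(buf, ".idx");  // no strcat() call in this comment
    sprintf(msg, "sense %d of %s", sense, buf);
    snprintf(msg, sizeof msg, "strcpy(%s)", buf);  /* bounded */
    puts(msg);
}
'''

if __name__ == "__main__":
    for line_no, func, text in scan(SAMPLE):
        print("line %d: %s: %s" % (line_no, func, text))
    print(summary(scan(SAMPLE)))
```

Each hit is only a candidate: whether a call can overflow depends on the destination size and on who controls the source, which still needs manual review.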
Andreas Tille
2008-May-16 11:59 UTC
[Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows
On Thu, 15 May 2008, Andreas Tille wrote:

> As stated in the Gentoo BTS
>
> https://bugs.gentoo.org/show_bug.cgi?id=211491
>
> there are potentially more issues of other sprintf()/strcpy()/strcat()/...
> occurrences. So I wonder if you accept the attached patch as a fix for
> the problem. It actually cures the long command line option problem but
> not more.

I've got no answer to this question for nearly 24 hours. Because I consider it more important to fix a known issue _now_ instead of doing a long research for other issues for perhaps weeks I will upload packages with the proposed fix in the next hour. Other issues might be solved in later uploads.

Please tell me what I should do to support the security team. It's just my first security relevant bug.

Kind regards

Andreas.

--
http://fam-tille.de
Thijs Kinkhorst
2008-May-16 12:09 UTC
[Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows
On Fri, May 16, 2008 13:59, Andreas Tille wrote:

> I've got no answer to this question for nearly 24 hours. Because I
> consider it more important to fix a known issue _now_ instead of doing a
> long research for other issues for perhaps weeks I will upload packages
> with the proposed fix in the next hour. Other issues might be solved in
> later uploads.
>
> Please tell me what I should do to support the security team. It's just
> my first security relevant bug.

If you have a fix for unstable please upload it with urgency=medium or high and mention of the CVE id in the changelog. If you suspect that the fix may be incomplete then mention that in the changelog as well.

For stable we'd rather wait a bit to see if there are indeed more issues there.

cheers,
Thijs
Steffen Joeris
2008-May-16 12:11 UTC
[Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows
Hi Andreas

Sorry for the late reply.

> I've got no answer to this question for nearly 24 hours. Because I
> consider it more important to fix a known issue _now_ instead of doing a
> long research for other issues for perhaps weeks I will upload packages
> with the proposed fix in the next hour. Other issues might be solved in
> later uploads.

For testing-security just make sure you upload with priority=high . I would not want to think about DTSAs or migration stuff yet, because I suspect that there will be some development in the near future by fixing more of the security bugs. We'll get back to you, if we need any further maintainer interaction regarding testing. I can't say anything about stable though.

> Please tell me what I should do to support the security team. It's just
> my first security relevant bug.

Thanks for your work, it is good to see a maintainer being very responsive and passionate about it.

Cheers
Steffen
Andreas Tille
2008-May-16 12:40 UTC
[Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows
On Fri, 16 May 2008, Steffen Joeris wrote:

> Sorry for the late reply.

No problem.

> For testing-security just make sure you upload with priority=high .

pdebuild with priority=high in changelog is currently running.

> I would not want to think about DTSAs or migration stuff yet, because I
> suspect that there will be some development in the near future by fixing more
> of the security bugs.

Sounds reasonable.

> We'll get back to you, if we need any further maintainer interaction regarding
> testing.

Feel free to do so.

> I can't say anything about stable though.

Well, I assume they are aware of the issue and could bother me if I could / should do something, right?

> Thanks for your work, it is good to see a maintainer being very responsive and
> passionate about it.

Surely I do - isn't this the duty of a maintainer? At least I try to take my work as honest as possible.

Kind regards and thanks for working on security.debian.org

Andreas.

--
http://fam-tille.de
Moritz Muehlenhoff
2008-May-18 20:33 UTC
[Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows
Andreas Tille wrote:

> > I can't say anything about stable though.
>
> Well, I assume they are aware of the issue and could bother me if I
> could / should do something, right?

If there's indication that the currently known issues are just the tip of the iceberg, please ask for a review by debian-audit:
http://www.debian.org/security/audit/

Cheers,
Moritz
Andreas Tille
2008-May-18 21:37 UTC
[Secure-testing-team] Bug#481186: Bug#481186: CVE-2008-2149: buffer overflows
On Sun, 18 May 2008, Moritz Muehlenhoff wrote:

> If there's indication that the currently known issues are just the tip of
> the iceberg, please ask for a review by debian-audit:
> http://www.debian.org/security/audit/

Thanks for the hint and I would like to do this. But please ignore my ignorance, I have not made out what exactly I would have to do to report this problem to debian-audit. I did not even find a list with this name at lists.debian.org. So please be patient and try to be more verbose to ignorant people like me.

Kind regards

Andreas.

--
http://fam-tille.de
Moritz Muehlenhoff
2008-May-18 22:07 UTC
[Secure-testing-team] Bug#481186: Bug#481186: CVE-2008-2149: buffer overflows
On Sun, May 18, 2008 at 11:37:44PM +0200, Andreas Tille wrote:

> On Sun, 18 May 2008, Moritz Muehlenhoff wrote:
>
> > If there's indication that the currently known issues are just the tip of
> > the iceberg, please ask for a review by debian-audit:
> > http://www.debian.org/security/audit/
>
> Thanks for the hint and I would like to do this. But please ignore my
> ignorance, I have not made out what exactly I would have to do to report
> this problem to debian-audit. I did not even find a list with this
> name at lists.debian.org. So please be patient and try to be more
> verbose to ignorant people like me.

Ok, I'll take care of getting an audit organized.

Cheers,
Moritz
Andreas Tille
2008-May-19 07:23 UTC
[Secure-testing-team] Bug#481186: Bug#481186: CVE-2008-2149: buffer overflows
On Mon, 19 May 2008, Moritz Muehlenhoff wrote:

> Ok, I'll take care of getting an audit organized.

Many thanks. On the other hand once you are doing this perhaps you might ask the audit people to make the process more transparent how to ask for an audit. A mailing list you can post to or a Wiki page you are able to add stuff to comes to mind.

Many thanks for your security work

Andreas.

--
http://fam-tille.de
Anthony DeRobertis
2008-May-19 14:34 UTC
[Secure-testing-team] Bug#481186: Bug#481186: CVE-2008-2149: buffer overflows
On Mon, May 19, 2008 at 09:23:02AM +0200, Andreas Tille wrote:

> Many thanks. On the other hand once you are doing this perhaps you
> might ask the audit people to make the process more transparent how to
> ask for an audit. A mailing list you can post to or a Wiki page
> you are able to add stuff to comes to mind.

FYI, http://www.debian.org/security/audit/faq#contribute gives their mailing list. Somewhat hidden.