[CVE-2008-2149] wordnet 2.0, 2.1, 3 affected by multiple buffer overflows

This bug was closed in Debian, but the changelog states they only addressed minor components of this bug.

http://www.ocert.org/advisories/ocert-2008-014.html

shows the release of a more comprehensive patch.

http://www.ocert.org/analysis/2008-014/wordnet.patch

Please find debdiff for Intrepid attached.

New Intrepid debdiff with patches pulled in from Debian wordnet 3.0-13.

New Intrepid debdiff with patches pulled in from Debian wordnet 3.0-13. (updated version number to 11ubuntu0.1)

debdiff for hardy-security attached.

debdiff for gutsy-security attached and feisty-security attached.

All of the above debdiff files include the patch directly from Debian.

There is no POC exploit or testsuite available. There are multiple buffer overflows.

Please note - I removed the debdiff for Gutsy at this stage as I found an actual build error with the package on Gutsy. I will be submitting an SRU to have this fixed, and then will reapply security fix.

For each release - Intrepid / Hardy / Feisty the following was tested by building a chroot image using pbuilder and confirming the behaviour of the unpatched version, and then installing the newly built patched .deb file and testing again.

I wrote a simple test:

wordnet `python -c "print 'A'*255"` -synsv

Where 255 is the number of chars to print. 255 should produce no errors.

When 255 is increased to 256 the following is produced.

stefan@lsd:~$ wordnet `python -c "print 'A'*256"` -synsv

Synonyms/Hypernyms (Ordered by Estimated Frequency) of verb aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** buffer overflow detected ***: wordnet terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ff2388]
/lib/tls/i686/cmov/libc.so.6[0xb7ff04b0]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7fef784]
/usr/lib/libwordnet-3.0.so(morphstr+0x58)[0xb8059108]
wordnet[0x8048b92]
wordnet[0x80492a8]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7f0e685]
wordnet[0x80489c1]
======= Memory map: ========
08048000-0804b000 r-xp 00000000 fe:01 220731 /usr/bin/wn
0804b000-0804c000 r--p 00002000 fe:01 220731 /usr/bin/wn
0804c000-0804d000 rw-p 00003000 fe:01 220731 /usr/bin/wn
086c1000-086e2000 rw-p 086c1000 00:00 0 [heap]
b7ef7000-b7ef8000 rw-p b7ef7000 00:00 0
b7ef8000-b8050000 r-xp 00000000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8050000-b8052000 r--p 00158000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8052000-b8053000 rw-p 0015a000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8053000-b8056000 rw-p b8053000 00:00 0
b8056000-b8064000 r-xp 00000000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8064000-b8065000 r--p 0000d000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8065000-b8068000 rw-p 0000e000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8068000-b80a9000 rw-p b8068000 00:00 0
b80ab000-b80b8000 r-xp 00000000 fe:05 7628 /lib/libgcc_s.so.1
b80b8000-b80b9000 r--p 0000c000 fe:05 7628 /lib/libgcc_s.so.1
b80b9000-b80ba000 rw-p 0000d000 fe:05 7628 /lib/libgcc_s.so.1
b80ba000-b80be000 rw-p b80ba000 00:00 0
b80be000-b80bf000 r-xp b80be000 00:00 0 [vdso]
b80bf000-b80d9000 r-xp 00000000 fe:05 26004 /lib/ld-2.8.90.so
b80d9000-b80da000 r--p 0001a000 fe:05 26004 /lib/ld-2.8.90.so
b80da000-b80db000 rw-p 0001b000 fe:05 26004 /lib/ld-2.8.90.so
bfac5000-bfada000 rw-p bffeb000 00:00 0 [stack]
, %sAborted (core dumped)

257 produces:

stefan@lsd:~$ wordnet `python -c "print 'A'*257"` -synsv
Segmentation fault (core dumped)

There we're reports also in Debian that some patches broke the -synsn functionality. This was also tested to ...

SRU to fix Gutsy package before Security update can be applied is found here - https://bugs.edge.launchpad.net/ubuntu/+source/wordnet/+bug/275122

Excellent work! The feisty debdiff did not use 'feisty-security', but beyond that everything looked great. I have uploaded feisty, hardy and intrepid. I have marked gutsy as 'Triaged', but please put back as 'In Progress' when the SRU process is taken care of.

Thanks for your thorough work!

This bug was fixed in the package wordnet - 1:3.0-11ubuntu0.1

---------------
wordnet (1:3.0-11ubuntu0.1) intrepid; urgency=low

  * SECURITY UPDATE: Stack overflows fed via the command line, environment
    variables or WordNet library calls can result in arbitrary code
    execution. (Closes LP: #267067)
  * 51_overflows.patch:
    - ocert patch to address additional potential security exploits.
  * 51_overflows_memcpy.patch:
    - Fix part of oCERT patch that breaks 'wordnet test -synsn'.
  * References
    http://www.ocert.org/advisories/ocert-2008-014.html
    CVE-2008-2149

 -- Stefan Lesicnik <email address hidden> Thu, 11 Sep 2008 10:45:13 +0200

wordnet (1:3.0-6ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: Stack overflows fed via the command line, environment
    variables or WordNet library calls can result in arbitrary code
    execution. (Closes LP: #257067)
  * 50_CVE-2008-2149_buffer_overflows.dpatch:
    - buffer overflow patch ( <email address hidden> (tille: 0) ).
  * 51_overflows.dpatch:
    - ocert patch to address additional potential security exploits.
  * 51_overflows_memcpy.dpatch:
    - Fix part of oCERT patch that breaks 'wordnet test -synsn'.
  * References
    http://www.ocert.org/advisories/ocert-2008-014.html
    CVE-2008-2149

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.