CVE-2008-2149: buffer overflows

Debian Bug report logs - #481186
CVE-2008-2149: buffer overflows

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2008-2149: buffer overflows

Date: Wed, 14 May 2008 22:17:40 +1000

Package: wordnet
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE(0) has been issued against wordnet.

CVE-2008-2149:

Stack-based buffer overflow in the searchwn function in Wordnet 2.0,
2.1, and 3.0 might allow context-dependent attackers to execute
arbitrary code via a long command line option. NOTE: this issue probably
does not cross privilege boundaries except in cases in which Wordnet is
used as a back end.

More information can be found in the gentoo bugreport(1).
I filled it as an RC bug, because wordnet is sometimes used as a backend
for web applications


Please mention the CVE id in your changelog, when you fix this bug.

Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2149

(1): https://bugs.gentoo.org/show_bug.cgi?id=211491

Message #10 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 481186@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, jaervosz@gentoo.org, py@gentoo.org, Gentoo Security <security@gentoo.org>, drear@iki.fi, Authors of Wordnet <wordnet@princeton.edu>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Thu, 15 May 2008 14:46:57 +0200 (CEST)

[Message part 1 (text/plain, inline)]

On Wed, 14 May 2008, Steffen Joeris wrote:

> CVE-2008-2149:
>
> Stack-based buffer overflow in the searchwn function in Wordnet 2.0,
> 2.1, and 3.0 might allow context-dependent attackers to execute
> arbitrary code via a long command line option. NOTE: this issue probably
> does not cross privilege boundaries except in cases in which Wordnet is
> used as a back end.
>
> More information can be found in the gentoo bugreport(1).

As stated in the Gentoo BTS

   https://bugs.gentoo.org/show_bug.cgi?id=211491

there are potentially more issues of other sprintf()/strcpy()/strcat()/...
occurences.  So I wonder if you accept the attached patch as a fix for
the problem.  It actually cures the long command line option problem but
not more.

Kind regards

        Andreas.

-- 
http://fam-tille.de

[50_CVE-2008-2149_buffer_overflows.patch (text/x-diff, ATTACHMENT)]

--- wordnet-3.0.orig/src/wn.c
+++ wordnet-3.0/src/wn.c
@@ -206,7 +206,8 @@
 		    outsenses += do_search(av[1], optptr->pos, optptr->search,
 					    whichsense, optptr->label);
 	    } else {
-		sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
+		/* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
+		sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
 		display_message(tmpbuf);
 		errcount++;
 	    }

Message #15 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 481186@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 13:59:49 +0200 (CEST)

On Thu, 15 May 2008, Andreas Tille wrote:

> As stated in the Gentoo BTS
>
>   https://bugs.gentoo.org/show_bug.cgi?id=211491
>
> there are potentially more issues of other sprintf()/strcpy()/strcat()/...
> occurences.  So I wonder if you accept the attached patch as a fix for
> the problem.  It actually cures the long command line option problem but
> not more.

I've got no answer to this question for nearly 24 hours.  Because I consider
it more important to fix a known issue _now_ instead of doing a long research
for other issues for perhaps weeks I will upload packages with the proposed
fix in the next hour.  Other issues might be solved in later uploads.

Please tell me what I should do to support the security team.  It's just
my first security relevant bug.

Kind regards

          Andreas.

-- 
http://fam-tille.de

Message #20 received at 481186@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Andreas Tille" <tillea@rki.de>

Cc: "Steffen Joeris" <steffen.joeris@skolelinux.de>, 481186@bugs.debian.org, "Debian Testing Security Team" <secure-testing-team@lists.alioth.debian.org>, "Debian Security Team" <team@security.debian.org>

Subject: Re: [Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 14:09:36 +0200 (CEST)

On Fri, May 16, 2008 13:59, Andreas Tille wrote:
> I've got no answer to this question for nearly 24 hours.  Because I
> consider it more important to fix a known issue _now_ instead of doing a
> long research for other issues for perhaps weeks I will upload packages
> with the proposed fix in the next hour.  Other issues might be solved in
> later uploads.
>
> Please tell me what I should do to support the security team.  It's just
> my first security relevant bug.

If you have a fix for unstable please upload it with urgency=medium or
high and mention of the CVE id in the changelog. If you suspect that the
fix may be incomplete then mention that in the changelog aswell.

For stable we'd rather wait a bit to see if there are indeed more issues
there.


cheers,
Thijs

Message #25 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Andreas Tille <tillea@rki.de>

Cc: 481186@bugs.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 22:11:33 +1000

[Message part 1 (text/plain, inline)]

Hi Andreas

Sorry for the late reply.
> I've got no answer to this question for nearly 24 hours.  Because I
> consider it more important to fix a known issue _now_ instead of doing a
> long research for other issues for perhaps weeks I will upload packages
> with the proposed fix in the next hour.  Other issues might be solved in
> later uploads.
For testing-security just make sure you upload with priority=high .
I would not want to think about DTSAs or migration stuff yet, because I 
suspect that there will be some development in the near future by fixing more 
of the security bugs. 
We'll get back to you, if we need any further maintainer interaction regarding 
testing.
I can't say anything about stable though.


> Please tell me what I should do to support the security team.  It's just
> my first security relevant bug.
Thanks for your work, it is good to see a maintainer being very responsive and 
pationate about it.

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>

To: 481186@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andreas Tille <tille@debian.org>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 14:40:16 +0200 (CEST)

On Fri, 16 May 2008, Steffen Joeris wrote:

> Sorry for the late reply.

No problem.

> For testing-security just make sure you upload with priority=high .

pdebuild with priority=high in changelog is currently running.

> I would not want to think about DTSAs or migration stuff yet, because I
> suspect that there will be some development in the near future by fixing more
> of the security bugs.

Sounds reasonable.

> We'll get back to you, if we need any further maintainer interaction regarding
> testing.

Feel free to do so.

> I can't say anything about stable though.

Well, I assume they are aware of the issue and could bother me if I
could / should do something, right?

> Thanks for your work, it is good to see a maintainer being very responsive and
> pationate about it.

Surely I do - isn't this the duty of a maintainer?  At least I try to take my
work as honest as possible.

Kind regards and thanks for working on security.debian.org

       Andreas.

-- 
http://fam-tille.de

Message #35 received at 481186-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>

To: 481186-close@bugs.debian.org

Subject: Bug#481186: fixed in wordnet 1:3.0-10

Date: Fri, 16 May 2008 13:02:06 +0000

Source: wordnet
Source-Version: 1:3.0-10

We believe that the bug you reported is fixed in the latest version of
wordnet, which is due to be installed in the Debian FTP archive:

dict-wn_3.0-10_all.deb
  to pool/main/w/wordnet/dict-wn_3.0-10_all.deb
wordnet-base_3.0-10_all.deb
  to pool/main/w/wordnet/wordnet-base_3.0-10_all.deb
wordnet-dev_3.0-10_i386.deb
  to pool/main/w/wordnet/wordnet-dev_3.0-10_i386.deb
wordnet-grind_3.0-10_i386.deb
  to pool/main/w/wordnet/wordnet-grind_3.0-10_i386.deb
wordnet-sense-index_3.0-10_all.deb
  to pool/main/w/wordnet/wordnet-sense-index_3.0-10_all.deb
wordnet_3.0-10.diff.gz
  to pool/main/w/wordnet/wordnet_3.0-10.diff.gz
wordnet_3.0-10.dsc
  to pool/main/w/wordnet/wordnet_3.0-10.dsc
wordnet_3.0-10_i386.deb
  to pool/main/w/wordnet/wordnet_3.0-10_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 481186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated wordnet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 15 May 2008 14:20:57 +0200
Source: wordnet
Binary: wordnet wordnet-dev wordnet-base wordnet-sense-index wordnet-grind dict-wn
Architecture: source all i386
Version: 1:3.0-10
Distribution: unstable
Urgency: high
Maintainer: Andreas Tille <tille@debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Description: 
 dict-wn    - electronic lexical database of English language for dict
 wordnet    - electronic lexical database of English language
 wordnet-base - electronic lexical database of English language
 wordnet-dev - electronic lexical database of English language
 wordnet-grind - WordNet lexicographer files processor
 wordnet-sense-index - electronic lexical database of English language
Closes: 481186
Changes: 
 wordnet (1:3.0-10) unstable; urgency=high
 .
   * Fix CVE-2008-2149: buffer overflows by limiting the length
     of the string in sprintf format string
     Closes: #481186
     Please note: The WordNet code contains several other occurences
     of potentially exploitable functions like strcpy()/strcat()/...
     and so even if there are no known exploits the code needs a
     full security audit.
   * Mentioned the potential security issues in README.Debian
Checksums-Sha1: 
 877fca56c3ac4b217cdf55f89c56b14798bfd107 1227 wordnet_3.0-10.dsc
 ff8507333e165283a960ac769db62fb4e1ba0e16 68038 wordnet_3.0-10.diff.gz
 e7e671b1abce7422d9aaf6296ad1d9730fefdaee 8759496 wordnet-base_3.0-10_all.deb
 a82a66c017d26ea50cfad2acbec5886e855ce414 2241376 wordnet-sense-index_3.0-10_all.deb
 15c9f9224731f2e3d89caf6e63deda14c2f82204 10893236 dict-wn_3.0-10_all.deb
 87570974f02f518e8ebd4c5d7554c270d06c1102 104074 wordnet_3.0-10_i386.deb
 9110e4fbf5a30176d3625edcb33f4d808ad666a4 61316 wordnet-dev_3.0-10_i386.deb
 15c59c768d15e389f843d1ef5710d2b420afd3ef 40916 wordnet-grind_3.0-10_i386.deb
Checksums-Sha256: 
 3f35eec4645acbf0ed87c9704dd4b27be24d3c6deb9f82974ef6cc462a21919a 1227 wordnet_3.0-10.dsc
 3c2f1c1e15f4eb54ec39315e9bf2327d7ca61711baf15d949183ddcece297c9f 68038 wordnet_3.0-10.diff.gz
 9bc884b844dd5ea3de93ee3171a7334dc8e2fba9417feabed7277694bd2de1d8 8759496 wordnet-base_3.0-10_all.deb
 39e996e1a2ce90f7683e121bd24356051d3f575dd87e2e016d7a95712d26616f 2241376 wordnet-sense-index_3.0-10_all.deb
 71634b25150b035bb407d1f97f3ad17ac59c0119a2460774b01d2c23a74e4f45 10893236 dict-wn_3.0-10_all.deb
 f16458352bf0b1565d0afafc0d7e24805241eb74661a3e4630a5c4b06094bf1a 104074 wordnet_3.0-10_i386.deb
 3a9452beb9541f3165dea3dcfe4936a0811804666ac04406d8b0bf4283ce68c6 61316 wordnet-dev_3.0-10_i386.deb
 529fd03362227a2095070178e9766104c7e206eaa2d03c6c285359363bb96289 40916 wordnet-grind_3.0-10_i386.deb
Files: 
 10934dc8536f76c16402a05849db7c9e 1227 text optional wordnet_3.0-10.dsc
 108ca9c7c738fe7c6a8d63b9757c61d4 68038 text optional wordnet_3.0-10.diff.gz
 57a88da8a5e291637a7aafabb8045ea7 8759496 text optional wordnet-base_3.0-10_all.deb
 685e2aa8e2adfd5f1ecc26177ca0368e 2241376 text extra wordnet-sense-index_3.0-10_all.deb
 8ba0754d8442541279e65971dfd84cd4 10893236 text optional dict-wn_3.0-10_all.deb
 3085204765ee84c6a4af4c49fbc9e151 104074 text optional wordnet_3.0-10_i386.deb
 d12a8a6f02206b0cf2576a892c39bf6c 61316 devel optional wordnet-dev_3.0-10_i386.deb
 f10c10a5aa4bdaba562ab878b9b735cb 40916 text extra wordnet-grind_3.0-10_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFILYKMYDBbMcCf01oRAmMhAJ9MQsn1aS6VDXip9DrSnx4ZbYFsUgCgjs5Q
S9FCFUewXCGKXLmCu1ujLkI=
=f7fq
-----END PGP SIGNATURE-----

Message #40 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <debian-secure-testing+ml@ngolde.de>

To: Andreas Tille <tillea@rki.de>, 481186@bugs.debian.org, Authors of Wordnet <wordnet@princeton.edu>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 15:01:48 +0200

[Message part 1 (text/plain, inline)]

Heyho Andreas,
* Andreas Tille <tillea@rki.de> [2008-05-15 14:57]:
> On Wed, 14 May 2008, Steffen Joeris wrote:
> 
> >CVE-2008-2149:
[...] 
> there are potentially more issues of other sprintf()/strcpy()/strcat()/...
> occurences.  So I wonder if you accept the attached patch as a fix for
> the problem.  It actually cures the long command line option problem but
> not more.
[...] 
> --- wordnet-3.0.orig/src/wn.c
> +++ wordnet-3.0/src/wn.c
> @@ -206,7 +206,8 @@
>  		    outsenses += do_search(av[1], optptr->pos, optptr->search,
>  					    whichsense, optptr->label);
>  	    } else {
> -		sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
> +		/* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
> +		sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
>  		display_message(tmpbuf);
>  		errcount++;
>  	    }

Please use snprintf(tmpbuf, sizeof(tmpbuf), ... instead of 
this. Apart from that I think fixing this for now is fine, 
we can issue more updates later.

As Thijs already mentioned, please include the CVE id in 
your changelog.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #45 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>

To: Nico Golde <debian-secure-testing+ml@ngolde.de>

Cc: 481186@bugs.debian.org, Authors of Wordnet <wordnet@princeton.edu>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 15:47:04 +0200 (CEST)

On Fri, 16 May 2008, Nico Golde wrote:

>> -		sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
>> +		/* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
>> +		sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
>
> Please use snprintf(tmpbuf, sizeof(tmpbuf), ... instead of this.

I just followed
   https://buildsecurityin.us-cert.gov/daisy/bsi-rules/home/g1/840.html
and unfortuantely it is to late now because the package just hit unstable.
Feel free to NMU if there are any reasons to do so.

Just for the sake of interest: What is the essential difference between
the patch above and snprintf()?

> Apart from that I think fixing this for now is fine,
> we can issue more updates later.
>
> As Thijs already mentioned, please include the CVE id in
> your changelog.

As I said this is just done

      Andreas.

-- 
http://fam-tille.de

Message #50 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Sven Joachim <svenjoac@gmx.de>

To: Andreas Tille <tillea@rki.de>

Cc: 481186@bugs.debian.org, Nico Golde <debian-secure-testing+ml@ngolde.de>, Authors of Wordnet <wordnet@princeton.edu>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 16:07:42 +0200

Am 16.05.2008 um 15:47 schrieb Andreas Tille:

> On Fri, 16 May 2008, Nico Golde wrote:
>
>>> -		sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
>>> +		/* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
>>> +		sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
>>
>> Please use snprintf(tmpbuf, sizeof(tmpbuf), ... instead of this.
>
> I just followed
>    https://buildsecurityin.us-cert.gov/daisy/bsi-rules/home/g1/840.html
> and unfortuantely it is to late now because the package just hit unstable.
> Feel free to NMU if there are any reasons to do so.
>
> Just for the sake of interest: What is the essential difference between
> the patch above and snprintf()?

The latter is safer, because the tmpbuf buffer will not overflow even if
somebody decides to reduce its size.

Sven

Message #55 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Andreas Tille <tillea@rki.de>

Cc: 481186@bugs.debian.org, Authors of Wordnet <wordnet@princeton.edu>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 16:13:19 +0200

[Message part 1 (text/plain, inline)]

Hi Andreas,
* Andreas Tille <tillea@rki.de> [2008-05-16 15:53]:
> On Fri, 16 May 2008, Nico Golde wrote:
> 
> >>-		sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
> >>+		/* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
> >>+		sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
> >
> >Please use snprintf(tmpbuf, sizeof(tmpbuf), ... instead of this.
> 
> I just followed
>    https://buildsecurityin.us-cert.gov/daisy/bsi-rules/home/g1/840.html
> and unfortuantely it is to late now because the package just hit unstable.
> Feel free to NMU if there are any reasons to do so.
> 
> Just for the sake of interest: What is the essential difference between
> the patch above and snprintf()?

I first thought the buffer you write into is also 200 bytes 
big then the 0 byte sprintf writes at the end would cause an 
off-by-one. I just saw that its 256 bytes big so this should 
be no problem. However I still prefer clean fixes and 
snprintf is the clean fix for boundary problems of sprintf.

Anyway, nothing that needs to be fixed with an additional 
upload.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #60 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>

To: Nico Golde <nion@debian.org>

Cc: 481186@bugs.debian.org, Authors of Wordnet <wordnet@princeton.edu>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows

Date: Fri, 16 May 2008 16:32:32 +0200 (CEST)

On Fri, 16 May 2008, Nico Golde wrote:

> I first thought the buffer you write into is also 200 bytes
> big then the 0 byte sprintf writes at the end would cause an
> off-by-one. I just saw that its 256 bytes big so this should
> be no problem.

Yes, I left some space.  You have to add the fix format string
to 200 which is all in all something less than the allocated size
of 256.

> However I still prefer clean fixes and
> snprintf is the clean fix for boundary problems of sprintf.

Fully ACK.

> Anyway, nothing that needs to be fixed with an additional
> upload.

OK.  Just learned some lession about security anyway

    Andreas.

-- 
http://fam-tille.de

Message #65 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Andreas Tille <tillea@rki.de>

Cc: 481186@bugs.debian.org, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Security Team <team@security.debian.org>, Andreas Tille <tille@debian.org>

Subject: Re: [Secure-testing-team] Bug#481186: CVE-2008-2149: buffer overflows

Date: Sun, 18 May 2008 22:33:25 +0200

Andreas Tille wrote:

> > I can't say anything about stable though.
> 
> Well, I assume they are aware of the issue and could bother me if I
> could / should do something, right?

If there's indication that the currently known issues are just the tip of
the iceberg, please ask for a review by debian-audit:
http://www.debian.org/security/audit/

Cheers,
        Moritz

Message #70 received at 481186@bugs.debian.org (full text, mbox, reply):

From: "Stefan Lesicnik" <stefan@lsd.co.za>

To: 481186@bugs.debian.org

Subject: CVE-2008-2149: buffer overflows - reopen

Date: Sat, 6 Sep 2008 10:31:25 +0200

[Message part 1 (text/plain, inline)]

Hi,

As the changelog indicates, there may still be various potential
security flaws within this product.

http://www.ocert.org/advisories/ocert-2008-014.html

shows the release of a more comprehensive patch.

http://www.ocert.org/analysis/2008-014/wordnet.patch

Attached is the debian-debdiff to apply this. (some modification may
be required)

Thanks
Stefan

[debdiff-debian (application/octet-stream, attachment)]

Message #75 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Stefan Lesicnik <stefan@lsd.co.za>, 481186@bugs.debian.org

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows - reopen

Date: Sat, 6 Sep 2008 12:40:48 +0200

[Message part 1 (text/plain, inline)]

Hi Stefan,
* Stefan Lesicnik <stefan@lsd.co.za> [2008-09-06 11:46]:
> As the changelog indicates, there may still be various potential
> security flaws within this product.
> 
> http://www.ocert.org/advisories/ocert-2008-014.html
> 
> shows the release of a more comprehensive patch.
> 
> http://www.ocert.org/analysis/2008-014/wordnet.patch
> 
> Attached is the debian-debdiff to apply this. (some modification may
> be required)

This patch is included wordnet 1:3.0-12.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #80 received at 481186@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>

To: Nico Golde <nion@debian.org>, 481186@bugs.debian.org

Cc: Stefan Lesicnik <stefan@lsd.co.za>, debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>

Subject: Re: Bug#481186: CVE-2008-2149: buffer overflows - reopen

Date: Sat, 6 Sep 2008 19:41:50 +0200 (CEST)

On Sat, 6 Sep 2008, Nico Golde wrote:

> This patch is included wordnet 1:3.0-12.

Well, not really.  There was a problem with the original
patch which was reported to security@debian.org.  The
problem was fixed and you can obtain patches from

     http://svn.debian.org/wsvn/debian-science/packages/wordnet/trunk/debian/patches/?rev=0&sc=0

in files 51_*.

An upload of this patch to unstable will be done on Monday.

Kind regards

     Andreas.

-- 
http://fam-tille.de

Send a report that this bug log contains spam.