wordnet: security audit found several vulnerabilities

Related Vulnerabilities: CVE-2008-3908  

Debian Bug report logs - #497441

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Mon, 1 Sep 2008 19:24:01 UTC

Severity: serious

Tags: patch, security

Found in version wordnet/1:2.1-4

Fixed in versions 1:2.1-4+etch4, 1:3.0-11+lenny1, wordnet/1:3.0-12

Done: Andreas Tille <tille@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#497441; Package wordnet. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: wordnet: security audit found several vulnerabilities
Date: Mon, 1 Sep 2008 21:20:26 +0200
[Message part 1 (text/plain, inline)]
Package: wordnet
Version: 1:2.1-4
Severity: serious
Tags: security patch

Hi,

As a followup to #481186, oCERT conducted a security audit finding several 
more vulnerabilities:
http://www.ocert.org/advisories/ocert-2008-014.html

The advisory has a patch which was also used for lenny and etch. Please fix 
the issue in unstable as well.


thanks,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Bug marked as fixed in version 1:2.1-4+etch4. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 02 Sep 2008 06:57:02 GMT) (full text, mbox, link).


Bug marked as fixed in version 1:3.0-11+lenny1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 02 Sep 2008 06:57:03 GMT) (full text, mbox, link).


Reply sent to Andreas Tille <tille@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #14 received at 497441-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: 497441-close@bugs.debian.org
Subject: Bug#497441: fixed in wordnet 1:3.0-12
Date: Tue, 02 Sep 2008 12:17:05 +0000
Source: wordnet
Source-Version: 1:3.0-12

We believe that the bug you reported is fixed in the latest version of
wordnet, which is due to be installed in the Debian FTP archive:

dict-wn_3.0-12_all.deb
  to pool/main/w/wordnet/dict-wn_3.0-12_all.deb
wordnet-base_3.0-12_all.deb
  to pool/main/w/wordnet/wordnet-base_3.0-12_all.deb
wordnet-dev_3.0-12_i386.deb
  to pool/main/w/wordnet/wordnet-dev_3.0-12_i386.deb
wordnet-grind_3.0-12_i386.deb
  to pool/main/w/wordnet/wordnet-grind_3.0-12_i386.deb
wordnet-sense-index_3.0-12_all.deb
  to pool/main/w/wordnet/wordnet-sense-index_3.0-12_all.deb
wordnet_3.0-12.diff.gz
  to pool/main/w/wordnet/wordnet_3.0-12.diff.gz
wordnet_3.0-12.dsc
  to pool/main/w/wordnet/wordnet_3.0-12.dsc
wordnet_3.0-12_i386.deb
  to pool/main/w/wordnet/wordnet_3.0-12_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 497441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated wordnet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 02 Sep 2008 13:12:21 +0200
Source: wordnet
Binary: wordnet wordnet-dev wordnet-base wordnet-sense-index wordnet-grind dict-wn
Architecture: source all i386
Version: 1:3.0-12
Distribution: unstable
Urgency: low
Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Description: 
 dict-wn    - electronic lexical database of English language for dict
 wordnet    - electronic lexical database of English language
 wordnet-base - electronic lexical database of English language
 wordnet-dev - electronic lexical database of English language
 wordnet-grind - WordNet lexicographer files processor
 wordnet-sense-index - electronic lexical database of English language
Closes: 497441
Changes: 
 wordnet (1:3.0-12) unstable; urgency=low
 .
   * debian/wnb: Added command line arguments to wrapper (Thanks to
     Chung-chieh Shan <ccshan@post.harvard.edu>)
   * Incorporate security patches
     Closes: #497441
Checksums-Sha1: 
 89ffbfecb2d8dc065d6ff66c7bc3ce6b12a56a90 1497 wordnet_3.0-12.dsc
 183906bd28dcbd352ac3ec713ede202dd1279cfd 74734 wordnet_3.0-12.diff.gz
 4faac68eee9458fb88a8a22e2abaa8dff32a2c06 8759844 wordnet-base_3.0-12_all.deb
 d0006a77b3e8a02f390eebbccd575d0dc25f2908 2241576 wordnet-sense-index_3.0-12_all.deb
 53c5985d3059f079c4f6e98e855e32c5de0026d0 10893568 dict-wn_3.0-12_all.deb
 fc93525203b0343e2ad2cfad6cb8689c2d9fd479 103156 wordnet_3.0-12_i386.deb
 a917a46316bc6aa3e0ff2d3e2db39b3520bc8b45 62740 wordnet-dev_3.0-12_i386.deb
 419e2b3766e72cc4c09707e12bad1b2a76373527 41268 wordnet-grind_3.0-12_i386.deb
Checksums-Sha256: 
 df5817d6750b2d0dbc464510ee073b768c0ee92a22a805778718881100411934 1497 wordnet_3.0-12.dsc
 e5295b8c554fc30bcc078511186feedb19dccee3a0f167ec622340cae092ffcd 74734 wordnet_3.0-12.diff.gz
 d51c87e739c317f3b379248edfd8f417865dab2e6a25f8852b35d110ffbcd9b2 8759844 wordnet-base_3.0-12_all.deb
 d945cad2b9f57209280f005eb88e40127c8283dc6b275f90cee67431275e6e24 2241576 wordnet-sense-index_3.0-12_all.deb
 c60529828f4d75da3e0e6a2ade079963523e8c9529fbf67ab3fb1771648a5073 10893568 dict-wn_3.0-12_all.deb
 4044acc60d9b6e9e9db42f1ec4521750dcd406d0cc09e4bfefa1171395a98de8 103156 wordnet_3.0-12_i386.deb
 b89f1ff527d40a7ed2102bc6eddb60f7afa8446258060beac6a8b0a952cbb3bf 62740 wordnet-dev_3.0-12_i386.deb
 4eabf35929517413244b3e77667dc008c97e93ba6d585d189d854d45db5581e1 41268 wordnet-grind_3.0-12_i386.deb
Files: 
 d320ba65a1adc2b3a20c325e088bb7f8 1497 text optional wordnet_3.0-12.dsc
 a49c38b2b41340ed39da72161d110078 74734 text optional wordnet_3.0-12.diff.gz
 e7346300b2caeed6d0202c4436b7f321 8759844 text optional wordnet-base_3.0-12_all.deb
 bf85f028455d1d3e3ee3331934fd22bd 2241576 text extra wordnet-sense-index_3.0-12_all.deb
 d12757d702b410dc33073fc411dc2edf 10893568 text optional dict-wn_3.0-12_all.deb
 e378c63929f050e79cca2e5948351bf5 103156 text optional wordnet_3.0-12_i386.deb
 a748c3deea04976f0d7ad6e48fcd2924 62740 devel optional wordnet-dev_3.0-12_i386.deb
 6c92c3c8fe8af354fd74c3d4796e5ce5 41268 text extra wordnet-grind_3.0-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIvSLpYDBbMcCf01oRArs8AJ96fZLNMPM9YO//Z+XFNWadarMzbQCgjWQB
KYsu/M1ZwQdiybXA+OBggcc=
=lYe5
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#497441; Package wordnet. (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #19 received at 497441@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>
To: Francesco Potorti` <Potorti@isti.cnr.it>, 497649@bugs.debian.org
Cc: Francesco Potorti` <pot@potorti.it>, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>, Authors of Wordnet <wordnet@princeton.edu>, 497441@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#497649: wordnet: wnb does not show all synonyms any more
Date: Thu, 4 Sep 2008 12:38:08 +0200 (CEST)
On Wed, 3 Sep 2008, Francesco Potorti` wrote:

> In the wordnet browser, after looking for a name, I ask for its
> synonyms.  However, I only get a line saying that there are N senses.  I
> can only get the synonyms one at a time, by writing a sense number in
> the sense box and then asking for synonyms.

I can confirm that

  $ wordnet test -synsn
  Synonyms/Hypernyms (Ordered by Estimated Frequency) of noun test

  6 senses of test

shows the problem - so the problem is not only in the wnb GUI but has
its roots in the underlying library / command line interface.

> This is a regression with respect to the previous behaviour of
> displaying the synonyms of all the senses if the sense box was empty.

I can also confirm that this problem does not occur in version
3.0-11 package version of WordNet - so the security audited version
that was uploaded to fix #497441 was not clean and just produces this
bug.

I will try to inspect the patch and, with some luck and reverting
parts of the patch set, we might find the part which introduces
this bug.  I keep #497441 in CC to make people aware that something
is wrong with the patch but I have no idea how to contact the issuer
of the patch (there is no e-mail attached).

Kind regards

       Andreas.

-- 
http://fam-tille.de




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#497441; Package wordnet. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #24 received at 497441@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 497441@bugs.debian.org
Subject: CVE id
Date: Thu, 4 Sep 2008 18:54:43 +0200
[Message part 1 (text/plain, inline)]
Hi,
use CVE-2008-3908 as the CVE id for these issues.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#497441; Package wordnet. (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #29 received at 497441@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>
To: Steffen Joeris <white@debian.org>, security@debian.org
Cc: 497649@bugs.debian.org, 497441@bugs.debian.org, Authors of Wordnet <wordnet@princeton.edu>, Thijs Kinkhorst <thijs@debian.org>
Subject: Broken security patch for WordNet
Date: Fri, 5 Sep 2008 15:30:07 +0200 (CEST)
Hi,

in http://bugs.debian.org/497441 a patch is provided that should fix
several security problems.  When investigating into the problem that
WordNet stopped working as usual when looking for synonym sets like
for instance

   $ wordnet test -synsn

which should not only print

   6 senses of test

but also the six senses with explanation I found the critical part
in the provided patch.  I extracted it to

   http://svn.debian.org/wsvn/debian-science/packages/wordnet/trunk/debian/patches/51_overflows.patch.broken?op=file&rev=0&sc=0

and I would like you to pronounce your opinion to my comment in the
header which says:

  This part of the patch is completely broken, breaks functionality of
     wordnet test -synsn
  and I really wonder in how far a "strcpy(bufstart, tmpbuf);" is a
  security fix compared to "strncpy(bufstart, tmpbuf, strlen(tmpbuf));"
  Who did this patch????

I have no idea who did this patch and how to reach this person, but besides
breaking the functionality of the program IMHO this is a terrible thing
security wise.  I would really like to get this patch revised for further
problems like this.

What would be the best strategy to fix the packages in Debian?
I could upload packages to unstable without this part of the
patch - it's just in SVN.  But I have serious doubt about the
remaining parts.

Kind regards

       Andreas.

-- 
http://fam-tille.de




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#497441; Package wordnet. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #34 received at 497441@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Andreas Tille <tillea@rki.de>, 497649@bugs.debian.org
Cc: Steffen Joeris <white@debian.org>, security@debian.org, 497441@bugs.debian.org, Authors of Wordnet <wordnet@princeton.edu>, Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#497649: Broken security patch for WordNet
Date: Fri, 5 Sep 2008 15:47:55 +0200
[Message part 1 (text/plain, inline)]
Hi Andreas,
* Andreas Tille <tillea@rki.de> [2008-09-05 15:40]:
[...] 
>   This part of the patch is completely broken, breaks functionality of
>      wordnet test -synsn
>   and I really wonder in how far a "strcpy(bufstart, tmpbuf);" is a
>   security fix compared to "strncpy(bufstart, tmpbuf, strlen(tmpbuf));"
>   Who did this patch????

As far as I know this was part of the patch by oCert. 
However it's not a security fix but just a cleanup as both 
function calls are equal.

[...] 
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#497441; Package wordnet. (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #39 received at 497441@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>
To: Nico Golde <nion@debian.org>
Cc: 497649@bugs.debian.org, security@debian.org, 497441@bugs.debian.org
Subject: Re: Bug#497649: Broken security patch for WordNet
Date: Fri, 5 Sep 2008 17:03:03 +0200 (CEST)
On Fri, 5 Sep 2008, Nico Golde wrote:

> As far as I know this was part of the patch by oCert.

Well, who actually is oCert, i.e. how can I report problems with
their patches?

> However its not a security fix but just a cleanup as both
> function calls are equal.

Well, apparently they are not.  If you include the patch wordnet
fails displaying synonyms.  I have no idea why.  And while I'm
no security expert I prefer strncpy - OK I admit strlen seeks
for a '\0' and thus it might look equal at first view, but feel
free to try the difference with and without this part of the
patch (a check-out from SVN might help you see the difference).

Kind regards

        Andreas.

-- 
http://fam-tille.de




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#497441; Package wordnet. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #44 received at 497441@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Andreas Tille <tillea@rki.de>
Cc: 497649@bugs.debian.org, security@debian.org, 497441@bugs.debian.org
Subject: Re: Bug#497649: Broken security patch for WordNet
Date: Fri, 5 Sep 2008 18:57:14 +0200
[Message part 1 (text/plain, inline)]
Hi Andreas,
* Andreas Tille <tillea@rki.de> [2008-09-05 17:59]:
> On Fri, 5 Sep 2008, Nico Golde wrote:
> 
> >As far as I know this was part of the patch by oCert.
> 
> Well, who actually is oCert, i.e. how can I report problems with
> their patches?

http://www.ocert.org/advisories/ocert-2008-014.html
https://www.ocert.org/contact_info.html has some contact
information.

> >However its not a security fix but just a cleanup as both
> >function calls are equal.
> 
> Well, apparently they are not.  If you include the patch wordnet
> fails displaying synonyms.  I have no idea why.  And while I'm
> no security expert I prefer strncpy - OK I admit strlen seeks
> for a '\0' and thus it might look equal at first view, but feel
> free to try the difference with and without this part of the
> patch (a check-out from SVN might help you see the difference).

Sorry I have no time to dig into this further as I'm moving 
to a new house on monday :)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
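The exchange above turns on whether `strcpy(bufstart, tmpbuf)` and `strncpy(bufstart, tmpbuf, strlen(tmpbuf))` are interchangeable. They are not: with `n == strlen(src)`, `strncpy` copies the bytes of `src` and writes no terminating NUL, whereas `strcpy` copies the NUL as well. Code that writes a short prefix over the head of a buffer that already holds the rest of the output therefore keeps that tail under `strncpy` and loses it under `strcpy`, which is consistent with the truncated `wordnet test -synsn` output reported in the thread. The C program below is an added illustration written for this page, not WordNet code and not part of the oCERT patch; the buffer contents (`SEED`, `PREFIX`) and the `overlay_*` helpers are constructed, and whether WordNet's buffer actually relied on the missing terminator is an assumption the thread does not confirm. It also shows the point that matters for an overflow fix: neither call consults the size of the destination, so a capacity-checked overlay is what a hardened version looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an output buffer that already holds text when a
 * prefix is written over its first bytes (an assumption about the WordNet
 * code path, not taken from the patch). PREFIX is exactly as long as the
 * four leading blanks it replaces. */
#define SEED    "    6 senses of test"
#define PREFIX  "=>  "
#define BUF_CAP 32

enum overlay { OV_STRNCPY, OV_STRCPY, OV_BOUNDED };

static char g_buf[BUF_CAP];

/* Length of s within cap bytes; returns cap if no terminator is found. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t i = 0;
    while (i < cap && s[i] != '\0')
        i++;
    return i;
}

/* Capacity-checked overlay: refuses writes that would not fit in dst,
 * keeps the existing tail, and guarantees dst stays NUL-terminated.
 * Returns false (dst untouched) when src does not fit. */
static bool overlay_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    size_t have = bounded_len(dst, cap);
    if (n >= cap || have >= cap)
        return false;
    memcpy(dst, src, n);          /* no terminator written here ... */
    if (n > have)
        dst[n] = '\0';            /* ... unless we ran past the old one */
    return true;
}

/* Seed the buffer, then write PREFIX over its head with the chosen call
 * and return the resulting string. */
static const char *run_overlay(enum overlay which)
{
    memset(g_buf, 0, sizeof g_buf);
    memcpy(g_buf, SEED, sizeof SEED);       /* sizeof SEED includes the NUL */
    switch (which) {
    case OV_STRNCPY:
        /* n == strlen(src): copies the bytes, writes no NUL, tail survives */
        strncpy(g_buf, PREFIX, strlen(PREFIX));
        break;
    case OV_STRCPY:
        /* copies the NUL too: the string now ends right after the prefix */
        strcpy(g_buf, PREFIX);
        break;
    case OV_BOUNDED:
        overlay_bounded(g_buf, sizeof g_buf, PREFIX);
        break;
    }
    return g_buf;
}

/* Neither strcpy nor strncpy(dst, src, strlen(src)) looks at the size of
 * dst; the bounded version does and declines an oversize write. */
static bool overlay_rejects_oversize(void)
{
    char small[8] = "abcdefg";
    bool ok = overlay_bounded(small, sizeof small, "0123456789");
    return !ok && strcmp(small, "abcdefg") == 0;
}

int main(void)
{
    printf("strncpy overlay: \"%s\"\n", run_overlay(OV_STRNCPY));
    printf("strcpy overlay:  \"%s\"\n", run_overlay(OV_STRCPY));
    printf("bounded overlay: \"%s\"\n", run_overlay(OV_BOUNDED));
    printf("oversize rejected: %s\n", overlay_rejects_oversize() ? "yes" : "no");
    return 0;
}
```

Run as-is, the `strncpy` and bounded variants keep "6 senses of test" after the prefix, while the `strcpy` variant ends the string at the prefix, the same shape of symptom as the truncated synonym listing. The useful review question for a patch of this kind is therefore not which of the two calls is used, but whether the destination capacity is checked before any copy, which neither of the quoted calls does.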

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Oct 2008 07:27:07 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:59:32 2019; Machine Name: buxtehude
