Debian Bug report logs - #497441
wordnet: security audit found several vulnerabilities
Reported by: Thijs Kinkhorst <thijs@debian.org>
Date: Mon, 1 Sep 2008 19:24:01 UTC
Severity: serious
Tags: patch, security
Found in version wordnet/1:2.1-4
Fixed in versions 1:2.1-4+etch4, 1:3.0-11+lenny1, wordnet/1:3.0-12
Done: Andreas Tille <tille@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#497441; Package wordnet.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: wordnet
Version: 1:2.1-4
Severity: serious
Tags: security patch
Hi,
As a followup to #481186, oCERT conducted a security audit finding several
more vulnerabilities:
http://www.ocert.org/advisories/ocert-2008-014.html
The advisory has a patch which was also used for lenny and etch. Please fix
the issue in unstable as well.
thanks,
Thijs
Bug marked as fixed in version 1:2.1-4+etch4.
Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org (Tue, 02 Sep 2008 06:57:02 GMT).
Bug marked as fixed in version 1:3.0-11+lenny1.
Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org (Tue, 02 Sep 2008 06:57:03 GMT).
Reply sent to Andreas Tille <tille@debian.org>: You have taken responsibility.
Notification sent to Thijs Kinkhorst <thijs@debian.org>: Bug acknowledged by developer.
Message #14 received at 497441-close@bugs.debian.org:
Source: wordnet
Source-Version: 1:3.0-12
We believe that the bug you reported is fixed in the latest version of
wordnet, which is due to be installed in the Debian FTP archive:
dict-wn_3.0-12_all.deb
to pool/main/w/wordnet/dict-wn_3.0-12_all.deb
wordnet-base_3.0-12_all.deb
to pool/main/w/wordnet/wordnet-base_3.0-12_all.deb
wordnet-dev_3.0-12_i386.deb
to pool/main/w/wordnet/wordnet-dev_3.0-12_i386.deb
wordnet-grind_3.0-12_i386.deb
to pool/main/w/wordnet/wordnet-grind_3.0-12_i386.deb
wordnet-sense-index_3.0-12_all.deb
to pool/main/w/wordnet/wordnet-sense-index_3.0-12_all.deb
wordnet_3.0-12.diff.gz
to pool/main/w/wordnet/wordnet_3.0-12.diff.gz
wordnet_3.0-12.dsc
to pool/main/w/wordnet/wordnet_3.0-12.dsc
wordnet_3.0-12_i386.deb
to pool/main/w/wordnet/wordnet_3.0-12_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 497441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated wordnet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 02 Sep 2008 13:12:21 +0200
Source: wordnet
Binary: wordnet wordnet-dev wordnet-base wordnet-sense-index wordnet-grind dict-wn
Architecture: source all i386
Version: 1:3.0-12
Distribution: unstable
Urgency: low
Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Description:
dict-wn - electronic lexical database of English language for dict
wordnet - electronic lexical database of English language
wordnet-base - electronic lexical database of English language
wordnet-dev - electronic lexical database of English language
wordnet-grind - WordNet lexicographer files processor
wordnet-sense-index - electronic lexical database of English language
Closes: 497441
Changes:
wordnet (1:3.0-12) unstable; urgency=low
.
* debian/wnb: Added command line arguments to wrapper (Thanks to
Chung-chieh Shan <ccshan@post.harvard.edu>)
* Incorporate security patches
Closes: #497441
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIvSLpYDBbMcCf01oRArs8AJ96fZLNMPM9YO//Z+XFNWadarMzbQCgjWQB
KYsu/M1ZwQdiybXA+OBggcc=
=lYe5
-----END PGP SIGNATURE-----
Acknowledgement sent to Andreas Tille <tillea@rki.de>: Extra info received and forwarded to list.
Message #19 received at 497441@bugs.debian.org:
On Wed, 3 Sep 2008, Francesco Potorti` wrote:
> In the wordnet browser, after looking for a name, I ask for its
> synonyms. However, I only get a line saying that there are N senses. I
> can only get the synonyms one at a time, by writing a sense number in
> the sense box and then asking for synonyms.
I can confirm that
$ wordnet test -synsn
Synonyms/Hypernyms (Ordered by Estimated Frequency) of noun test
6 senses of test
shows the problem - so the problem is not only in the wnb GUI but has
its roots in the underlying library / command line interface.
> This is a regression with respect to the previous behaviour of
> displaying the synonyms of all the senses if the sense box was empty.
I can also confirm that this problem does not occur in version
3.0-11 package version of WordNet - so the security audited version
that was uploaded to fix #497441 was not clean and just produces this
bug.
I will try to inspect the patch and with some luck and reverting
parts of the patch set we might find the part which will introduce
this bug. I keep #497441 in CC to make people aware that something
is wrong with the patch but I have no idea how to contact the issuer
of the patch (there is no e-mail attached).
Kind regards
Andreas.
--
http://fam-tille.de
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list.
Message #24 received at 497441@bugs.debian.org:
Hi,
use CVE-2008-3908 as the CVE id for these issues.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Andreas Tille <tillea@rki.de>: Extra info received and forwarded to list.
Message #29 received at 497441@bugs.debian.org:
Hi,
in http://bugs.debian.org/497441 a patch is provided that should fix
several security problems. When investigating into the problem that
WordNet stopped working as usual when looking for synonym sets like
for instance
$ wordnet test -synsn
which should not only print
6 senses of test
but also the six senses with explanation I found the critical part
in the provided patch. I extracted it to
http://svn.debian.org/wsvn/debian-science/packages/wordnet/trunk/debian/patches/51_overflows.patch.broken?op=file&rev=0&sc=0
and I would like you to pronounce your opinion to my comment in the
header which says:
This part of the patch is completely broken, breaks functionality of
wordnet test -synsn
and I really wonder in how far a "strcpy(bufstart, tmpbuf);" is a
security fix compared to "strncpy(bufstart, tmpbuf, strlen(tmpbuf));"
Who did this patch????
I have no idea who did this patch and how to reach this person, but besides
breaking the functionality of the program IMHO this is a terrible thing
security wise. I would really like to get this patch revised for further
problems like this.
What would be the best strategy to fix the packages in Debian?
I could upload packages to unstable without this part of the
patch - it's just in SVN. But I have serious doubt about the
remaining parts.
Kind regards
Andreas.
--
http://fam-tille.de
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list.
Message #34 received at 497441@bugs.debian.org:
Hi Andreas,
* Andreas Tille <tillea@rki.de> [2008-09-05 15:40]:
[...]
> This part of the patch is completely broken, breaks functionality of
> wordnet test -synsn
> and I really wonder in how far a "strcpy(bufstart, tmpbuf);" is a
> security fix compared to "strncpy(bufstart, tmpbuf, strlen(tmpbuf));"
> Who did this patch????
As far as I know this was part of the patch by oCert.
However it's not a security fix but just a cleanup as both
function calls are equal.
[...]
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Andreas Tille <tillea@rki.de>: Extra info received and forwarded to list.
Message #39 received at 497441@bugs.debian.org:
On Fri, 5 Sep 2008, Nico Golde wrote:
> As far as I know this was part of the patch by oCert.
Well, who actually is oCert, i.e. how can I report problems with
their patches?
> However it's not a security fix but just a cleanup as both
> function calls are equal.
Well, apparently they are not. If you include the patch wordnet
fails displaying synonyms. I have no idea why. And while I'm
no security expert I prefer strncpy - OK I admit strlen seeks
for a '\0' and thus it might look equal at first view, but feel
free to try the difference with and without this part of the
patch (check out from SVN might help you seeing the difference).
Kind regards
Andreas.
--
http://fam-tille.de
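An added example, not part of this thread or of the WordNet source: a small C model of the two calls quoted in the messages above. It assumes, hypothetically, that the header is written into space reserved in front of an already formatted body (`render`, `HDR_ROOM` and the body text are constructed); under that assumption `strcpy` writes a terminating NUL that hides the body, `strncpy(dst, src, strlen(src))` does not, and neither call is bounded by the destination size.

```c
#include <stdio.h>
#include <string.h>

#define HDR_ROOM 24  /* constructed: bytes reserved in front of the body */

/* Model (an assumption, not WordNet source): the body is formatted first,
 * then a summary header is written into the space reserved before it.
 * Returns the length of the resulting C string, or -1 if it cannot fit. */
long render(char *out, size_t outsz, const char *hdr, const char *body,
            int use_strcpy)
{
    size_t hlen = strlen(hdr), blen = strlen(body);

    /* Neither call below is bounded by the destination: strlen(hdr) is the
     * SOURCE length. The only real bound is this explicit check. */
    if (hlen > HDR_ROOM || outsz < HDR_ROOM + blen + 1)
        return -1;

    memset(out, ' ', HDR_ROOM);              /* reserved header space */
    memcpy(out + HDR_ROOM, body, blen + 1);  /* body plus its NUL */

    if (use_strcpy)
        strcpy(out, hdr);         /* copies hlen bytes AND a NUL */
    else
        strncpy(out, hdr, hlen);  /* copies hlen bytes, no NUL */

    return (long)strlen(out);
}

int main(void)
{
    char buf[128];
    const char *hdr = "6 senses of test";                 /* from the thread */
    const char *body = "\nSense 1\n(constructed body)\n"; /* constructed */

    render(buf, sizeof buf, hdr, body, 0);
    printf("strncpy: [%s]\n", buf);  /* header, padding, then the body */
    render(buf, sizeof buf, hdr, body, 1);
    printf("strcpy:  [%s]\n", buf);  /* header only; body is cut off */
    return 0;
}
```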
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list.
Message #44 received at 497441@bugs.debian.org:
Hi Andreas,
* Andreas Tille <tillea@rki.de> [2008-09-05 17:59]:
> On Fri, 5 Sep 2008, Nico Golde wrote:
>
> >As far as I know this was part of the patch by oCert.
>
> Well, who actually is oCert, i.e. how can I report problems with
> their patches?
http://www.ocert.org/advisories/ocert-2008-014.html
https://www.ocert.org/contact_info.html has some contact
information.
> >However it's not a security fix but just a cleanup as both
> >function calls are equal.
>
> Well, apparently they are not. If you include the patch wordnet
> fails displaying synonyms. I have no idea why. And while I'm
> no security expert I prefer strncpy - OK I admit strlen seeks
> for a '\0' and thus it might look equal at first view, but feel
> free to try the difference with and without this part of the
> patch (check out from SVN might help you seeing the difference).
Sorry I have no time to dig into this further as I'm moving
to a new house on monday :)
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Fri, 24 Oct 2008 07:27:07 GMT).