Debian Bug report logs - #648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 10 Nov 2011 19:21:02 UTC
Severity: grave
Tags: security
Found in version chasen/2.4.4-16
Fixed in version chasen/2.4.4-17
Done: NOKUBI Takatsugu <knok@daionet.gr.jp>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>: Bug#648359; Package libchasen2. (Thu, 10 Nov 2011 19:21:05 GMT)
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: New Bug report received and forwarded. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Thu, 10 Nov 2011 19:21:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libchasen2
Version: 2.4.4-16
Severity: grave
Tags: security
JPCERT disclosed an unspecified buffer overflow vulnerability in
ChaSen:
<http://jvn.jp/en/jp/JVN16901583/index.html>
Apparently, upstream will not provide patches. Would you be willing
to work on this issue if we can obtain further details?
Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>: Bug#648359; Package libchasen2. (Mon, 14 Nov 2011 13:03:08 GMT)
Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>: Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Mon, 14 Nov 2011 13:03:12 GMT)
Message #10 received at 648359@bugs.debian.org:
Hi,
On Thu, 10 Nov 2011 20:18:15 +0100
Florian Weimer <fw@deneb.enyo.de> wrote:
> JPCERT disclosed an unspecified buffer overflow vulnerability in
> ChaSen:
>
> <http://jvn.jp/en/jp/JVN16901583/index.html>
>
> Apparently, upstream will not provide patches. Would you be willing
> to work on this issue if we can obtain further details?
Yes, Nokubi-san and I hope so, and I asked JVN to send more details
about it if they can.
--
Regards,
Hideki Yamane henrich @ debian.or.jp/org
http://wiki.debian.org/HidekiYamane
Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>: Bug#648359; Package libchasen2. (Tue, 22 Nov 2011 20:18:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Tue, 22 Nov 2011 20:18:03 GMT)
Message #15 received at 648359@bugs.debian.org:
On Mon, Nov 14, 2011 at 10:01:41PM +0900, Hideki Yamane wrote:
> Hi,
>
> On Thu, 10 Nov 2011 20:18:15 +0100
> Florian Weimer <fw@deneb.enyo.de> wrote:
> > JPCERT disclosed an unspecified buffer overflow vulnerability in
> > ChaSen:
> >
> > <http://jvn.jp/en/jp/JVN16901583/index.html>
> >
> > Apparently, upstream will not provide patches. Would you be willing
> > to work on this issue if we can obtain further details?
>
> Yes, Nokubi-san and I hope so, and I asked JVN to send more details
> about it if they can.
Any results yet?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>: Bug#648359; Package libchasen2. (Wed, 23 Nov 2011 13:45:08 GMT)
Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>: Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Wed, 23 Nov 2011 13:45:08 GMT)
Message #20 received at 648359@bugs.debian.org:
Hi,
On Tue, 22 Nov 2011 21:16:14 +0100
Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Any results yet?
We've got a report from JPCERT, and Nokubi-san made a patch for it and
sent it to them. Should it be reviewed by the security team before
disclosing it?
--
Regards,
Hideki Yamane henrich @ debian.or.jp/org
http://wiki.debian.org/HidekiYamane
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#648359; Package libchasen2. (Wed, 23 Nov 2011 23:27:16 GMT)
Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>: Extra info received and forwarded to list. (Wed, 23 Nov 2011 23:27:16 GMT)
Message #25 received at 648359@bugs.debian.org:
At Tue, 22 Nov 2011 21:16:14 +0100,
Moritz Mühlenhoff wrote:
> > > JPCERT disclosed an unspecified buffer overflow vulnerability in
> > > ChaSen:
> > >
> > > <http://jvn.jp/en/jp/JVN16901583/index.html>
> > >
> > > Apparently, upstream will not provide patches. Would you be willing
> > > to work on this issue if we can obtain further details?
> >
> > Yes, Nokubi-san and I hope so, and I asked JVN to send more details
> > about it if they can.
>
> Any results yet?
The following is the patch to fix the issue:
diff --git a/lib/chalib.c b/lib/chalib.c
index 5d79e13..66caee3 100644
--- a/lib/chalib.c
+++ b/lib/chalib.c
@@ -306,9 +306,14 @@ chasen_sparse_main(char *input, FILE *output)
*/
while (*input) {
int c = 0, len, cursor;
- if ((crlf = strpbrk(input, "\r\n")) == NULL)
+ if ((crlf = strpbrk(input, "\r\n")) == NULL) {
len = strlen(input);
- else {
+ if (len > CHA_INPUT_SIZE) {
+ len = CHA_INPUT_SIZE;
+ crlf = input + CHA_INPUT_SIZE - 1;
+ c = 0;
+ }
+ } else {
len = crlf - input;
c = *crlf;
*crlf = '\0';
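Review bot: the bound `if (len > CHA_INPUT_SIZE)` still lets `len == CHA_INPUT_SIZE` through, and the truncation branch itself sets `len = CHA_INPUT_SIZE`; if the destination is a `CHA_INPUT_SIZE`-byte buffer that also has to hold the terminating NUL, an input of CHA_INPUT_SIZE or more bytes without a newline still fills it completely with no room for the terminator. Suggest `if (len >= CHA_INPUT_SIZE)` with `len = CHA_INPUT_SIZE - 1`. Also, unlike the `else` branch, the truncation branch never writes `*crlf = '\0'`, so a callee that relies on `input` being NUL-terminated rather than on `len` still sees the whole untruncated line.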
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#648359; Package libchasen2. (Thu, 24 Nov 2011 01:48:05 GMT)
Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>: Extra info received and forwarded to list. (Thu, 24 Nov 2011 01:48:05 GMT)
Message #30 received at 648359@bugs.debian.org:
Sorry, the previous patch was wrong; here is the second patch.
BTW, the security issue comes from a fixed-length string buffer
(CHA_INPUT_SIZE = 8192), and the input string can be longer than 8192
bytes in some situations.
The patch is for the chasen_sparse_str() function, and the function works
almost the same as chasen_fparse_str(). The two functions differ in their
input source (string or file pointer).
diff --git a/lib/chalib.c b/lib/chalib.c
index 5d79e13..cddf51b 100644
--- a/lib/chalib.c
+++ b/lib/chalib.c
@@ -306,9 +306,14 @@ chasen_sparse_main(char *input, FILE *output)
*/
while (*input) {
int c = 0, len, cursor;
- if ((crlf = strpbrk(input, "\r\n")) == NULL)
+ if ((crlf = strpbrk(input, "\r\n")) == NULL) {
len = strlen(input);
- else {
+ if (len >= CHA_INPUT_SIZE) {
+ len = CHA_INPUT_SIZE - 1;
+ crlf = input + CHA_INPUT_SIZE - 2;
+ c = 0;
+ }
+ } else {
len = crlf - input;
c = *crlf;
*crlf = '\0';
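Review bot: the relation between `len` and `crlf` differs between the two branches. In the `else` branch `len = crlf - input`, so `crlf` is the byte just after the segment; in the truncation branch `len = CHA_INPUT_SIZE - 1` but `crlf = input + CHA_INPUT_SIZE - 2`, which is the last byte of the segment. The hunk does not show how `input` advances, but any code that treats `crlf` as the segment end the way the `else` branch does will process the last byte of a truncated segment twice; `crlf = input + len;` keeps both branches consistent. The `c = 0;` assignment is redundant given `int c = 0` at the top of the loop body, and the truncation branch still does not NUL-terminate at `*crlf` as the `else` branch does, so callees that depend on the terminator rather than on `len` see the full line.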
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#648359; Package libchasen2. (Thu, 24 Nov 2011 02:09:03 GMT)
Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>: Extra info received and forwarded to list. (Thu, 24 Nov 2011 02:09:03 GMT)
Message #35 received at 648359@bugs.debian.org:
I wrote a DSA draft, check it please.
BTW, JVN's workaround is not correct. There is also the same problem
in ChaSen 2.3.3.
--
DSA-xxxx-1 chasen -- buffer overflow
Affected Packages:
libchasen2
libchasen-dev
libtext-chasen-perl
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2011-4000
In the Japan Vulnerability Notes: JVN16901583 <http://jvn.jp/en/jp/JVN16901583/index.html>
More information:
It was discovered that there is a buffer overflow in ChaSen's processing of Japanese string parsing in memory.
It only affects the chasen_sparse_tostr function, and not the chasen command or other parsing functions like chasen_fparse_tostr.
There is a workaround: use the chasen command via a pipe, instead of the chasen_sparse_tostr function.
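The whole bug, as Message #30 and the DSA draft above describe it, is a fixed-length input buffer (CHA_INPUT_SIZE = 8192) fed lines that can be longer than it. As an added example, not code from ChaSen or from anyone in this thread, the following C program shows a line splitter that applies the kind of bound the patch introduces: a segment ends at the first CR or LF or after INPUT_SIZE - 1 bytes, so the terminating NUL always lands inside the buffer, and an over-long line is delivered as several bounded segments instead of one oversized copy. INPUT_SIZE, next_segment, segment_lengths and guard_intact_after are names chosen here; INPUT_SIZE is set to 8 rather than 8192 only to keep the demonstration readable.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for ChaSen's CHA_INPUT_SIZE (8192 in the real code); a small
 * value keeps the demonstration readable. Assumed, not taken from chasen. */
#define INPUT_SIZE 8

/*
 * Copy the next segment of *input into buf. A segment ends at the first
 * CR or LF, or after INPUT_SIZE - 1 bytes if the line is longer than the
 * buffer, so buf[len] = '\0' is always inside the buffer. Returns the
 * segment length and advances *input past the segment (and past one
 * line terminator, if that is where the segment ended).
 */
static size_t next_segment(const char **input, char buf[INPUT_SIZE])
{
    const char *p = *input;
    size_t len = strcspn(p, "\r\n");   /* bytes before the line end (or NUL) */

    if (len > INPUT_SIZE - 1)
        len = INPUT_SIZE - 1;          /* truncate: keep room for the NUL */

    memcpy(buf, p, len);
    buf[len] = '\0';

    p += len;
    if (*p == '\r' || *p == '\n')
        p++;                           /* consume the terminator we stopped at */
    *input = p;
    return len;
}

/*
 * Split input into bounded segments, storing each length in lens (up to
 * max_out entries). Returns the number of segments produced; a line
 * longer than INPUT_SIZE - 1 bytes yields several segments instead of
 * one oversized copy.
 */
static int segment_lengths(const char *input, size_t *lens, int max_out)
{
    char buf[INPUT_SIZE];
    int n = 0;
    while (*input && n < max_out)
        lens[n++] = next_segment(&input, buf);
    return n;
}

/*
 * Run the bounded splitter over input with a guard value placed right
 * after the buffer, and report whether the guard survived (1) or was
 * overwritten (0). A coarse runtime check that the length bound keeps
 * every write inside the buffer.
 */
static int guard_intact_after(const char *input)
{
    struct {
        char buf[INPUT_SIZE];
        char guard[4];
    } s;
    memcpy(s.guard, "GRD", 4);
    while (*input)
        next_segment(&input, s.buf);
    return memcmp(s.guard, "GRD", 4) == 0;
}

int main(void)
{
    /* Constructed sample: one line much longer than the INPUT_SIZE buffer. */
    const char *input = "this line is longer than the buffer\nshort\n";
    char buf[INPUT_SIZE];
    while (*input) {
        size_t len = next_segment(&input, buf);
        printf("%2zu: \"%s\"\n", len, buf);
    }
    printf("guard intact: %d\n", guard_intact_after("abcdefghijklmnopqrstuvwxyz"));
    return 0;
}
```

The guard check is only a sanity test for the demonstration (an overflow that skipped the guard bytes would not be caught); the actual assurance is the `len > INPUT_SIZE - 1` clamp, the same `>=` / `- 1` form that the second patch in Message #30 settles on. A `\r\n` pair is consumed one byte per call, which yields one empty segment, matching the per-character `strpbrk(input, "\r\n")` handling in the patched loop.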
Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>: Bug#648359; Package libchasen2. (Thu, 24 Nov 2011 17:12:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Thu, 24 Nov 2011 17:12:04 GMT)
Message #40 received at 648359@bugs.debian.org:
On Thu, Nov 24, 2011 at 11:05:05AM +0900, NOKUBI Takatsugu wrote:
> I wrote a DSA draft, check it please.
>
> BTW, JVN's workaround is not correct. There is also the same problem
> in ChaSen 2.3.3.
>
> --
> DSA-xxxx-1 chasen -- buffer overflow
>
> Affected Packages:
> libchasen2
> libchasen-dev
> libtext-chasen-perl
Does that mean that the vulnerable code is also present in
libtext-chasen-perl?
Please prepare updated packages for stable-security:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
You need to build the package with "-sa".
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#648359; Package libchasen2. (Fri, 25 Nov 2011 03:36:03 GMT)
Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>: Extra info received and forwarded to list. (Fri, 25 Nov 2011 03:36:03 GMT)
Message #45 received at 648359@bugs.debian.org:
At Thu, 24 Nov 2011 18:08:24 +0100,
Moritz Muehlenhoff wrote:
>
> > Affected Packages:
> > libchasen2
> > libchasen-dev
> > libtext-chasen-perl
>
> Does that mean that the vulnerable code is also present in
> libtext-chasen-perl?
Ah, it means libtext-chasen-perl depends on libchasen2, and it uses the
vulnerable function. But I think it doesn't need to be rebuilt.
> Please prepare updated packages for stable-security.
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
>
> You need to build the package with "-sa"
I see. Thank you for the information.
Reply sent to NOKUBI Takatsugu <knok@daionet.gr.jp>: You have taken responsibility. (Thu, 08 Dec 2011 02:51:04 GMT)
Notification sent to Florian Weimer <fw@deneb.enyo.de>: Bug acknowledged by developer. (Thu, 08 Dec 2011 02:51:04 GMT)
Message #50 received at 648359-close@bugs.debian.org:
Source: chasen
Source-Version: 2.4.4-17
We believe that the bug you reported is fixed in the latest version of
chasen, which is due to be installed in the Debian FTP archive:
chasen-dictutils_2.4.4-17_i386.deb
to main/c/chasen/chasen-dictutils_2.4.4-17_i386.deb
chasen_2.4.4-17.diff.gz
to main/c/chasen/chasen_2.4.4-17.diff.gz
chasen_2.4.4-17.dsc
to main/c/chasen/chasen_2.4.4-17.dsc
chasen_2.4.4-17_i386.deb
to main/c/chasen/chasen_2.4.4-17_i386.deb
libchasen-dev_2.4.4-17_i386.deb
to main/c/chasen/libchasen-dev_2.4.4-17_i386.deb
libchasen2_2.4.4-17_i386.deb
to main/c/chasen/libchasen2_2.4.4-17_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 648359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
NOKUBI Takatsugu <knok@daionet.gr.jp> (supplier of updated chasen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 08 Dec 2011 01:58:33 +0000
Source: chasen
Binary: libchasen-dev libchasen2 chasen chasen-dictutils
Architecture: source i386
Version: 2.4.4-17
Distribution: unstable
Urgency: low
Maintainer: NOKUBI Takatsugu <knok@daionet.gr.jp>
Changed-By: NOKUBI Takatsugu <knok@daionet.gr.jp>
Description:
chasen - Japanese Morphological Analysis System
chasen-dictutils - Japanese Morphological Analysis System - utilities for dictionary
libchasen-dev - Japanese Morphological Analysis System (libraries and headers)
libchasen2 - Japanese Morphological Analysis System (shared libraries)
Closes: 648359
Changes:
chasen (2.4.4-17) unstable; urgency=low
.
* debian/patches/sparse_main-secfix.dpatch: Added a security patch
for CVE-2011-4000, closes: #648359
Checksums-Sha1:
f4773f13aaf1c8d629f1392b71752e311bf532e0 1248 chasen_2.4.4-17.dsc
29cbd230092d075540539dfb087055c1328ebbdd 9837 chasen_2.4.4-17.diff.gz
938fd44da9b7485b33f0f208f1f317f10c200e7b 54810 libchasen-dev_2.4.4-17_i386.deb
f8498c7d1f08a1289e6782f4e984ae4cf67c457f 51858 libchasen2_2.4.4-17_i386.deb
c239c8a402742ce5e9a6566f1a58cb443116e6e4 461836 chasen_2.4.4-17_i386.deb
507840b18833161bd1d3165d2c0bdf2880d4decc 24788 chasen-dictutils_2.4.4-17_i386.deb
Checksums-Sha256:
a3f49248e31b7738b934d3cd609d8716f06200736a7f0836c4db76af3b969601 1248 chasen_2.4.4-17.dsc
5d3512eeab5dc01123e8891eafd4b41af374deeca9745ee6bc31609ab1e16baf 9837 chasen_2.4.4-17.diff.gz
d5bdf55778f1f56efda252ba778d53fb8ff91bb1643be6b9c19d46d9dd0ec21b 54810 libchasen-dev_2.4.4-17_i386.deb
b30e2bf8dd2bba0c3924d73969cdbf8582e08b307749cd15e70dc6b2fd673ff4 51858 libchasen2_2.4.4-17_i386.deb
81ec188a1626c0883e039ddb608e6d5437f9d74ed180a157fd19d8b103f54361 461836 chasen_2.4.4-17_i386.deb
760dbeff96da2acf52e27d49431a0874d5f9a2613302738809b9fc42a53f9224 24788 chasen-dictutils_2.4.4-17_i386.deb
Files:
2007acc5bce100313f2daa993faa689d 1248 misc optional chasen_2.4.4-17.dsc
30a8175ed0b8a605d730c3e68a06d281 9837 misc optional chasen_2.4.4-17.diff.gz
aecee1dd3efc65d0aea684e1291a4ec9 54810 libdevel optional libchasen-dev_2.4.4-17_i386.deb
06d062134f098cb5c342f12d2e421b4c 51858 libs optional libchasen2_2.4.4-17_i386.deb
edec48f400792fa65035cee3f6d462f0 461836 misc optional chasen_2.4.4-17_i386.deb
7c61f435f39ba3148136056cad756476 24788 misc optional chasen-dictutils_2.4.4-17_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFO4Bs7K6gmAsLOgJkRArsGAJwNFOX12B9U/PXzP4uxc+3ddbKYfwCgjyic
/6kk1OxKMKeBQrUbXcnNLZ8=
=ip5e
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jan 2012 07:35:02 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:03:25 2019.