[CVE-2011-4000] Unspecified buffer overflow vulnerability

Related Vulnerabilities: CVE-2011-4000  

Debian Bug report logs - #648359
[CVE-2011-4000] Unspecified buffer overflow vulnerability


Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Thu, 10 Nov 2011 19:21:02 UTC

Severity: grave

Tags: security

Found in version chasen/2.4.4-16

Fixed in version chasen/2.4.4-17

Done: NOKUBI Takatsugu <knok@daionet.gr.jp>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>:
Bug#648359; Package libchasen2. (Thu, 10 Nov 2011 19:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Thu, 10 Nov 2011 19:21:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Thu, 10 Nov 2011 20:18:15 +0100
Package: libchasen2
Version: 2.4.4-16
Severity: grave
Tags: security

JPCERT disclosed an unspecified buffer overflow vulnerability in
ChaSen:

<http://jvn.jp/en/jp/JVN16901583/index.html>

Apparently, upstream will not provide patches.  Would you be willing
to work on this issue if we can obtain further details?




Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>:
Bug#648359; Package libchasen2. (Mon, 14 Nov 2011 13:03:08 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Mon, 14 Nov 2011 13:03:12 GMT) (full text, mbox, link).


Message #10 received at 648359@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.or.jp>
To: Florian Weimer <fw@deneb.enyo.de>, 648359@bugs.debian.org
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Mon, 14 Nov 2011 22:01:41 +0900
Hi,

On Thu, 10 Nov 2011 20:18:15 +0100
Florian Weimer <fw@deneb.enyo.de> wrote:
> JPCERT disclosed an unspecified buffer overflow vulnerability in
> ChaSen:
> 
> <http://jvn.jp/en/jp/JVN16901583/index.html>
> 
> Apparently, upstream will not provide patches.  Would you be willing
> to work on this issue if we can obtain further details?

 Yes, Nokubi-san and I hope so, and I have asked JVN to send more details
 about it if they can.


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane

Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>:
Bug#648359; Package libchasen2. (Tue, 22 Nov 2011 20:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Tue, 22 Nov 2011 20:18:03 GMT) (full text, mbox, link).


Message #15 received at 648359@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: Florian Weimer <fw@deneb.enyo.de>, 648359@bugs.debian.org
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Tue, 22 Nov 2011 21:16:14 +0100
On Mon, Nov 14, 2011 at 10:01:41PM +0900, Hideki Yamane wrote:
> Hi,
> 
> On Thu, 10 Nov 2011 20:18:15 +0100
> Florian Weimer <fw@deneb.enyo.de> wrote:
> > JPCERT disclosed an unspecified buffer overflow vulnerability in
> > ChaSen:
> > 
> > <http://jvn.jp/en/jp/JVN16901583/index.html>
> > 
> > Apparently, upstream will not provide patches.  Would you be willing
> > to work on this issue if we can obtain further details?
> 
>  Yes, I and Nokubi-san hope so, and I asked JVN to send more detail
>  about it if they can.

Any results yet?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>:
Bug#648359; Package libchasen2. (Wed, 23 Nov 2011 13:45:08 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Wed, 23 Nov 2011 13:45:08 GMT) (full text, mbox, link).


Message #20 received at 648359@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.or.jp>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 648359@bugs.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Wed, 23 Nov 2011 22:11:52 +0900
Hi,

On Tue, 22 Nov 2011 21:16:14 +0100
Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Any results yet?

 We've got a report from JPCERT, and Nokubi-san made a patch for it and
 sent it to them. Should it be reviewed by the security team before
 disclosing it?


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#648359; Package libchasen2. (Wed, 23 Nov 2011 23:27:16 GMT) (full text, mbox, link).


Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>:
Extra info received and forwarded to list. (Wed, 23 Nov 2011 23:27:16 GMT) (full text, mbox, link).


Message #25 received at 648359@bugs.debian.org (full text, mbox, reply):

From: NOKUBI Takatsugu <knok@daionet.gr.jp>
To: Moritz Mühlenhoff <jmm@inutil.org>, 648359@bugs.debian.org
Cc: Hideki Yamane <henrich@debian.or.jp>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Thu, 24 Nov 2011 08:16:57 +0900
At Tue, 22 Nov 2011 21:16:14 +0100,
Moritz Mühlenhoff wrote:
> > > JPCERT disclosed an unspecified buffer overflow vulnerability in
> > > ChaSen:
> > > 
> > > <http://jvn.jp/en/jp/JVN16901583/index.html>
> > > 
> > > Apparently, upstream will not provide patches.  Would you be willing
> > > to work on this issue if we can obtain further details?
> > 
> >  Yes, I and Nokubi-san hope so, and I asked JVN to send more detail
> >  about it if they can.
> 
> Any results yet?

The following is the patch to fix the issue:

diff --git a/lib/chalib.c b/lib/chalib.c
index 5d79e13..66caee3 100644
--- a/lib/chalib.c
+++ b/lib/chalib.c
@@ -306,9 +306,14 @@ chasen_sparse_main(char *input, FILE *output)
      */
     while (*input) {
        int c = 0, len, cursor;
-       if ((crlf = strpbrk(input, "\r\n")) == NULL)
+       if ((crlf = strpbrk(input, "\r\n")) == NULL) {
            len = strlen(input);
-       else {
+           if (len > CHA_INPUT_SIZE) {
+               len = CHA_INPUT_SIZE;
+               crlf = input + CHA_INPUT_SIZE - 1;
+               c = 0;
+           }
+       } else {
            len = crlf - input;
            c = *crlf;
            *crlf = '\0';
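Review bot: the truncation branch is off by one and breaks the invariant the else branch keeps. With `len = CHA_INPUT_SIZE`, a copy into a CHA_INPUT_SIZE-byte buffer leaves no room for the NUL terminator, and `crlf = input + CHA_INPUT_SIZE - 1` no longer satisfies `len == crlf - input`, which the else branch guarantees through `len = crlf - input`. Suggest `if (len >= CHA_INPUT_SIZE)` with `len = CHA_INPUT_SIZE - 1` and `crlf = input + len`, and decide explicitly whether the byte at `crlf` should be saved in `c` and the segment terminated there with `*crlf = '\0'` as the else branch does, so the code after the branch sees the same shape either way; the hunk does not show how the remainder of an over-long line is handled. `c = 0` is redundant, since `c` is initialised to 0 at the top of the loop body.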




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#648359; Package libchasen2. (Thu, 24 Nov 2011 01:48:05 GMT) (full text, mbox, link).


Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>:
Extra info received and forwarded to list. (Thu, 24 Nov 2011 01:48:05 GMT) (full text, mbox, link).


Message #30 received at 648359@bugs.debian.org (full text, mbox, reply):

From: NOKUBI Takatsugu <knok@daionet.gr.jp>
To: NOKUBI Takatsugu <knok@daionet.gr.jp>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 648359@bugs.debian.org, Hideki Yamane <henrich@debian.or.jp>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Thu, 24 Nov 2011 10:45:12 +0900
Sorry, the previous patch was wrong; here is the second patch.

BTW, the security issue comes from a fixed-length string buffer
(CHA_INPUT_SIZE = 8192), and the input string will be longer than 8192
bytes in some situations.

The patch is for the chasen_sparse_str() function, and the function works
almost the same as chasen_fparse_str(). The two functions differ in input
source (string or file pointer).

diff --git a/lib/chalib.c b/lib/chalib.c
index 5d79e13..cddf51b 100644
--- a/lib/chalib.c
+++ b/lib/chalib.c
@@ -306,9 +306,14 @@ chasen_sparse_main(char *input, FILE *output)
      */
     while (*input) {
        int c = 0, len, cursor;
-       if ((crlf = strpbrk(input, "\r\n")) == NULL)
+       if ((crlf = strpbrk(input, "\r\n")) == NULL) {
            len = strlen(input);
-       else {
+           if (len >= CHA_INPUT_SIZE) {
+               len = CHA_INPUT_SIZE - 1;
+               crlf = input + CHA_INPUT_SIZE - 2;
+               c = 0;
+           }
+       } else {
            len = crlf - input;
            c = *crlf;
            *crlf = '\0';
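Review bot: `crlf = input + CHA_INPUT_SIZE - 2` is one byte short: with `len = CHA_INPUT_SIZE - 1`, the else branch's invariant `len == crlf - input` would need `crlf = input + CHA_INPUT_SIZE - 1`. The `>=` check and the cap at CHA_INPUT_SIZE - 1 now leave room for the terminator, but unlike the else branch this branch does not terminate the segment at `crlf` (no `*crlf = '\0'`), so a consumer that relies on the NUL rather than on `len` still reads past the cap; either terminate here too or make sure every copy is bounded by `len`. Please also add a comment on what happens to the rest of an over-long line: `c = 0` is already the initial value, so the continuation code gets no indication that truncation, rather than end of line, occurred.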


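As an added example (not code from ChaSen or from the Debian patch above), the following C line splitter has the shape of the chasen_sparse_main loop: it stages each line in a CHA_INPUT_SIZE-byte buffer but caps every copy at CHA_INPUT_SIZE - 1 bytes and, going beyond the patch, feeds an over-long line through as several bounded segments instead of truncating it. The names split_lines, sample_stats and seg_stats are my own, the sample input is constructed, and CHA_INPUT_SIZE = 8192 is the value quoted in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHA_INPUT_SIZE 8192   /* buffer size quoted in the bug thread */

struct seg_stats {            /* what the caller can verify afterwards */
    size_t segments;          /* how many bounded segments were produced */
    size_t max_len;           /* longest segment handed to the consumer */
};

/* Walk `input` line by line, staging each line in a CHA_INPUT_SIZE buffer
 * like chasen_sparse_main, but never copying more than CHA_INPUT_SIZE - 1
 * bytes: a longer line is handed over in several segments, so nothing is
 * dropped and the terminator always fits. `input` is not modified. */
static void split_lines(const char *input, struct seg_stats *st)
{
    char buf[CHA_INPUT_SIZE];
    st->segments = 0;
    st->max_len = 0;
    while (*input) {
        const char *crlf = strpbrk(input, "\r\n");
        size_t len = crlf ? (size_t)(crlf - input) : strlen(input);
        if (len > CHA_INPUT_SIZE - 1) {
            len = CHA_INPUT_SIZE - 1;  /* bounded; the rest is seen next round */
            crlf = NULL;               /* no line terminator consumed yet */
        }
        memcpy(buf, input, len);       /* len < sizeof buf, so this is safe */
        buf[len] = '\0';
        /* a real analyser would parse buf here; we only record statistics */
        st->segments++;
        if (len > st->max_len)
            st->max_len = len;
        input += len;
        if (crlf)
            input++;                   /* skip the CR or LF just handled */
    }
}

/* Constructed sample (hypothetical helper): a line of `line_len` 'a' bytes,
 * then "\r\n", then "tail". Returns the stats split_lines produced for it. */
struct seg_stats sample_stats(size_t line_len)
{
    struct seg_stats st = {0, 0};
    char *s = malloc(line_len + 7);    /* 'a' * line_len + "\r\ntail" + NUL */
    if (s == NULL)
        return st;
    memset(s, 'a', line_len);
    memcpy(s + line_len, "\r\ntail", 7);
    split_lines(s, &st);
    free(s);
    return st;
}

int main(void)
{
    struct seg_stats st = sample_stats(20000);
    printf("segments=%zu max_len=%zu\n", st.segments, st.max_len);
    return 0;
}
```

A 20000-byte line comes out as two 8191-byte segments plus a 3618-byte one, followed by the empty segment between CR and LF and the "tail" line.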


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#648359; Package libchasen2. (Thu, 24 Nov 2011 02:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>:
Extra info received and forwarded to list. (Thu, 24 Nov 2011 02:09:03 GMT) (full text, mbox, link).


Message #35 received at 648359@bugs.debian.org (full text, mbox, reply):

From: NOKUBI Takatsugu <knok@daionet.gr.jp>
To: NOKUBI Takatsugu <knok@daionet.gr.jp>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 648359@bugs.debian.org, Hideki Yamane <henrich@debian.or.jp>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Thu, 24 Nov 2011 11:05:05 +0900
I wrote a DSA draft; please check it.

BTW, JVN's workaround is not correct. There is also the same problem
in ChaSen 2.3.3.

-- 
DSA-xxxx-1 chasen -- buffer overflow

Affected Packages:
libchasen2
libchasen-dev
libtext-chasen-perl

Vulnerable:
Yes

Security database references:
In Mitre's CVE dictionary: CVE-2011-4000
In the Japan Vulnerability Notes: JVN16901583 <http://jvn.jp/en/jp/JVN16901583/index.html>

More information:

It was discovered that there is a buffer overflow in ChaSen's in-memory parsing of Japanese strings.
It only affects the chasen_sparse_tostr function, and not the chasen command or other parsing functions like chasen_fparse_tostr.

There is a workaround: use the chasen command via a pipe instead of the chasen_sparse_tostr function.




Information forwarded to debian-bugs-dist@lists.debian.org, NOKUBI Takatsugu <knok@daionet.gr.jp>:
Bug#648359; Package libchasen2. (Thu, 24 Nov 2011 17:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to NOKUBI Takatsugu <knok@daionet.gr.jp>. (Thu, 24 Nov 2011 17:12:04 GMT) (full text, mbox, link).


Message #40 received at 648359@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: NOKUBI Takatsugu <knok@daionet.gr.jp>
Cc: 648359@bugs.debian.org, Hideki Yamane <henrich@debian.or.jp>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Thu, 24 Nov 2011 18:08:24 +0100
On Thu, Nov 24, 2011 at 11:05:05AM +0900, NOKUBI Takatsugu wrote:
> I wrote a DSA draft, check it please.
> 
> BTW, JVN's workaround is not correct. There is also the same problem
> in ChaSen 2.3.3.
> 
> -- 
> DSA-xxxx-1 chasen -- buffer overflow
> 
> Affected Packages:
> libchasen2
> libchasen-dev
> libtext-chasen-perl

Does that mean that the vulnerable code is also present in
libtext-chasen-perl?

Please prepare updated packages for stable-security.
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

You need to build the package with "-sa" 

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#648359; Package libchasen2. (Fri, 25 Nov 2011 03:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to NOKUBI Takatsugu <knok@daionet.gr.jp>:
Extra info received and forwarded to list. (Fri, 25 Nov 2011 03:36:03 GMT) (full text, mbox, link).


Message #45 received at 648359@bugs.debian.org (full text, mbox, reply):

From: NOKUBI Takatsugu <knok@daionet.gr.jp>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: NOKUBI Takatsugu <knok@daionet.gr.jp>, 648359@bugs.debian.org, Hideki Yamane <henrich@debian.or.jp>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability
Date: Fri, 25 Nov 2011 12:32:43 +0900
At Thu, 24 Nov 2011 18:08:24 +0100,
Moritz Muehlenhoff wrote:
> 
> > Affected Packages:
> > libchasen2
> > libchasen-dev
> > libtext-chasen-perl
> 
> Does that mean that the vulnerable code is also present in
> libtext-chasen-perl?

Ah, it means libtext-chasen-perl depends on libchasen2, and it uses the
vulnerable function. But I think it doesn't need to be rebuilt.

> Please prepare updated packages for stable-security.
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
> 
> You need to build the package with "-sa" 

I see. Thank you for the information.




Reply sent to NOKUBI Takatsugu <knok@daionet.gr.jp>:
You have taken responsibility. (Thu, 08 Dec 2011 02:51:04 GMT) (full text, mbox, link).


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Thu, 08 Dec 2011 02:51:04 GMT) (full text, mbox, link).


Message #50 received at 648359-close@bugs.debian.org (full text, mbox, reply):

From: NOKUBI Takatsugu <knok@daionet.gr.jp>
To: 648359-close@bugs.debian.org
Subject: Bug#648359: fixed in chasen 2.4.4-17
Date: Thu, 08 Dec 2011 02:47:32 +0000
Source: chasen
Source-Version: 2.4.4-17

We believe that the bug you reported is fixed in the latest version of
chasen, which is due to be installed in the Debian FTP archive:

chasen-dictutils_2.4.4-17_i386.deb
  to main/c/chasen/chasen-dictutils_2.4.4-17_i386.deb
chasen_2.4.4-17.diff.gz
  to main/c/chasen/chasen_2.4.4-17.diff.gz
chasen_2.4.4-17.dsc
  to main/c/chasen/chasen_2.4.4-17.dsc
chasen_2.4.4-17_i386.deb
  to main/c/chasen/chasen_2.4.4-17_i386.deb
libchasen-dev_2.4.4-17_i386.deb
  to main/c/chasen/libchasen-dev_2.4.4-17_i386.deb
libchasen2_2.4.4-17_i386.deb
  to main/c/chasen/libchasen2_2.4.4-17_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 648359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
NOKUBI Takatsugu <knok@daionet.gr.jp> (supplier of updated chasen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 08 Dec 2011 01:58:33 +0000
Source: chasen
Binary: libchasen-dev libchasen2 chasen chasen-dictutils
Architecture: source i386
Version: 2.4.4-17
Distribution: unstable
Urgency: low
Maintainer: NOKUBI Takatsugu <knok@daionet.gr.jp>
Changed-By: NOKUBI Takatsugu <knok@daionet.gr.jp>
Description: 
 chasen     - Japanese Morphological Analysis System
 chasen-dictutils - Japanese Morphological Analysis System - utilities for dictionary
 libchasen-dev - Japanese Morphological Analysis System (libraries and headers)
 libchasen2 - Japanese Morphological Analysis System (shared libraries)
Closes: 648359
Changes: 
 chasen (2.4.4-17) unstable; urgency=low
 .
   * debian/patches/sparse_main-secfix.dpatch: Added a security patch
     for CVE-2011-4000, closes: #648359





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jan 2012 07:35:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:03:25 2019; Machine Name: beach
