On Wed, 14 May 2008, Steffen Joeris wrote:
CVE-2008-2149:
Stack-based buffer overflow in the searchwn function in Wordnet 2.0,
2.1, and 3.0 might allow context-dependent attackers to execute
arbitrary code via a long command line option. NOTE: this issue probably
does not cross privilege boundaries except in cases in which Wordnet is
used as a back end.
More information can be found in the Gentoo bug report(1).
As stated in the Gentoo BTS
https://bugs.gentoo.org/show_bug.cgi?id=211491
there are potentially more issues of other sprintf()/strcpy()/strcat()/...
occurrences. So I wonder if you accept the attached patch as a fix for
the problem. It actually cures the long command line option problem but
not more.
Kind regards
Andreas.
--
http://fam-tille.de

--- wordnet-3.0.orig/src/wn.c
+++ wordnet-3.0/src/wn.c
@@ -206,7 +206,8 @@
outsenses += do_search(av[1], optptr->pos, optptr->search,
whichsense, optptr->label);
} else {
- sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
+ /* Fix CVE-2008-2149: buffer overflows Andreas Tille <[EMAIL PROTECTED]> */
+ sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
display_message(tmpbuf);
errcount++;
}
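Review bot: The `%.200s` precision on the `+` line bounds only the copied argument, not the write into `tmpbuf`, so the fix is correct only if `tmpbuf` (declared outside this hunk) holds at least 200 bytes plus the 28 bytes of fixed text plus the NUL; please confirm that size in the commit, or use `snprintf(tmpbuf, sizeof tmpbuf, "wn: invalid search option: %s\n", av[j]);`, which is bounded by the real buffer whatever the format string says and needs no magic number. Also, the address in the added comment reads `[EMAIL PROTECTED]`, a mailing-list mangling that should be replaced with the real address before the patch is applied. As the cover mail says, the other sprintf()/strcpy()/strcat() sites the Gentoo bug lists are not touched by this hunk.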
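To show the buffer-bounded form of the fix the note above asks for, here is an added example that is not part of the patch or of WordNet's own code. It assumes a hypothetical buffer size (TMPBUF_SIZE, since the patch does not show how large tmpbuf is) and a constructed over-long command-line argument; the function reports whether the message was truncated so the caller can tell that an argument was cut rather than silently losing it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; the real size of tmpbuf in wn.c is not shown
 * in the patch, so this is an assumption for the example. */
#define TMPBUF_SIZE 256

/* Format the "invalid search option" message into a fixed-size buffer.
 * snprintf() never writes more than dstsz bytes and always NUL-terminates
 * when dstsz > 0, regardless of how long opt is.
 * Returns 0 when the whole message fit, 1 when it had to be truncated,
 * and -1 on a bad argument or formatting error. */
int format_invalid_option(char *dst, size_t dstsz, const char *opt)
{
    if (dst == NULL || dstsz == 0 || opt == NULL)
        return -1;
    int n = snprintf(dst, dstsz, "wn: invalid search option: %s\n", opt);
    if (n < 0)
        return -1;
    /* snprintf returns the length the full message would have had;
     * a value >= dstsz means the output was cut to fit. */
    return (size_t)n >= dstsz ? 1 : 0;
}

/* Run the formatter on a constructed 999-byte argument, the kind of input
 * that overflowed the original unbounded sprintf(). Returns the truncation
 * status so the outcome can be checked rather than only printed. */
int demo(void)
{
    char tmpbuf[TMPBUF_SIZE];
    char longopt[1000];
    memset(longopt, 'A', sizeof longopt - 1);   /* constructed input */
    longopt[sizeof longopt - 1] = '\0';

    int rc = format_invalid_option(tmpbuf, sizeof tmpbuf, longopt);
    printf("rc=%d len=%zu\n", rc, strlen(tmpbuf));
    return rc;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The size passed to snprintf() is `sizeof tmpbuf`, so the bound follows the buffer declaration automatically; a `%.200s` precision, by contrast, has to be kept in step with the buffer size by hand.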