Your message dated Mon, 12 Nov 2007 12:02:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#450695: fixed in link-grammar 4.2.5-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: link-grammar
Version: 4.2.2-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for link-grammar.

CVE-2007-5395[0]:
| Stack-based buffer overflow in the separate_word function in
| tokenize.c in Link Grammar 4.1b and possibly other versions, as used
| in AbiWord Link Grammar 4.2.4, allows remote attackers to execute
| arbitrary code via a long word, as reachable through the
| separate_sentence function.

A patch for this extracted from upstream CVS is attached.
This is the cvs log for this fix:

RCS file: /cvsroot/link-grammar/link-grammar/tokenize.c,v
Working file: tokenize.c
head: 1.4
branch:
locks: strict
access list:
symbolic names:
	link-grammar-4-2-4: 1.3
	release-4-2-2: 1.2
	release-4-2-1: 1.2
	release-4-1-3: 1.1.1.1
	release-4-1-1: 1.1.1.1
	begin: 1.1.1.1
	start: 1.1.1
keyword substitution: kv
total revisions: 5;	selected revisions: 1
description:
----------------------------
revision 1.4
date: 2007/10/27 19:03:40;  author: dom;  state: Exp;  lines: +15 -14
Secunia advisory SA27340 and CVE identifier CVE-2007-5395.
The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

If you fix this vulnerability please also include the CVE id in your
changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5395

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u -r1.3 -r1.4
--- link-grammar/tokenize.c	16 Aug 2006 17:07:02 -0000	1.3
+++ link-grammar/tokenize.c	27 Oct 2007 19:03:40 -0000	1.4
@@ -172,7 +172,8 @@ used in a sentence. */ - +#undef MIN +#define MIN(a, b) (((a) < (b)) ? (a) : (b)) static int separate_word(Sentence sent, char *w, char *wend, int is_first_word, int quote_found) { /* w points to a string, wend points to the char one after the end. The @@ -256,8 +257,8 @@ for (n_r_stripped = 0; n_r_stripped < MAX_STRIP; n_r_stripped++) { - strncpy(word, w, wend-w); - word[wend-w] = '\0'; + strncpy(word, w, MIN(wend-w, MAX_WORD)); + word[MIN(wend-w, MAX_WORD)] = '\0'; if (wend == w) break; /* it will work without this */ if (boolean_dictionary_lookup(sent->dict, word) || is_initials_word(word)) break; @@ -285,8 +286,8 @@ /* Now we strip off suffixes...w points to the remaining word, "wend" to the end of the word. */ s_stripped = -1; - strncpy(word, w, wend-w); - word[wend-w] = '\0'; + strncpy(word, w, MIN(wend-w, MAX_WORD)); + word[MIN(wend-w, MAX_WORD)] = '\0'; word_is_in_dict=0; if (boolean_dictionary_lookup(sent->dict, word) || is_initials_word(word)) word_is_in_dict=1; @@ -309,16 +310,16 @@ if(s_ok==1 || i==s_strippable) { - strncpy(newword, w, (wend-len)-w); - newword[(wend-len)-w] = '\0'; + strncpy(newword, w, MIN((wend-len)-w, MAX_WORD)); + newword[MIN((wend-len)-w, MAX_WORD)] = '\0'; /* Check if the remainder is in the dictionary; for the no-suffix case, it won't be */ if (boolean_dictionary_lookup(sent->dict, newword)) { if(verbosity>1) if(i< s_strippable) printf("Splitting word into two: %s-%s\n", newword, suffix[i]); s_stripped = i; wend -= len; - strncpy(word, w, wend-w); - word[wend-w] = '\0'; + strncpy(word, w, MIN(wend-w, MAX_WORD)); + word[MIN(wend-w, MAX_WORD)] = '\0'; break; } 
@@ -326,17 +327,17 @@ else { for (j=0; j<p_strippable; j++) { if (strncmp(w, prefix[j], strlen(prefix[j])) == 0) { - strncpy(newword, w+strlen(prefix[j]), (wend-len)-(w+strlen(prefix[j]))); - newword[(wend-len)-(w+strlen(prefix[j]))]='\0'; + strncpy(newword, w+strlen(prefix[j]), MIN((wend-len)-(w+strlen(prefix[j])), MAX_WORD)); + newword[MIN((wend-len)-(w+strlen(prefix[j])), MAX_WORD)]='\0'; if(boolean_dictionary_lookup(sent->dict, newword)) { if(verbosity>1) if(i < s_strippable) printf("Splitting word into three: %s-%s-%s\n", prefix[j], newword, suffix[i]); if (!issue_sentence_word(sent, prefix[j])) return FALSE; if(i < s_strippable) s_stripped = i; wend -= len; w += strlen(prefix[j]); - strncpy(word, w, wend-w); - word[wend-w] = '\0'; - break; + strncpy(word, w, MIN(wend-w, MAX_WORD)); + word[MIN(wend-w, MAX_WORD)] = '\0'; + break; } } }
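Review bot: the new `#undef MIN` / `#define MIN(a, b) (((a) < (b)) ? (a) : (b))` in the first hunk (@@ -172,7) evaluates both arguments twice; the call sites in this patch only pass pointer differences and MAX_WORD, so that is safe here, but a comment saying so, or a small static helper that does the bounded strncpy plus terminator, would stop a later caller from passing an expression with side effects. The hunk also drops an unrelated blank line (the lone `-` above the macro), which is noise in a security fix.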
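Review bot: in the @@ -256,8 hunk the bounded copy inside `for (n_r_stripped = 0; ...)` stores its terminator at `word[MIN(wend-w, MAX_WORD)]`, so it is in bounds only if `word` is declared with MAX_WORD+1 elements; the hunk does not show the declaration, please confirm it (the same applies to `newword` in the later hunks). Note also that an overlong word is now silently clipped to its first MAX_WORD bytes before `boolean_dictionary_lookup(sent->dict, word)`, so a token can match a dictionary entry that is merely its prefix; checking `wend-w > MAX_WORD` once near the top of separate_word() and treating such a word as unknown would avoid both the repetition and the false match.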
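Review bot: in the @@ -309,16 hunk, inside `if(s_ok==1 || i==s_strippable)`, the copy length becomes `MIN((wend-len)-w, MAX_WORD)`, which caps only the upper end; if `len` can ever exceed `wend-w` the result is negative and, after conversion to size_t for strncpy, enormous. The visible lines do not show where len is bounded by the word length, so please confirm that the suffix match guarantees `len <= wend-w` before this point, or clamp the lower end to 0 as well.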
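Review bot: the @@ -326,17 hunk is the sixth copy of the `strncpy(..., MIN(..., MAX_WORD)); ...[MIN(..., MAX_WORD)] = '\0';` pair in one function, and here the prefix case subtracts `strlen(prefix[j])` as well as `len` with no lower bound on the result. A single helper that copies [w, wend) clamped to [0, MAX_WORD] and terminates would replace all six sites and put the length guard in one reviewable place. The re-indented `break;` (`- break;` / `+ break;`) is a whitespace-only change that adds diff noise.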
--- End Message ---
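The CVE entry and the CVS log above describe the defect as copying `wend-w` bytes into a fixed-size stack buffer with no upper bound. The C below is an added example, not link-grammar code: it models that copy step with the MIN() bound from revision 1.4 beside a check for when the unbounded form would have overflowed, plus a small sentence walker in the style of separate_sentence(), assuming MAX_WORD = 60 (buffers of 61 bytes, matching the advisory's figure) and using a constructed sample sentence.

```c
#include <stddef.h>
#include <string.h>
/* Assumed to match link-grammar: word buffers are char[MAX_WORD + 1], so a
 * word over 61 bytes (NUL included) overran them, as the advisory says. */
#define MAX_WORD 60
#undef MIN
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Unfixed pattern: strncpy(word, w, wend-w); word[wend-w] = '\0';
 * Returns 1 when that NUL store lands past index MAX_WORD (the overflow). */
int unbounded_copy_overflows(const char *w, const char *wend) {
    return (wend - w) > MAX_WORD;
}

/* Fixed pattern from tokenize.c revision 1.4: copy at most MAX_WORD bytes and
 * terminate at MIN(len, MAX_WORD). Returns 1 if the word was clipped, so a
 * caller can refuse to trust a dictionary hit on a mere prefix. */
int copy_word_bounded(char word[MAX_WORD + 1], const char *w, const char *wend) {
    ptrdiff_t len = wend - w;
    ptrdiff_t n = MIN(len, (ptrdiff_t)MAX_WORD);
    strncpy(word, w, (size_t)n);
    word[n] = '\0';
    return len > MAX_WORD;
}

/* Stored length after a bounded copy of [w, wend): never above MAX_WORD. */
int bounded_copy_length(const char *w, const char *wend) {
    char word[MAX_WORD + 1];
    copy_word_bounded(word, w, wend);
    return (int)strlen(word);
}

/* Splits on spaces the way separate_sentence() hands each [w, wend) span to
 * separate_word(); returns how many words were clipped (overflows under 1.3). */
int count_clipped_words(const char *sentence) {
    char word[MAX_WORD + 1];
    int clipped = 0;
    for (const char *w = sentence; *w; ) {
        const char *wend;
        while (*w == ' ') w++;
        if (!*w) break;
        for (wend = w; *wend && *wend != ' '; wend++) ;
        clipped += copy_word_bounded(word, w, wend);
        w = wend;
    }
    return clipped;
}

/* Constructed sample: the second token is 70 'x' bytes, over MAX_WORD. */
static const char sample_sentence[] = "a " "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx"
    "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" " word";
```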
--- Begin Message ---
Source: link-grammar
Source-Version: 4.2.5-1

We believe that the bug you reported is fixed in the latest version of
link-grammar, which is due to be installed in the Debian FTP archive:

liblink-grammar4-dev_4.2.5-1_i386.deb
  to pool/main/l/link-grammar/liblink-grammar4-dev_4.2.5-1_i386.deb
liblink-grammar4_4.2.5-1_i386.deb
  to pool/main/l/link-grammar/liblink-grammar4_4.2.5-1_i386.deb
link-grammar-dictionaries-en_4.2.5-1_all.deb
  to pool/main/l/link-grammar/link-grammar-dictionaries-en_4.2.5-1_all.deb
link-grammar_4.2.5-1.diff.gz
  to pool/main/l/link-grammar/link-grammar_4.2.5-1.diff.gz
link-grammar_4.2.5-1.dsc
  to pool/main/l/link-grammar/link-grammar_4.2.5-1.dsc
link-grammar_4.2.5-1_i386.deb
  to pool/main/l/link-grammar/link-grammar_4.2.5-1_i386.deb
link-grammar_4.2.5.orig.tar.gz
  to pool/main/l/link-grammar/link-grammar_4.2.5.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ken Bloom <[EMAIL PROTECTED]> (supplier of updated link-grammar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Fri, 09 Nov 2007 14:19:10 -0600
Source: link-grammar
Binary: link-grammar-dictionaries-en liblink-grammar4 liblink-grammar4-dev link-grammar
Architecture: source all i386
Version: 4.2.5-1
Distribution: unstable
Urgency: high
Maintainer: Ken Bloom <[EMAIL PROTECTED]>
Changed-By: Ken Bloom <[EMAIL PROTECTED]>
Description:
 liblink-grammar4 - Carnegie Mellon University's link grammar parser for English
 liblink-grammar4-dev - Carnegie Mellon University's link grammar parser for English
 link-grammar - Carnegie Mellon University's link grammar parser for English
 link-grammar-dictionaries-en - Carnegie Mellon University's link grammar parser for English
Closes: 450695
Changes:
 link-grammar (4.2.5-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes boundary in separate_word() function. CVE-2007-5395 and
       Secunia advisory SA27340 (Closes: #450695)
     - Adds new API for extracting constituents.
   * Removed all local patches as they've all been accepted upstream.
--- End Message ---

