There is no POC exploit or testsuite available. There are multiple buffer overflows.
Please note - I removed the debdiff for Gutsy at this stage as I found an actual build error with the package on Gutsy. I will be submitting an SRU to have this fixed, and then will reapply the security fix.

For each release - Intrepid / Hardy / Feisty - the following was tested by building a chroot image using pbuilder and confirming the behaviour of the unpatched version, and then installing the newly built patched .deb file and testing again.

I wrote a simple test:

wordnet `python -c "print 'A'*255"` -synsv

Where 255 is the number of chars to print. 255 should produce no errors. When 255 is increased to 256 the following is produced.

[EMAIL PROTECTED]:~$ wordnet `python -c "print 'A'*256"` -synsv

Synonyms/Hypernyms (Ordered by Estimated Frequency) of verb aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

*** buffer overflow detected ***: wordnet terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ff2388]
/lib/tls/i686/cmov/libc.so.6[0xb7ff04b0]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7fef784]
/usr/lib/libwordnet-3.0.so(morphstr+0x58)[0xb8059108]
wordnet[0x8048b92]
wordnet[0x80492a8]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7f0e685]
wordnet[0x80489c1]
======= Memory map: ========
08048000-0804b000 r-xp 00000000 fe:01 220731 /usr/bin/wn
0804b000-0804c000 r--p 00002000 fe:01 220731 /usr/bin/wn
0804c000-0804d000 rw-p 00003000 fe:01 220731 /usr/bin/wn
086c1000-086e2000 rw-p 086c1000 00:00 0 [heap]
b7ef7000-b7ef8000 rw-p b7ef7000 00:00 0
b7ef8000-b8050000 r-xp 00000000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8050000-b8052000 r--p 00158000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8052000-b8053000 rw-p 0015a000 fe:05 7857 /lib/tls/i686/cmov/libc-2.8.90.so
b8053000-b8056000 rw-p b8053000 00:00 0
b8056000-b8064000 r-xp 00000000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8064000-b8065000 r--p 0000d000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8065000-b8068000 rw-p 0000e000 fe:01 220730 /usr/lib/libwordnet-3.0.so
b8068000-b80a9000 rw-p b8068000 00:00 0
b80ab000-b80b8000 r-xp 00000000 fe:05 7628 /lib/libgcc_s.so.1
b80b8000-b80b9000 r--p 0000c000 fe:05 7628 /lib/libgcc_s.so.1
b80b9000-b80ba000 rw-p 0000d000 fe:05 7628 /lib/libgcc_s.so.1
b80ba000-b80be000 rw-p b80ba000 00:00 0
b80be000-b80bf000 r-xp b80be000 00:00 0 [vdso]
b80bf000-b80d9000 r-xp 00000000 fe:05 26004 /lib/ld-2.8.90.so
b80d9000-b80da000 r--p 0001a000 fe:05 26004 /lib/ld-2.8.90.so
b80da000-b80db000 rw-p 0001b000 fe:05 26004 /lib/ld-2.8.90.so
bfac5000-bfada000 rw-p bffeb000 00:00 0 [stack]
, %sAborted (core dumped)

257 produces:

[EMAIL PROTECTED]:~$ wordnet `python -c "print 'A'*257"` -synsv
Segmentation fault (core dumped)

There were reports also in Debian that some patches broke the -synsn functionality. This was also tested to ensure this regression is not present.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497649

After applying the patches, -synsv and the buffer overflows were not possible using the above test. Output is now:

wordnet `python -c "print 'A'*256"` -synsv
WordNet library error: search term is too long

-- 
[CVE-2008-2149] wordnet 2.0, 2.1, 3 affected by multiple buffer overflows
https://bugs.launchpad.net/bugs/267067

You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
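The boundary behaviour in the report (255 characters accepted, 256 aborting inside morphstr via __strcpy_chk, 257 segfaulting, and "search term is too long" once patched) comes down to whether a length check runs before a copy into a fixed-size buffer. The following C is an added example written for this page; it is not code from the bug report, the Ubuntu patches, or the WordNet sources. It shows the unchecked copy pattern beside a checked one and sweeps the same 255/256/257 lengths in-process. The 256-byte buffer size, and the function names copy_term_unchecked, copy_term_checked and term_accepted, are assumptions chosen to mirror the observed boundary, not WordNet's real constants or API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size. 256 is chosen to mirror the boundary in the
 * report (255 chars fine, 256 aborts); it is NOT WordNet's actual constant. */
#define WORDBUF 256

/* The unchecked pattern behind a "*** buffer overflow detected ***" abort:
 * strcpy trusts the caller's string length. Hypothetical code shown for
 * contrast only; main() never passes it an oversize term. */
void copy_term_unchecked(char *dst, const char *src) {
    strcpy(dst, src);          /* writes strlen(src)+1 bytes regardless of WORDBUF */
}

/* Hardened pattern matching the patched behaviour the report shows
 * ("WordNet library error: search term is too long"): measure first, refuse
 * anything that does not fit together with its terminating NUL, copy only
 * then. Returns 0 on success, -1 if rejected; dst is untouched on rejection. */
int copy_term_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) {
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 <= dstsz, so this cannot overrun */
    return 0;
}

/* Reproduces the report's boundary sweep in-process: does a term of `len`
 * 'A' characters fit in a WORDBUF-sized buffer? 1 = accepted, 0 = rejected. */
int term_accepted(size_t len) {
    char buf[WORDBUF];
    char *term = malloc(len + 1);
    if (term == NULL) {
        return 0;
    }
    memset(term, 'A', len);    /* constructed input, like the python -c one-liner */
    term[len] = '\0';
    int rc = copy_term_checked(buf, sizeof buf, term);
    free(term);
    return rc == 0;
}

/* Self-check: an oversize term must be rejected without modifying dst. */
int rejection_leaves_dst_intact(void) {
    char d[4] = "xyz";
    int rc = copy_term_checked(d, sizeof d, "abcd");   /* 4 chars + NUL > 4 */
    return rc == -1 && strcmp(d, "xyz") == 0;
}

int main(void) {
    const size_t lens[] = { 255, 256, 257 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%zu chars: %s\n", lens[i],
               term_accepted(lens[i]) ? "accepted"
                                      : "rejected: search term is too long");
    }

    /* The unchecked copy is fine at 255 chars; at 256 it would overrun buf,
     * which is exactly the case the checked version refuses. */
    char buf[WORDBUF];
    char ok[WORDBUF];
    memset(ok, 'A', WORDBUF - 1);
    ok[WORDBUF - 1] = '\0';
    copy_term_unchecked(buf, ok);
    printf("unchecked copy of %zu chars stored %zu bytes\n",
           strlen(ok), strlen(buf));
    return 0;
}
```

The off-by-one in the check matters: a 256-byte buffer holds 255 characters plus the NUL, so the test is `n >= dstsz`, not `n > dstsz`. Rejecting before copying (rather than truncating) also keeps the error path explicit, which is what the patched library's message reflects.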
