Debian Bug report logs - #450695
CVE-2007-5395 arbitrary code execution via crafted file

Package: link-grammar; Maintainer for link-grammar is Ken Bloom <kbloom@gmail.com>; Source for link-grammar is src:link-grammar.

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 9 Nov 2007 10:18:01 UTC

Severity: grave

Tags: patch, security

Found in version link-grammar/4.2.2-1

Fixed in versions link-grammar/4.2.5-1, link-grammar/4.2.2-4etch1

Done: Ken Bloom <kbloom@gmail.com>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Ken Bloom <kbloom@gmail.com>:
Bug#450695; Package link-grammar. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Ken Bloom <kbloom@gmail.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-5395 arbitrary code execution via crafted file
Date: Fri, 9 Nov 2007 11:15:34 +0100
[Message part 1 (text/plain, inline)]
Package: link-grammar
Version: 4.2.2-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for link-grammar.

CVE-2007-5395[0]:
| Stack-based buffer overflow in the separate_word function in
| tokenize.c in Link Grammar 4.1b and possibly other versions, as used
| in AbiWord Link Grammar 4.2.4, allows remote attackers to execute
| arbitrary code via a long word, as reachable through the
| separate_sentence function.

A patch for this extracted from upstream CVS is attached.
This is the cvs log for this fix:
RCS file: /cvsroot/link-grammar/link-grammar/tokenize.c,v
Working file: tokenize.c
head: 1.4
branch:
locks: strict
access list:
symbolic names:
    link-grammar-4-2-4: 1.3
    release-4-2-2: 1.2
    release-4-2-1: 1.2
    release-4-1-3: 1.1.1.1
    release-4-1-1: 1.1.1.1
    begin: 1.1.1.1
    start: 1.1.1
keyword substitution: kv
total revisions: 5; selected revisions: 1
description:
----------------------------
revision 1.4
date: 2007/10/27 19:03:40;  author: dom;  state: Exp;  lines: +15 -14
Secunia advisory SA27340 and CVE identifier CVE-2007-5395.

The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5395

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2007-5395.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
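The boundary error described in the report is the classic pattern of a fixed-size stack buffer receiving a word whose length was never checked. As an added example, not code from the link-grammar project or from the patch attached to this bug, the tokenizer below copies each word only after confirming it fits and fails closed on anything longer. The MAX_WORD value (61 bytes, taken from the advisory's threshold), the function names and the sample sentences are assumptions for illustration.

```c
/* Added example: a fail-closed word tokenizer. The names and the MAX_WORD
 * limit are assumptions for illustration, not link-grammar's own code. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_WORD 61   /* assumed: longest word accepted, from the advisory's "over 61 bytes" */

/* Copy a word of n bytes into dst (capacity dst_size) with a NUL terminator.
 * Returns 0 on success, -1 if the word would not fit; nothing is written
 * to dst in the failure case. */
static int copy_word_bounded(char *dst, size_t dst_size,
                             const char *src, size_t n)
{
    if (n >= dst_size)
        return -1;            /* refuse instead of overflowing the buffer */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split sentence on whitespace into words[], each at most MAX_WORD bytes.
 * Returns 0 and sets *count on success; returns -1 (with *count set to the
 * words accepted so far) if a word is too long or words[] is full. */
int tokenize_bounded(const char *sentence, char words[][MAX_WORD + 1],
                     size_t max_words, size_t *count)
{
    size_t n = 0;
    const char *p = sentence;

    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;                      /* skip separators */
        if (!*p)
            break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;                      /* scan to the end of the word */
        size_t len = (size_t)(p - start);
        if (n >= max_words ||
            copy_word_bounded(words[n], MAX_WORD + 1, start, len) != 0) {
            *count = n;
            return -1;                /* fail closed: reject the whole sentence */
        }
        n++;
    }
    *count = n;
    return 0;
}
```

A rejected sentence is the point at which a caller should log the offending input length for detection rather than silently truncating the word.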

Reply sent to Ken Bloom <kbloom@gmail.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 450695-close@bugs.debian.org (full text, mbox):

From: Ken Bloom <kbloom@gmail.com>
To: 450695-close@bugs.debian.org
Subject: Bug#450695: fixed in link-grammar 4.2.5-1
Date: Mon, 12 Nov 2007 12:02:02 +0000
Source: link-grammar
Source-Version: 4.2.5-1

We believe that the bug you reported is fixed in the latest version of
link-grammar, which is due to be installed in the Debian FTP archive:

liblink-grammar4-dev_4.2.5-1_i386.deb
  to pool/main/l/link-grammar/liblink-grammar4-dev_4.2.5-1_i386.deb
liblink-grammar4_4.2.5-1_i386.deb
  to pool/main/l/link-grammar/liblink-grammar4_4.2.5-1_i386.deb
link-grammar-dictionaries-en_4.2.5-1_all.deb
  to pool/main/l/link-grammar/link-grammar-dictionaries-en_4.2.5-1_all.deb
link-grammar_4.2.5-1.diff.gz
  to pool/main/l/link-grammar/link-grammar_4.2.5-1.diff.gz
link-grammar_4.2.5-1.dsc
  to pool/main/l/link-grammar/link-grammar_4.2.5-1.dsc
link-grammar_4.2.5-1_i386.deb
  to pool/main/l/link-grammar/link-grammar_4.2.5-1_i386.deb
link-grammar_4.2.5.orig.tar.gz
  to pool/main/l/link-grammar/link-grammar_4.2.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 450695@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ken Bloom <kbloom@gmail.com> (supplier of updated link-grammar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 09 Nov 2007 14:19:10 -0600
Source: link-grammar
Binary: link-grammar-dictionaries-en liblink-grammar4 liblink-grammar4-dev link-grammar
Architecture: source all i386
Version: 4.2.5-1
Distribution: unstable
Urgency: high
Maintainer: Ken Bloom <kbloom@gmail.com>
Changed-By: Ken Bloom <kbloom@gmail.com>
Description: 
 liblink-grammar4 - Carnegie Mellon University's link grammar parser for English
 liblink-grammar4-dev - Carnegie Mellon University's link grammar parser for English
 link-grammar - Carnegie Mellon University's link grammar parser for English
 link-grammar-dictionaries-en - Carnegie Mellon University's link grammar parser for English
Closes: 450695
Changes: 
 link-grammar (4.2.5-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes boundary in separate_word() function.
       CVE-2007-5395 and Secunia advisory SA27340
       (Closes: #450695)
     - Adds new API for extracting constituents.
   * Removed all local patches as they've all been accepted upstream.
Files: 
 03d32d1896af20e6840c1c41d046c235 702 text optional link-grammar_4.2.5-1.dsc
 302fa0cad0fa5b2aab126549553ad3f4 756081 text optional link-grammar_4.2.5.orig.tar.gz
 cc08d5a1ddce782b90f08fa00fb77361 5702 text optional link-grammar_4.2.5-1.diff.gz
 c00c1aec62ab847ad3dbb448ff9fb977 269168 text optional link-grammar-dictionaries-en_4.2.5-1_all.deb
 bcc0066e8d1e89aadbd0b9d28623ebe3 15474 text optional link-grammar_4.2.5-1_i386.deb
 6348db72fe3ffd9fd919d3a73e485377 88966 libs optional liblink-grammar4_4.2.5-1_i386.deb
 c100cde8fdcd0ffba34c238cfc50049d 108998 libdevel optional liblink-grammar4-dev_4.2.5-1_i386.deb


Bug marked as fixed in version 4.2.2-4etch1, send any further explanations to Nico Golde <nion@debian.org> Request was from Ken Bloom <kbloom@gmail.com> to control@bugs.debian.org. (Mon, 14 Jul 2008 17:30:03 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Aug 2008 07:34:13 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 02:08:09 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.