Secunia

Some vulnerabilities have been reported in WordNet, which can potentially be exploited by malicious, local users to gain escalated privileges, and by malicious people to compromise a vulnerable system.

1) Boundary errors exist within the "searchwn()" function in src/wn.c, the "wngrep()" function in lib/search.c, the "morphstr()" and "morphword()" functions in lib/morph.c, and the "getindex()" in lib/search.c. These can be exploited to cause stack-based buffer overflows via overly long strings passed as arguments to the "wn" binary.

Successful exploitation may allow execution of arbitrary code, but requires that the application is accessible e.g. via a web server.

2) Two boundary errors within the "do_init()" function in lib/morph.c can potentially be exploited to cause stack-based buffer overflows via specially crafted "WNSEARCHDIR" or "WNHOME" environment variables.

Successful exploitation may allow execution of arbitrary code with escalated privileges but depends on the application using the library functions.

3) Boundary errors in the "bin_search()" and "bin_search_key()" functions within binsrch.c can be exploited to cause stack-based buffer overflows via specially crafted data files.

4) A boundary error within the "parse_index()" function in lib/search.c can be exploited to cause a heap-based buffer overflow via specially crafted data files.

Successful exploitation of vulnerabilities #3 and #4 may allow execution of arbitrary code, but requires that the application uses specially crafted data files.

5) A format string error within "error_message()" function in src/wn.c can be exploited to potentially execute arbitrary code via a specially crafted string to the "wn" binary.

Successful exploitation requires that the application is accessible e.g. via a web server.

The vulnerabilities are reported in version 3.0. Other versions may also be affected.

Solution
Restrict access to trusted users only.
Further details available in Customer Area

Provided and/or discovered by
1) Reported in a Gentoo bug report by Jukka Ruohonen.
Rob Holland, oCERT Team
2 - 4) Rob Holland, oCERT Team
5) Reported in a RedHat bug report by Petr Pisar.

Changelog
Further details available in Customer Area

Original Advisory
https://bugs.gentoo.org/show_bug.cgi?id=211491

oCERT:
http://www.ocert.org/advisories/ocert-2008-014.html

Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=585206

Deep Links
Links available in Customer Area