Bug 712863
| Summary: | Libvoikko Java/Python interfaces improper input validation |
|---|---|
| Product: | [Other] Security Response |
| Component: | vulnerability |
| Status: | CLOSED WONTFIX |
| Severity: | low |
| Priority: | low |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Reporter: | Jan Lieskovsky <jlieskov> |
| Assignee: | Red Hat Product Security <security-response-team> |
| CC: | eng-i18n-bugs, petersen, rcvalle, vpvainio |
| Keywords: | Security |
| Doc Type: | Bug Fix |
| Last Closed: | 2011-09-22 12:53:51 UTC |
| Bug Blocks: | 712872 |

Description
Jan Lieskovsky
2011-06-13 12:14:42 UTC
This issue affects the version of the libvoikko package, as shipped with Red Hat Enterprise Linux 6.

--

This issue is scheduled to be updated in the following libvoikko package updates for Fedora:

1) libvoikko-2.3.1-2.fc13 for Fedora-13,
2) libvoikko-3.0-3.fc14 for Fedora-14 and
3) libvoikko-3.2.1-1.fc15 for Fedora-15.

CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/06/13/3

Do we really want to call this security? Client app crash-only bugs are not considered security.

This bug seems to be triggered by inputs processed via Python and Java bindings. Fedora only seems to provide Python bindings (python-libvoikko), which do not seem to be used by any other package.

Created attachment 511658
Test case
This minimal python test case extracts tests added to upstream test suite in the commits referenced above. It does not crash voikko 2.2.2, 3.0, and 3.2 (from RHEL6 and Fedora). So it's still unclear what the underlying issue may be.
Upstream post does not seem to provide much extra detail:
http://lists.puimula.org/pipermail/libvoikko/2011-May/000296.html

I've not found a test case that actually triggers crash. Ville-Pekka, do you possibly know more?

(In reply to comment #5)
> Upstream post does not seem to provide much extra detail:
> http://lists.puimula.org/pipermail/libvoikko/2011-May/000296.html
>
> I've not found a test case that actually triggers crash. Ville-Pekka, do you
> possibly know more?

In that post the lead developer writes: "Previously such characters could lead to erratic results or, in Java, infinite loops."

It seems the possible DoS can only happen when using the Java interface which has never been shipped in Fedora or, to my knowledge, RHEL. Maybe this doesn't actually qualify as a security update after all?

The wording of that mail suggests Python bindings are (potentially?) affected too.

Looking at upstream patches, it seems that the possible denial of service condition due to an infinite loop is possible both in Java and Python code. However, in Red Hat Enterprise Linux 6, the python-libvoikko also does not seem to be required by any other package shipped with it. I'm closing this bug as WONTFIX.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.