Bug 712863 - Libvoikko Java/Python interfaces improper input validation
Summary: Libvoikko Java/Python interfaces improper input validation
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 712872
Reported: 2011-06-13 12:14 UTC by Jan Lieskovsky
Modified: 2021-02-24 15:16 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-09-22 12:53:51 UTC
Embargoed:


Attachments
Test case (1.12 KB, text/plain)
2011-07-07 09:49 UTC, Tomas Hoger

Description Jan Lieskovsky 2011-06-13 12:14:42 UTC
A denial of service flaw was found in the way Python and Java interfaces of
libvoikko, a library for spellcheckers and hyphenators, processed embedded
null characters in input strings. If a specially-crafted input string was
provided to an application linked against libvoikko, it could lead to that
particular application termination.

References:
[1] http://voikko.sourceforge.net/releases.html

Upstream patches:
[2] http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3901
[3] http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3902
[4] http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3903

Comment 1 Jan Lieskovsky 2011-06-13 12:26:40 UTC
This issue affects the version of the libvoikko package, as shipped
with Red Hat Enterprise Linux 6.

--

This issue is scheduled to be updated in the following libvoikko package
updates for Fedora:
1) libvoikko-2.3.1-2.fc13 for Fedora-13,
2) libvoikko-3.0-3.fc14 for Fedora-14 and
3) libvoikko-3.2.1-1.fc15 for Fedora-15.

Comment 2 Jan Lieskovsky 2011-06-13 12:31:58 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/06/13/3

Comment 3 Tomas Hoger 2011-06-14 10:47:29 UTC
Do we really want to call this security?  Client app crash-only bugs are not considered security.  This bug seems to be triggered by inputs processed via Python and Java bindings.  Fedora only seems to provide Python bindings (python-libvoikko), which does not seem to be used by any other package.

Comment 4 Tomas Hoger 2011-07-07 09:49:45 UTC
Created attachment 511658
Test case

This minimal python test case extracts tests added to upstream test suite in the commits referenced above.  It does not crash voikko 2.2.2, 3.0, and 3.2 (from RHEL6 and Fedora).  So it's still unclear what the underlying issue may be.

Comment 5 Tomas Hoger 2011-07-07 09:54:26 UTC
Upstream post does not seem to provide much extra detail:
http://lists.puimula.org/pipermail/libvoikko/2011-May/000296.html

I've not found a test case that actually triggers crash.  Ville-Pekka, do you possibly know more?

Comment 6 Ville-Pekka Vainio 2011-07-07 19:07:51 UTC
(In reply to comment #5)
> Upstream post does not seem to provide much extra detail:
> http://lists.puimula.org/pipermail/libvoikko/2011-May/000296.html
> 
> I've not found a test case that actually triggers crash.  Ville-Pekka, do you
> possibly know more?

In that post the lead developer writes: "Previously such characters could lead to erratic results or, in Java, infinite loops." It seems the possible DoS can only happen when using the Java interface which has never been shipped in Fedora or, to my knowledge, RHEL. Maybe this doesn't actually qualify as a security update after all?

Comment 7 Tomas Hoger 2011-07-08 07:23:38 UTC
The wording of that mail suggests python bindings are (potentially?) affected too.

Comment 8 Ramon de C Valle 2011-09-22 12:53:51 UTC
Looking at the upstream patches, it seems that the possible denial of service condition due to an infinite loop is possible in both the Java and Python code. However, in Red Hat Enterprise Linux 6, python-libvoikko also does not seem to be required by any other package shipped with it. I'm closing this bug as WONTFIX.
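
An added illustration, not part of the bug report and not libvoikko or upstream code: how an embedded null character can stall a Python binding loop that tracks position by the Python-side length while a NUL-terminated C API stops at the first NUL, and a pre-call check that rejects such input. The tokenizer `c_next_token_len` and both wrappers are hypothetical stand-ins; the report does not state libvoikko's actual failure path.

```python
import ctypes


def c_side_view(text: str) -> bytes:
    """What a NUL-terminated C API sees of `text` after UTF-8 encoding."""
    return ctypes.c_char_p(text.encode("utf-8")).value


def c_next_token_len(buf: bytes) -> int:
    """Hypothetical C tokenizer: length of the next token (a single space or
    a run of non-space bytes) in a NUL-terminated buffer; 0 at end of string."""
    seen = ctypes.c_char_p(buf).value      # C view: stops at the first NUL
    if not seen:
        return 0
    if seen[:1] == b" ":
        return 1
    end = seen.find(b" ")
    return len(seen) if end == -1 else end


def naive_tokens(text: str, max_steps: int = 1000):
    """Binding loop that trusts the Python-side length.
    Returns (tokens, stalled); max_steps stands in for 'runs forever'."""
    data = text.encode("utf-8")
    pos, tokens = 0, []
    for _ in range(max_steps):
        if pos >= len(data):
            return tokens, False
        n = c_next_token_len(data[pos:])
        tokens.append(data[pos:pos + n])
        pos += n                           # n == 0 at an embedded NUL: no progress
    return tokens, True


def checked_tokens(text: str):
    """Same loop, but input with embedded NULs is rejected before the C call."""
    if "\0" in text:
        raise ValueError("embedded null character in input")
    tokens, stalled = naive_tokens(text)
    if stalled:
        raise RuntimeError("tokenizer made no progress")
    return tokens


if __name__ == "__main__":
    sample = "kissa\0koira"                # constructed sample input
    print(c_side_view(sample))             # the C side sees only the first word
    print(naive_tokens(sample, max_steps=20)[1])
```
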

Comment 9 Ramon de C Valle 2011-10-05 21:51:39 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.