WordNet contains multiple overflow conditions in the wn component. The issue is due to the 'searchwn()' function in src/wn.c, the 'wngrep()' function in lib/search.c, the 'morphstr()' and 'morphword()' functions in lib/morph.c, and the 'getindex()' in lib/search.c not validating user-supplied input. With a specially crafted request containing an overly long string, a context-dependent attacker can cause a buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.

Multiple vendors have released an upgrade to address this vulnerability. Check the vendor advisory, changelog, or solution in the references section for details.

• CVE ID: 2008-2149 (see also: NVD)
• Secunia Advisory ID: 30242 31654 32184
• Other Advisory URL: http://lists.debian.org/debian-security-announce/2008/msg00223.html
• Vendor URL: http://wordnet.princeton.edu/
• Vendor Specific Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200810-01.xml
• Vendor Specific News/Changelog Entry: https://bugs.gentoo.org/show_bug.cgi?id=211491

• Jukka Ruohonen