WordNet contains an overflow condition in the handling of data files. The issue is due to the 'bin_search()' and 'bin_search_key()' functions in binsrch.c not validating user-supplied input. With a specially crafted data file, a context-dependent attacker can cause a buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.

The vendor has deceased further development of WordNet. However, Rob Holland from oCert has released an unofficial patch and multiple Linux vendors have released an upgrade to address this vulnerability. Check the oCert advisory in the references section for details.

As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.

• CVE ID: 2008-3908 (see also: NVD)
• Bugtraq ID: 30958
• Secunia Advisory ID: 32184
• ISS X-Force ID: 44848 44849 44850 44851
• Related OSVDB ID: 48476 48477 48478 48479
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2008-09/0006.html
  http://www.securityfocus.com/archive/1/archive/1/495883/100/0/threaded
• Other Advisory URL: http://securityreason.com/securityalert/4217
  http://www.ocert.org/advisories/ocert-2008-014.html
  http://www.ocert.org/analysis/2008-014/analysis.txt
• Vendor URL: http://wordnet.princeton.edu/
• Vendor Specific Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200810-01.xml
• Vendor Specific Solution URL: http://www.gentoo.org/security/en/glsa/glsa-200810-01.xml
• Other Solution URL: http://www.ocert.org/analysis/2008-014/wordnet.patch

• Rob Holland - oCERT