Package: ispell
Version: 3.4.02
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

there are potential buffer overflow vulnerabilities in ispell.

In tree.c:163, the program reads the value of 'h' from an environment variable.
Then at line 219 and 278, it is used to sprintf with no length check.
Since the size of 'personaldict' is fixed, it may cause buffer overflow which 
leads to buggy behavior.

--------------------------------------------------
163 if ((h = getenv (HOME)) == NULL)
...
219 (void) sprintf (personaldict, "%s/%s%s", h == NULL ? "" : h,
220     DEFPDICT, LibDict);
...
278 (void) sprintf (personaldict, "%s/%s", h, p);
--------------------------------------------------


Similar issues appear in ispell.c

--------------------------------------------------
295 p = getenv (DICTIONARYVAR);
296 if (p != NULL)
297 {
298   if (last_slash (p) != NULL)
299     (void) strcpy (hashname, p);
300   else
301     (void) sprintf (hashname, "%s/%s", libdir, p);
--------------------------------------------------
1013 (void) sprintf (logfilename, "%s/%s/%s",
1014     getenv ("HOME") == NULL ? "" : getenv ("HOME"),
1015     DEFLOGDIR, LibDict);
--------------------------------------------------

Thank you.

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages ispell depends on:
ii  libc6      2.31-13
ii  libtinfo6  6.2+20201114-2

Versions of packages ispell recommends:
pn  iamerican | ispell-dictionary  <none>
pn  wamerican | wordlist           <none>

Versions of packages ispell suggests:
pn  spell  <none>
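The following is an added example, not ispell's code: it shows the bounded form of the tree.c:219 pattern quoted above (snprintf with its return value checked, so a long HOME is refused instead of written past the end of the fixed-size buffer), plus a helper that computes how many bytes the unchecked sprintf would write. The buffer size and the DEFPDICT/LibDict values are assumptions chosen for the demonstration and are not ispell's real values.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Assumed values for the demo; ispell's real buffer size and macros differ. */
#define PERSONALDICT_SZ 64
#define DEFPDICT_DEMO   ".ispell_"
#define LIBDICT_DEMO    "english"

/* Hardened form of the tree.c:219 pattern: bounded formatting with the
 * result checked. Returns 0 on success; returns -1 and leaves an empty
 * string in 'out' if the path would not fit (truncated paths are refused
 * rather than silently used). */
int build_personal_dict(char *out, size_t outsz, const char *home)
{
    const char *h = (home == NULL) ? "" : home;
    int n = snprintf(out, outsz, "%s/%s%s", h, DEFPDICT_DEMO, LIBDICT_DEMO);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Number of bytes (including the terminating NUL) the unchecked sprintf
 * would write for a given HOME value, computed without performing the
 * write, so the overflow condition can be evaluated safely. */
size_t unchecked_write_len(const char *home)
{
    const char *h = (home == NULL) ? "" : home;
    return strlen(h) + 1 + strlen(DEFPDICT_DEMO) + strlen(LIBDICT_DEMO) + 1;
}

/* 1 if the unchecked sprintf would overrun a buffer of 'bufsz' bytes. */
int would_overflow(const char *home, size_t bufsz)
{
    return unchecked_write_len(home) > bufsz;
}

int main(void)
{
    char buf[PERSONALDICT_SZ];
    char longhome[200];

    /* Constructed input: a HOME value longer than the destination buffer. */
    memset(longhome, 'A', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';

    printf("short HOME -> %s\n",
           build_personal_dict(buf, sizeof buf, "/home/user") == 0 ? buf : "(refused)");
    printf("long HOME would overrun %zu-byte buffer: %d\n",
           sizeof buf, would_overflow(longhome, sizeof buf));
    printf("long HOME -> %s\n",
           build_personal_dict(buf, sizeof buf, longhome) == 0 ? buf : "(refused)");
    return 0;
}
```

Refusing a path that does not fit, rather than truncating it, matters here because a silently truncated dictionary or log path would be opened as a different file than the user intended.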
