Bug 1174960

Summary: AUDIT-0: CVE-2018-18944: artha: Buffer Overflow may lead to DoS
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Atri Bhattacharya <badshah400>
Component: Security
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P3 - Medium
CC: atoptsoglou, matthias.gerstner, security-team
Version: Current
Target Milestone: ---
Hardware: Other
OS: All
URL: https://smash.suse.de/issue/235376/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1143860
Bug Blocks:

Description Atri Bhattacharya 2020-08-06 12:08:10 UTC
+++ This bug was initially created as a clone of Bug #1143860 +++

CVE-2018-18944

Artha ~ The Open Thesaurus 1.0.3.0 has a Buffer Overflow.

Exploit:

https://www.exploit-db.com/exploits/45760

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1727889
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18944
https://www.exploit-db.com/author/?a=8844
https://www.exploit-db.com/exploits/45760

Artha has seen an update to version 1.0.5 recently (see https://build.opensuse.org/request/show/823029) and the exploit may no longer be reproducible on openSUSE Tumbleweed (see comments in the submit request above). Could the security team please have a look at the updated package from Education (https://build.opensuse.org/package/show/Education/artha) and let us know if we can resubmit it to openSUSE:Factory? Thanks!
Comment 2 Matthias Gerstner 2020-08-11 11:20:35 UTC
Well this Artha package has multiple problems:

- The release 1.0.5 only contains four new commits that have been made since
  the year 2014. None of the commits seems to deal with a buffer overflow or
  CVE-2018-18944, specifically.
- CVE-2018-18944 is quite imprecise. There's only a python script that creates
  a file containing 256 times the letter 'A'. Supposedly feeding this long
  string to Artha as a query string should crash it.
- When testing the current Artha devel package, entering just "test" as a query
  causes a segmentation fault. So something is pretty wrong in there.


I don't see a big security issue from a buffer overflow here, because an
interactive user would need to enter a very strange long string into the
application to cause any severe harm. But still the package currently doesn't
seem to be stable.
Comment 3 Atri Bhattacharya 2020-08-16 15:09:18 UTC
Thanks, I see the instability too. Reported upstream, let's wait and see what the app author says: <https://sourceforge.net/p/artha/news/2020/07/artha-105-released/#5fa1>
Comment 4 Atri Bhattacharya 2020-08-28 22:00:37 UTC
Actually, the unstable behaviour was tracked down to wordnet being compiled with link-time-optimization. This sr: <https://build.opensuse.org/request/show/830366> should do the trick. Since you think artha is ok security wise, I shall resubmit artha along with the wordnet fix to Factory. Hope that sounds ok. Thanks again for the review.
Comment 5 Matthias Gerstner 2020-08-31 07:59:10 UTC
Please let us know when the SR# got accepted and the basic instability is out
of the way. Maybe we can then see something regarding this claimed buffer
overflow.
Comment 6 Atri Bhattacharya 2020-08-31 09:59:56 UTC
(In reply to Matthias Gerstner from comment #5)
> Please let us know when the SR# got accepted and the basic instability is out
> of the way. Maybe we can then see something regarding this claimed buffer
> overflow.

You may try it as of now from the Education repository. You will need both wordnet (specifically the pkg libWN3) and artha from there:

* https://build.opensuse.org/package/show/Education/artha
* https://build.opensuse.org/package/show/Education/wordnet

Thanks.
Comment 7 Matthias Gerstner 2020-08-31 11:15:19 UTC
Using the new libWD the general instability is gone.

I can still not see what this CVE-2018-18944 is supposed to be. There's too
little information. The script found on vulnerabilitydb creates a file
containing a long string made up of 256 times the character 'A'.

Artha does not consume files as far as I can see. So the only thing that comes
to my mind is feeding the string into the query field. This does nothing bad.
I'd say this CVE can be disputed due to lack of reproducer and information.

I'm closing this bug as invalid. From the security point of view it should be
fine to add artha to Factory.
Comment 8 Atri Bhattacharya 2020-08-31 11:29:51 UTC
(In reply to Matthias Gerstner from comment #7)
> Using the new libWD the general instability is gone.
> 
> I can still not see what this CVE-2018-18944 is supposed to be. There's too
> little information. The script found on vulnerabilitydb creates a file
> containing a long string made up of 256 times the character 'A'.
> 
> Artha does not consume files as far as I can see. So the only thing that
> comes
> to my mind is feeding the string into the query field. This does nothing bad.
> I'd say this CVE can be disputed due to lack of reproducer and information.
> 
> I'm closing this bug as invalid. From the security point of view it should be
> fine to add artha to Factory.

Matthias, I can't thank you enough for your prompt responses about this and the good news your last comment brings :-)
Comment 9 OBSbugzilla Bot 2020-08-31 12:10:07 UTC
This is an autogenerated message for OBS integration:
This bug (1174960) was mentioned in
https://build.opensuse.org/request/show/830781 Factory / artha