oss-sec mailing list archives

CVE Request -- libvoikko -- DoS of application linked against libvoikko due to improper handling of embedded null characters in input strings


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 13 Jun 2011 14:30:44 +0200

Hello, Josh, Steve, vendors,

  A denial of service flaw was found in the way Python and Java
interfaces of libvoikko, a library for spellcheckers and hyphenators,
processed embedded null characters in input strings. If a specially-
crafted input string was provided to an application linked against
libvoikko, it could lead to that particular application termination.

References:
[1] http://voikko.sourceforge.net/releases.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=712863

Upstream patches:
[3] http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3901
[4] http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3902
[5] http://voikko.svn.sourceforge.net/viewvc/voikko?view=revision&revision=3903

Could you allocate a CVE identifier for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

