gnu: wordnet: Fix CVE-2008-2149, CVE-2008-3908.

* gnu/packages/wordnet.scm (wordnet)[source]: Add patches.
* gnu/packages/patches/wordnet-CVE-2008-2149.patch,
gnu/packages/patches/wordnet-CVE-2008-3908-pt1.patch,
gnu/packages/patches/wordnet-CVE-2008-3908-pt2.patch: New variables.
* gnu/local.mk (dist_patch_DATA): Add them.

1 files changed, 19 insertions, 0 deletions

diff --git a/gnu/packages/patches/wordnet-CVE-2008-2149.patch b/gnu/packages/patches/wordnet-CVE-2008-2149.patch
new file mode 100644
index 0000000000..9828efa4bc
--- /dev/null
+++ b/gnu/packages/patches/wordnet-CVE-2008-2149.patch
@@ -0,0 +1,19 @@
+Fix CVE-2008-2149: buffer overflows by limiting the length of the string in sprintf
+format string
+Closes: #481186 (CVE-2008-2149)
+Please note: The WordNet code contains several other occurences of potentially
+exploitable functions like strcpy()/strcat()/...  and so even if there are no
+known exploits the code needs a full security audit.
+
+--- a/src/wn.c
++++ b/src/wn.c
+@@ -206,7 +206,8 @@ static int searchwn(int ac, char *av[])
+ 		    outsenses += do_search(av[1], optptr->pos, optptr->search,
+ 					    whichsense, optptr->label);
+ 	    } else {
+-		sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
++		/* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
++		sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
+ 		display_message(tmpbuf);
+ 		errcount++;
+ 	    }