VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2004 · Updated Apr 16, 2026

CVE-2004-0548

Description

Stack-based buffer overflows in Aspell word-list-compress allow local code execution via a malformed wordlist entry longer than 256 bytes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Multiple stack-based buffer overflows exist in the word-list-compress utility included in the Aspell package [1]. The utility provides c (compress) and d (decompress) options. The overflow occurs when the program processes a wordlist entry exceeding 256 bytes using the get_word() function, which performs no bounds checking before copying into fixed-size stack buffers s1 and s2 [1]. All versions of Aspell are reported to be affected [1][2].
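The bounds check that get_word() is described as lacking, shown as an added example that is not Aspell's source or its patch: a reader that never writes past a 256-byte buffer, plus a pre-flight count of overlong entries in a wordlist. The names get_word_bounded, count_overlong, make_sample and WORD_BUF are hypothetical, and the separator rule (bytes <= 32) and the exact buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define WORD_BUF 256 /* assumed buffer size, taken from the advisory's 256-byte figure */
/* Bounded word reader (hypothetical helper; separators assumed to be bytes <= 32).
 * Returns 1 = word read, 0 = end of input, -1 = entry truncated, remainder consumed. */
static int get_word_bounded(FILE *in, char buf[WORD_BUF])
{
    int c, too_long = 0;
    size_t n = 0;
    do { c = getc(in); } while (c != EOF && c <= 32);   /* skip separators */
    if (c == EOF) return 0;
    do {
        if (n < WORD_BUF - 1) buf[n++] = (char)c;       /* room left for the NUL */
        else too_long = 1;                              /* keep reading, stop writing */
    } while ((c = getc(in)) != EOF && c > 32);
    buf[n] = '\0';
    return too_long ? -1 : 1;
}

/* Pre-flight check: number of entries in a wordlist that exceed the buffer. */
static long count_overlong(FILE *in)
{
    char buf[WORD_BUF];
    long bad = 0;
    int r;
    while ((r = get_word_bounded(in, buf)) != 0)
        if (r < 0) bad++;
    return bad;
}

/* Constructed sample: two ordinary words around one 300-byte entry. */
static FILE *make_sample(void)
{
    FILE *f = tmpfile();
    if (!f) return NULL;
    fputs("apple\n", f);
    for (int i = 0; i < 300; i++) fputc('A', f);
    fputs("\nbanana\n", f);
    rewind(f);
    return f;
}

int main(void)
{
    FILE *f = make_sample();
    if (!f) return 1;
    printf("overlong entries: %ld\n", count_overlong(f));
    return fclose(f);
}
```

An entry of up to 255 bytes fits with its terminator; anything longer is truncated in the buffer and reported, rather than written past the end.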

Exploitation

An attacker can exploit this by supplying a carefully crafted wordlist containing a word entry longer than 256 bytes. The utility must be invoked with either the -c (compress) or -d (decompress) option on the malicious wordlist [1]. No special privileges are required beyond the ability to run word-list-compress; the attack is local [1][2].

Impact

Successful exploitation overwrites the saved return address or other critical stack data, allowing the attacker to execute arbitrary code with the privileges of the user running the utility [1][2]. The confidentiality, integrity, and availability of the system may be fully compromised, depending on the attacker's injected payload.

Mitigation

Gentoo has released updated packages: version >=app-text/aspell-0.50.5-r4 resolves the issue [2]. Users should upgrade to a patched version of Aspell. No workaround is available [2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • GNU/Aspell (2 versions)
    • cpe:2.3:a:gnu:aspell:0.50.5:*:*:*:*:*:*:*
    • (no CPE)
  • cpe:2.3:o:gentoo:linux:1.4:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

References

4
