JVN#16901583
ChaSen vulnerable to buffer overflow
Overview
ChaSen provided by Nara Institute of Science and Technology contains a buffer overflow vulnerability.
Products Affected
- ChaSen version 2.4.4 and earlier
- ChaSen version 2.3.3 and earlier
Description
ChaSen, provided by Nara Institute of Science and Technology, is software for morphological analysis of Japanese text. ChaSen contains an issue when reading in strings, which may lead to a buffer overflow.
The ChaSen legacy project has inherited development of ChaSen since 11/8/2011.
Impact
An arbitrary script may be executed by an attacker with access to a system that is running a product listed in "Products Affected."
Solution
Apply a patch
Apply a patch according to the information provided by the ChaSen legacy project.
Vendor Status
Vendor | Link |
Nara Institute of Science and Technology | ChaSen legacy (Japanese only) |
ChaSen legacy project | chasen244-secfix.diff (Japanese only) |
Debian Project | Debian Security Advisory DSA-2361-1 chasen -- buffer overflow |
References
JPCERT/CC Addendum
As of 11/8/2011, "Products Affected" was listed as ChaSen 2.4.x.
After testing by the ChaSen legacy project, ChaSen 2.3.3 and earlier were determined to be affected; therefore, the information under "Products Affected" has been updated.
Vulnerability Analysis by JPCERT/CC
Credit
Kenji Aiko of NetAgent Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2011-4000 |
JVN iPedia | JVNDB-2011-000099 |
Update History
- 2011/12/09
  - Information under "Vendor Status" was updated.
- 2011/12/12
  - Information under "Vendor Status" was updated.
- 2011/12/19
  - Information under "Products Affected", "Description", "Solution", "Vendor Status" and "JPCERT/CC Addendum" was updated.