spamassassin: CVE-2018-11780: potential remote code execution bug with the PDFInfo plugin

Related Vulnerabilities: CVE-2018-11780   CVE-2017-15705   CVE-2016-1238   CVE-2018-11781  

Debian Bug report logs - #908970


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 16 Sep 2018 20:45:05 UTC

Severity: grave

Tags: security

Found in version spamassassin/3.4.1-1

Fixed in versions spamassassin/3.4.2-1, spamassassin/3.4.2-1~deb9u1

Done: Noah Meyerhans <noahm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Noah Meyerhans <noahm@debian.org>:
Bug#908970; Package src:spamassassin. (Sun, 16 Sep 2018 20:45:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Noah Meyerhans <noahm@debian.org>. (Sun, 16 Sep 2018 20:45:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spamassassin: CVE-2018-11780: potential remote code execution bug with the PDFInfo plugin
Date: Sun, 16 Sep 2018 22:41:24 +0200
Source: spamassassin
Version: 3.4.1-1
Severity: grave
Tags: security

Hi,

The following vulnerability was published for spamassassin.

CVE-2018-11780[0]:
potential remote code execution bug with the PDFInfo plugin

It is fixed in new upstream version 3.4.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11780
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780
[1] https://www.openwall.com/lists/oss-security/2018/09/16/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
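The "Found in version" and "Fixed in versions" lines of this report are Debian version strings, and the two fixed versions differ only by the `~deb9u1` suffix, which dpkg sorts before the bare `3.4.2-1` revision. Deciding whether a given host is still exposed to CVE-2018-11780 therefore needs dpkg's own ordering and a comparison against the fix for that host's suite, not a plain string or float comparison. The following Python is an added example and is not code from the bug report, from Debian or from the spamassassin project: it reimplements the `dpkg --compare-versions` algorithm, records the two fixed versions listed in this bug, and checks a constructed inventory. The mapping of `3.4.2-1` to unstable and `3.4.2-1~deb9u1` to stretch follows the `Distribution:` fields of the two uploads further down; the suite names, the `is_vulnerable` helper and the sample inventory are assumptions for illustration.

```python
"""Decide whether an installed spamassassin package is affected by
CVE-2018-11780, using dpkg's version ordering and the per-suite fixed
versions recorded in Debian bug #908970.

Added example; not part of the bug report or of the spamassassin package.
"""

import subprocess

# Fixed versions exactly as listed in the bug's "Fixed in versions" line.
# Suite mapping is an assumption taken from the Distribution: fields of the
# two uploads (3.4.2-1 -> unstable, 3.4.2-1~deb9u1 -> stretch).
FIXED_VERSIONS = {
    "unstable": "3.4.2-1",
    "stretch": "3.4.2-1~deb9u1",
}


def _order(c: str) -> int:
    """dpkg's character weight: '~' sorts before everything (even the end
    of the string), letters sort before non-letters, digits weigh 0."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs (compared by
    _order) and digit runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: continues while either side still has a non-digit.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: the longer run (after stripping zeros) is larger,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' as dpkg does: the last hyphen
    starts the revision, and a missing revision compares equal to '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions v1 lt/eq/gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2)
    if c == 0:
        c = _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def is_vulnerable(installed: str, suite: str) -> bool:
    """True when `installed` is older than the fix for its own suite.
    The lookup is per suite on purpose: measured against the unstable fix,
    the stretch update 3.4.2-1~deb9u1 would be flagged as vulnerable even
    though it carries the same fix."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0


def installed_version(package: str = "spamassassin"):
    """Installed version via dpkg-query, or None when dpkg is unavailable
    or the package is not installed."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "--showformat=${Version}", package],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = [
        ("mx1", "stretch", "3.4.1-1"),          # the "Found in" version: affected
        ("mx2", "stretch", "3.4.2-1~deb9u1"),   # the stretch security update: fixed
        ("build", "unstable", "3.4.2-1"),       # the unstable upload: fixed
    ]
    for host, suite, ver in inventory:
        state = "VULNERABLE" if is_vulnerable(ver, suite) else "fixed"
        print(f"{host}: spamassassin {ver} ({suite}): {state}")
    local = installed_version()
    if local:
        print("this host:", local)
```

On a Debian host the same decision can be taken with `dpkg --compare-versions "$(dpkg-query -W --showformat='${Version}' spamassassin)" ge 3.4.2-1~deb9u1`; the point of the reimplementation is to run the check from an inventory or a scanner that does not have dpkg, while keeping the `~` and epoch semantics that a naive comparison gets wrong.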



Reply sent to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility. (Mon, 01 Oct 2018 07:09:25 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 01 Oct 2018 07:09:25 GMT)


Message #10 received at 908970-close@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: 908970-close@bugs.debian.org
Subject: Bug#908970: fixed in spamassassin 3.4.2-1
Date: Mon, 01 Oct 2018 07:05:38 +0000
Source: spamassassin
Source-Version: 3.4.2-1

We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated spamassassin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 30 Sep 2018 23:44:58 -0700
Source: spamassassin
Binary: spamassassin spamc sa-compile
Architecture: source all amd64
Version: 3.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Noah Meyerhans <noahm@debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Description:
 sa-compile - Tools for compiling SpamAssassin rules into C
 spamassassin - Perl-based spam filter using text analysis
 spamc      - Client for SpamAssassin spam filtering daemon
Closes: 858457 865924 883775 884163 889501 890650 891041 891833 908969 908970 908971
Changes:
 spamassassin (3.4.2-1) unstable; urgency=medium
 .
   * New upstream release fixes multiple security vulnerabilities
     - CVE-2017-15705: Denial of service issue in which certain unclosed
       tags in emails cause markup to be handled incorrectly leading to
       scan timeouts. (Closes: 908969)
     - CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
       script.
     - CVE-2018-11780: potential Remote Code Execution bug with the
       PDFInfo plugin. (Closes: 908970)
     - CVE-2018-11781: local user code injection in the meta rule syntax.
       (Closes: 908971)
     - BayesStore: bayes_expire table grows, remove_running_expire_tok not
       called (Closes: 883775)
     - Fix use of uninitialized variable warning in PDFInfo.pm
       (Closes: 865924)
     - Fix "failed to parse plugin" error in
       Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
   * Don't recursively chown /var/lib/spamassassin during postinst.
     (Closes: 889501)
   * Reload spamd after compiling rules in sa-compile.postinst.
   * Preserve locally set ENABLED=1 setting from /etc/default/spamassassin
     when installing on systemd-based systems. (Closes: 884163, 858457)
   * Update SysV init script to cope with upstream's change to $0.
   * Remove compiled rules upon removal of the sa-compile package.
   * Ensure that /var/lib/spamassassin/compiled doesn't change modes with
     the cron job's execution. (Closes: 890650)
   * Update standards version to 4.2.1
   * Create /var/lib/spamassassin via dpkg, rather than the postinst.
     (Closes: 891833)
Checksums-Sha1:
 4682b1ae4582df205cb676ed6fa0c1c5fea5dc2f 2437 spamassassin_3.4.2-1.dsc
 a7c72a47e9aa88276aeefc926a159c27dc4a74ab 234232 spamassassin_3.4.2.orig-pkgrules.tar.xz
 f295571631e4163225ee3eab04d5c0cce3a69fbc 1873396 spamassassin_3.4.2.orig.tar.xz
 9e99ec3e223bc4c0e184e217319ca57c98e72d7a 38612 spamassassin_3.4.2-1.debian.tar.xz
 c16c099174bb14f2f54bca19ab6b54296a14aa10 47904 sa-compile_3.4.2-1_all.deb
 b4e85ee7bd6c0dc29464e4b3280f90d626044cf7 1121628 spamassassin_3.4.2-1_all.deb
 0e8572c1644a85745e3747d06fb063533e73234c 6491 spamassassin_3.4.2-1_amd64.buildinfo
 44fc9bf2f894a10619d88a09d96db1d7047a3528 51632 spamc-dbgsym_3.4.2-1_amd64.deb
 45074abc06c7a56a62f8ca17ff680782e343f6b8 82708 spamc_3.4.2-1_amd64.deb
Checksums-Sha256:
 9610aa6bc6168cb62197fe93c043af76479291c6d14526c2317390bfa38f4c21 2437 spamassassin_3.4.2-1.dsc
 3f3349bb45ac63a7b85a7562a365a9805c4afce91aa11718f0dacfe034890066 234232 spamassassin_3.4.2.orig-pkgrules.tar.xz
 aae73f835e1201713458fbe012f686eae395f7672c4729e62c91a92b3ced50df 1873396 spamassassin_3.4.2.orig.tar.xz
 9e9e924e59665796641d60edbdc88905f88bb545a9d208921af1713a1771d998 38612 spamassassin_3.4.2-1.debian.tar.xz
 3f5021d8e5e36f105b16b0722b8dbe6a0251af1180be0630a6ceda86fabff77c 47904 sa-compile_3.4.2-1_all.deb
 098dddb2cdceeb381b8014a029272b5084aa8f8a9c3a49f99a29928744f2ab7a 1121628 spamassassin_3.4.2-1_all.deb
 7213c9d8ca428f77e583c25eee1097508ac297078bae3b47e8ec0f43d9aed4c7 6491 spamassassin_3.4.2-1_amd64.buildinfo
 41cc3eb33ced6fc54e31cfe159093e0502eede572e6534bd3c2b60a7e4d03504 51632 spamc-dbgsym_3.4.2-1_amd64.deb
 a709456209fd939897c6f7b03bea6753dc18e2957479a9a4b553a360b47d5180 82708 spamc_3.4.2-1_amd64.deb
Files:
 64bce716ff4cdc590337a551c07c4f94 2437 mail optional spamassassin_3.4.2-1.dsc
 d1616326f1d3a442aff01347e615cabd 234232 mail optional spamassassin_3.4.2.orig-pkgrules.tar.xz
 0f6d6733613ec670b13d37ce6f6244f8 1873396 mail optional spamassassin_3.4.2.orig.tar.xz
 64ce474e3e6bd3f4d6b58c09c49730fa 38612 mail optional spamassassin_3.4.2-1.debian.tar.xz
 9a301495a878db9e55c0db3dc90c6811 47904 mail optional sa-compile_3.4.2-1_all.deb
 ced8ac1a4cba624255deeea4bad829db 1121628 mail optional spamassassin_3.4.2-1_all.deb
 6028e236374e3a706be97c65807372f7 6491 mail optional spamassassin_3.4.2-1_amd64.buildinfo
 a1679615f961382eeb5ff44ce4d3ad9c 51632 debug optional spamc-dbgsym_3.4.2-1_amd64.deb
 2b7afe5834fa3f84acf960bcc3f22477 82708 mail optional spamc_3.4.2-1_amd64.deb





Reply sent to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility. (Thu, 01 Nov 2018 19:57:33 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 01 Nov 2018 19:57:33 GMT)


Message #15 received at 908970-close@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: 908970-close@bugs.debian.org
Subject: Bug#908970: fixed in spamassassin 3.4.2-1~deb9u1
Date: Thu, 01 Nov 2018 19:56:21 +0000
Source: spamassassin
Source-Version: 3.4.2-1~deb9u1

We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated spamassassin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 30 Sep 2018 23:44:58 -0700
Source: spamassassin
Binary: spamassassin spamc sa-compile
Architecture: source all amd64
Version: 3.4.2-1~deb9u1
Distribution: stretch
Urgency: high
Maintainer: Noah Meyerhans <noahm@debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Description:
 sa-compile - Tools for compiling SpamAssassin rules into C
 spamassassin - Perl-based spam filter using text analysis
 spamc      - Client for SpamAssassin spam filtering daemon
Closes: 808804 853913 861671 864810 865356 865514 865924 869408 883775 889501 890650 891041 891833 908969 908970 908971 910434
Changes:
 spamassassin (3.4.2-1~deb9u1) stretch; urgency=high
 .
   * New upstream release fixes multiple security vulnerabilities
     - CVE-2017-15705: Denial of service issue in which certain unclosed
       tags in emails cause markup to be handled incorrectly leading to
       scan timeouts. (Closes: 908969)
     - CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
       script.
     - CVE-2018-11780: potential Remote Code Execution bug with the
       PDFInfo plugin. (Closes: 908970)
     - CVE-2018-11781: local user code injection in the meta rule syntax.
       (Closes: 908971)
     - BayesStore: bayes_expire table grows, remove_running_expire_tok not
       called (Closes: 883775)
     - Fix use of uninitialized variable warning in PDFInfo.pm
       (Closes: 865924)
     - Fix "failed to parse plugin" error in
       Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
   * Don't recursively chown /var/lib/spamassassin during postinst.
     (Closes: 889501)
   * Reload spamd after compiling rules in sa-compile.postinst.
   * Update SysV init script to cope with upstream's change to $0.
   * Remove compiled rules upon removal of the sa-compile package.
   * Ensure that /var/lib/spamassassin/compiled doesn't change modes with
     the cron job's execution. (Closes: 890650)
   * Create /var/lib/spamassassin via dpkg, rather than the postinst.
     (Closes: 891833)
   * Add libbsd-resource-perl to Suggests (Closes: 910434)
 .
 spamassassin (3.4.1-8) unstable; urgency=medium
 .
   * Fix inappropriate invocation of invoke-rc.d in cron script.
     (Closes: 865514)
   * Update systemd unit dependencies to include network and syslog.
     (Closes: 864810)
   * Migrate packaging to git, finally.
   * Apply upstream patch to fix regex error leading to warnings in perl
     5.26+ (Closes: 869408)
   * Update standards version to 4.1.0.0
   * Remove references to the obsolete syslog.target dependency in the
     systemd service file.
   * Clarify the use of the perl-major-upgrade dpkg trigger.
   * Fix spamd service management on package upgrades. (Closes: #865356)
 .
 spamassassin (3.4.1-7) unstable; urgency=medium
 .
   * Ensure that spamd doesn't automatically start upon initial
     installation.
   * Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as
     it requires users to register. (Closes: #861671)
   * Update the systemd unit file to use the same pid file as was
     used in the sysvinit script. (Closes: #808804)
   * Update spamassassin docs to remove outdated gpg version
     compatibility note. (Closes: #853913)
Checksums-Sha1:
 0fe215425a542e1366e627468d834e3b90eb17e4 2465 spamassassin_3.4.2-1~deb9u1.dsc
 a7c72a47e9aa88276aeefc926a159c27dc4a74ab 234232 spamassassin_3.4.2.orig-pkgrules.tar.xz
 f295571631e4163225ee3eab04d5c0cce3a69fbc 1873396 spamassassin_3.4.2.orig.tar.xz
 245b236f974de483d56fa2f36c08050a4f542f67 38168 spamassassin_3.4.2-1~deb9u1.debian.tar.xz
 fe4735d062829571e7bd6df813836f50eb30dc73 47526 sa-compile_3.4.2-1~deb9u1_all.deb
 abbca004ad48d702b256d75eca20db18ca1fc65d 1122358 spamassassin_3.4.2-1~deb9u1_all.deb
 21e5b7d155d3d9519f820161eb37e4f6c59c74f0 7038 spamassassin_3.4.2-1~deb9u1_amd64.buildinfo
 e8e98bd2f67d3c55f5b7b3a28e621d43a348041f 43806 spamc-dbgsym_3.4.2-1~deb9u1_amd64.deb
 6792de805393b60dad0746a622916c36b3346a0d 82686 spamc_3.4.2-1~deb9u1_amd64.deb
Checksums-Sha256:
 1ab5862919c0f01902ca6bdc14625598ca8e4e624bc8165b1c940b6cc5f0fc8f 2465 spamassassin_3.4.2-1~deb9u1.dsc
 3f3349bb45ac63a7b85a7562a365a9805c4afce91aa11718f0dacfe034890066 234232 spamassassin_3.4.2.orig-pkgrules.tar.xz
 aae73f835e1201713458fbe012f686eae395f7672c4729e62c91a92b3ced50df 1873396 spamassassin_3.4.2.orig.tar.xz
 d100da85c5b88dd7dc301de1af6835e06a039892c44747de5b1150e8a7ce6640 38168 spamassassin_3.4.2-1~deb9u1.debian.tar.xz
 9fa265f079061ac3a34994f90cad41bb9df9af4fa5aba2e3c796fb2bc262f5ca 47526 sa-compile_3.4.2-1~deb9u1_all.deb
 d9e43b2f774464a347a9b3dc225ca7f477c9790157fa9a94f8aee99fdf0e05df 1122358 spamassassin_3.4.2-1~deb9u1_all.deb
 ee838cb685bddb2b998bf2ca97afaa739cf327e90f52c843fb144c576250aec3 7038 spamassassin_3.4.2-1~deb9u1_amd64.buildinfo
 88b79c34b99da9a192170c1d111b36ce06292198ac2bcf33f9ca5f013698f7e3 43806 spamc-dbgsym_3.4.2-1~deb9u1_amd64.deb
 0df0da94e2779efe3fe342db53a6458120ace1524b3cb2e1d926cbbca605604f 82686 spamc_3.4.2-1~deb9u1_amd64.deb
Files:
 e4b97bb4255ea4f55bb860f6c9a95c29 2465 mail optional spamassassin_3.4.2-1~deb9u1.dsc
 d1616326f1d3a442aff01347e615cabd 234232 mail optional spamassassin_3.4.2.orig-pkgrules.tar.xz
 0f6d6733613ec670b13d37ce6f6244f8 1873396 mail optional spamassassin_3.4.2.orig.tar.xz
 f8d56133ed767697a71b787226c57924 38168 mail optional spamassassin_3.4.2-1~deb9u1.debian.tar.xz
 0c56bd88fd19275265424c607dad1ebf 47526 mail optional sa-compile_3.4.2-1~deb9u1_all.deb
 db4375aa9f308f1631058a905278e000 1122358 mail optional spamassassin_3.4.2-1~deb9u1_all.deb
 26244b4f06cd64283c9829a240a9d636 7038 mail optional spamassassin_3.4.2-1~deb9u1_amd64.buildinfo
 b9ebbdca978978cb80c705d52264bec5 43806 debug extra spamc-dbgsym_3.4.2-1~deb9u1_amd64.deb
 473a55ecdddb784d8bd1ce2ab3ca418c 82686 mail optional spamc_3.4.2-1~deb9u1_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 30 Nov 2018 07:29:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:01:42 2019; Machine Name: beach
