spamassassin: URI parsing causes local DoS

Debian Bug report logs - #410843
spamassassin: URI parsing causes local DoS

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Micah Anderson <micah@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: spamassassin: URI parsing causes local DoS

Date: Tue, 13 Feb 2007 13:13:41 -0700

Package: spamassassin
Version: 3.1.7-1
Severity: important
Tags: security patch


There is a DoS in apparantly all versions of spamassassin prior to
3.1.8 (which is not released yet). The details of this are obtained
through this bugzilla log:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5318

As well as a patch to fix the issue for 3.1.8. This will likely require
a backported fix for sarge. 

CVE id to be assigned shortly.

Micah


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-vserver-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages spamassassin depends on:
ii  libdigest-sha1-perl           2.11-2     NIST SHA-1 message digest algorith
ii  libhtml-parser-perl           3.56-1     A collection of modules that parse
ii  libnet-dns-perl               0.59-1     Perform DNS queries from a Perl sc
pn  libsocket6-perl               <none>     (no description available)
ii  perl                          5.8.8-7    Larry Wall's Practical Extraction 

Versions of packages spamassassin recommends:
pn  libmail-spf-query-perl        <none>     (no description available)
ii  perl [libmime-base64-perl]    5.8.8-7    Larry Wall's Practical Extraction 
pn  spamc                         <none>     (no description available)

Message #10 received at 410843@bugs.debian.org (full text, mbox, reply):

From: Mark J Cox <mjc@redhat.com>

To: 410843@bugs.debian.org

Subject: CVE name

Date: Tue, 13 Feb 2007 21:05:01 +0000 (GMT)

This is CVE-2007-0451

Message #17 received at 410843-close@bugs.debian.org (full text, mbox, reply):

From: Duncan Findlay <duncf@debian.org>

To: 410843-close@bugs.debian.org

Subject: Bug#410843: fixed in spamassassin 3.1.7-2

Date: Thu, 15 Feb 2007 05:47:03 +0000

Source: spamassassin
Source-Version: 3.1.7-2

We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive:

spamassassin_3.1.7-2.diff.gz
  to pool/main/s/spamassassin/spamassassin_3.1.7-2.diff.gz
spamassassin_3.1.7-2.dsc
  to pool/main/s/spamassassin/spamassassin_3.1.7-2.dsc
spamassassin_3.1.7-2_all.deb
  to pool/main/s/spamassassin/spamassassin_3.1.7-2_all.deb
spamc_3.1.7-2_i386.deb
  to pool/main/s/spamassassin/spamc_3.1.7-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 410843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Duncan Findlay <duncf@debian.org> (supplier of updated spamassassin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 14 Feb 2007 21:46:52 -0500
Source: spamassassin
Binary: spamassassin spamc
Architecture: source all i386
Version: 3.1.7-2
Distribution: unstable
Urgency: high
Maintainer: Duncan Findlay <duncf@debian.org>
Changed-By: Duncan Findlay <duncf@debian.org>
Description: 
 spamassassin - Perl-based spam filter using text analysis
 spamc      - Client for SpamAssassin spam filtering daemon
Closes: 410843
Changes: 
 spamassassin (3.1.7-2) unstable; urgency=high
 .
   * Security fixes backported from 3.1.8:
     - CVE-2007-0451: potential DoS with long URIs found in the message
     content (Closes: #410843)
     - Prevents perl code from being loaded via sa-update by default
     (override with --allowplugins) (SpamAssassin bug 5240)
Files: 
 a28f5809ec45cec91bf1e8617782ab82 738 mail optional spamassassin_3.1.7-2.dsc
 70f3d69e81dd5f7e6ecd819709565103 30993 mail optional spamassassin_3.1.7-2.diff.gz
 e154445c3a04bb4b7da52088c3c2dfa4 973862 mail optional spamassassin_3.1.7-2_all.deb
 4aa3fc65789fd755e223666a475869b8 75246 mail optional spamc_3.1.7-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF0++wqjUzNGvmnNARAnNRAJ9EFQu/jIL7GYuiC4oaz74bbfw1SwCglUlX
urP3aAIg57F9ITMUKsrlhhA=
=IzT9
-----END PGP SIGNATURE-----

Message #22 received at 410843@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@boum.org>

To: 410843@bugs.debian.org

Subject: Re: Bug#410843: fixed in spamassassin 3.1.7-2

Date: Fri, 16 Feb 2007 12:25:27 +0100

Hello,

Duncan Findlay wrote (15 Feb 2007 05:47:03 GMT) :
> Source: spamassassin
> Source-Version: 3.1.7-2
> We believe that the bug you reported is fixed in the latest version of
> spamassassin, which is due to be installed in the Debian FTP archive:

Are there plans to prepare sarge packages backporting the security fix ?

Ciao,
--
  intrigeri <intrigeri@boum.org>
  | gnupg key @ http://intrigeri.boum.org/intrigeri.asc
  | The impossible just takes a bit longer.

Message #29 received at 410843-close@bugs.debian.org (full text, mbox, reply):

From: Martin Zobel-Helas <zobel@ftbfs.de>

To: 410843-close@bugs.debian.org

Subject: Bug#410843: fixed in spamassassin 3.1.4-0volatile2

Date: Tue, 20 Feb 2007 13:46:47 +0100

Source: spamassassin
Source-Version: 3.1.4-0volatile2

It will be fixed in debian-volatile with version 3.1.4-0volatile2 and
[VUA 26-1].

Greetings
Martin
-- 
[root@debian /root]# man real-life
No manual entry for real-life

Send a report that this bug log contains spam.