spamassassin: CVE-2020-1946: arbitrary code execution via malicious rule configuration files

Related Vulnerabilities: CVE-2020-1946  

Debian Bug report logs - #985962


Reported by: Noah Meyerhans <noahm@debian.org>

Date: Fri, 26 Mar 2021 22:06:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions spamassassin/3.4.2-1, spamassassin/3.4.2-1+deb10u2

Fixed in versions spamassassin/4.0.0~0.0svn1879217-1, spamassassin/3.4.5~pre1-1



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org: Bug#985962; Package src:spamassassin. (Fri, 26 Mar 2021 22:06:03 GMT)


Acknowledgement sent to Noah Meyerhans <noahm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org. (Fri, 26 Mar 2021 22:06:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spamassassin: arbitrary code execution via malicious rule configuration files
Date: Fri, 26 Mar 2021 15:03:55 -0700
Source: spamassassin
Version: 3.4.2-1+deb10u2
Severity: grave
Tags: security patch upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

CVE-2020-1946
Quoting from https://www.openwall.com/lists/oss-security/2021/03/24/3 :

    In Apache SpamAssassin before 3.4.5, malicious rule configuration
    (.cf) files can be configured to run system commands without any
    output or errors. With this, exploits can be injected in a number of
    scenarios.  In addition to upgrading to SA version 3.4.5, users
    should only use update channels or 3rd party .cf files from trusted
    places.

The fix was silently added to the 3.4 branch prior to 3.4.5~pre1 being
packaged for Debian, so it is already present in unstable and bullseye.

Buster remains exposed.

noah



Changed Bug title to 'spamassassin: CVE-2020-1946: arbitrary code execution via malicious rule configuration files' from 'spamassassin: arbitrary code execution via malicious rule configuration files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Mar 2021 23:21:02 GMT)


Marked as fixed in versions spamassassin/3.4.5~pre1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Mar 2021 23:24:03 GMT)


Marked as found in versions spamassassin/3.4.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Mar 2021 23:24:04 GMT)


Marked as fixed in versions spamassassin/4.0.0~0.0svn1879217-1. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. (Sat, 27 Mar 2021 00:15:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 27 13:26:07 2021; Machine Name: buxtehude
