Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 152851 - CAN-2004-0796 SpamAssassin Message Handling DoS
Summary: CAN-2004-0796 SpamAssassin Message Handling DoS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://secunia.com/advisories/12255/
Whiteboard: 1, LEGACY
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-11-09 23:09 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-05 22:30:02 UTC


Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:29:40 UTC
http://secunia.com/advisories/12255/

A vulnerability has been discovered in SpamAssassin, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error within the processing of
certain malformed messages.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

Red Hat Bugzilla: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129284



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-16 08:03:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here is an updated spamassassin package to QA for fc1:
  
- - patch from RHEL3 for CAN-2004-0796 applied
 
changelog:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.63-0.2.1.legacy
- - patch for CAN-2004-0796 (FL #2268)
 
sha1sums:
f1bb38bb40c5722618707c685c37ceb5b3479511  spamassassin-2.63-0.2.1.legacy.i386.rpm
c0910fd8c7bae3c43e196fd62014606449f287a5  spamassassin-2.63-0.2.1.legacy.src.rpm
44636e571d4ec3f9f19052b3664459808c3ed50c 
spamassassin-debuginfo-2.63-0.2.1.legacy.i386.rpm
  
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-2.63-0.2.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-2.63-0.2.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-debuginfo-2.63-0.2.1.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBmkAitU2XAt1OWnsRAsyyAJ9j7kz/0RlWzZXC7A+HefR3JtIokwCfb0Qc
Zrsy6X89Ozrnr1r62yr4dA0=
=dIDF
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-19 08:01:35 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on SRPM w/ rpm-build-compare.sh:
 - original packaging and other files OK
 - only very minimal specfile changes
 - the patch verified to come from RHEL.
 - compilation or install not tested; to be done in at updates-testing.

However, it must be noted that RHEL ships with 2.55, and this is 2.63.
Therefore I went and looked at the diff between upstream 2.63 and 2.64
releases, and noticed two differences wrt. the security parts:
1) in lib/Mail/SpamAssassin/Bayes.pm, tokenize_headers() is not patched to
   include the upper limits.  I think this is a problem.
2) in the header, there are some diffs wrt TOKENIZE_LONG_TOKENS_AS_SKIPS,
   BODY_TOKENIZE_LONG_TOKENS_AS_SKIPS and the like, but the patch is not
   trying to change them, so this is not a problem (except possibly for
   applying the patch)

I'm going to re-open the RHEL3 PR for 1), but in the meantime, I'd suggest
that if we move forward, we'll use the a patch between spamassassin-2.63 and
spamassassin-2.64, minus the changes to the rules.  I've also attached one
for reference.

I've packaged the patch (on RHL73, not tested!) at:

http://www.netcore.fi/pekkas/linux/spamassassin-2.63-0.2.2.legacy.src.rpm

SHA1:
9b1bc0b64756a7e3746959cf3f32ee397de9df9c spamassassin-2.63-0.2.2.legacy.src.rpm

Changelog:
* Sun Dec 19 2004 Pekka Savola <pekkas@netcore.fi> 2.63-0.2.2.legacy

- - more extensive patch for CAN-2004-0796 (from 2.64)

* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.63-0.2.1.legacy

- - patch for CAN-2004-0796 (FL #2268)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxcHbGHbTkzxSL7QRAmoJAJwOFJPRNIDZE8fRvOvR5XXkJ72dEQCfQb5u
z+oltzFZ6TYBLnVPZvyR4xM=
=ym5r
-----END PGP SIGNATURE-----





------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-02 16:51:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the package in comment 2:

9b1bc0b64756a7e3746959cf3f32ee397de9df9c spamassassin-2.63-0.2.2.legacy.src.rpm

- - Source files match previous release
- - Patch file looks good (RH patch did look broken)
- - Spec file changes good

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCJnuyLMAs/0C4zNoRAlplAKC/dCXxhYx0suG6bfbK8uz4CM5ywACgwD7Y
l1QUh8XB+eU2gBtAIru6mVM=
=pSKb
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 04:56:22 ----

Packages were pushed to updates-testing



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-06 14:29:53 ----

Updated packages were pushed to updates-testing.



------- Additional Comments From mark.scott@csuk-solutions.net 2005-03-22 01:37:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


QA on FC1 spamassassin package:

e76200ac598d6cb56ec18b92cfe6ce6af0181683
  spamassassin-2.63-0.2.2.legacy.i386.rpm

sha1sum ok
gpg sig ok
install ok
tested spamassassin against POC mentioned in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337#c3

time cat 999 | spamassassin > /dev/null

real    0m46.607s
user    0m27.280s
sys     0m13.600s

I think that means it's fine.

Output looks normal.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCQANXl2I0fYrP+68RAh1RAKCHUOp6nt2MShOjfcVS1ogy8sfSBQCgpjfE
cihr/uGq1b5CjGfgWiKim04=
=mFg4
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2268 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2268
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-04-05 22:30:02 UTC
Updated packages were released for this issue.

Comment 2 Matthew Miller 2005-04-12 04:53:46 UTC
FWIW, FC2 bug #129284 was never resolved, and now it's a Legacy issue.


Note You need to log in before you can comment on or make changes to this bug.