Bug 129337
| Summary: | CAN-2004-0796 DOS attack open to certain malformed messages |
|---|---|
| Product: | Red Hat Enterprise Linux 3 |
| Reporter: | Josh Bressers <bressers> |
| Component: | spamassassin |
| Assignee: | Warren Togami <wtogami> |
| Status: | CLOSED WONTFIX |
| Severity: | medium |
| Priority: | medium |
| Version: | 3.0 |
| CC: | pekkas, redhat-bugzilla, tao |
| Keywords: | Security |
| Hardware: | All |
| OS: | Linux |
| Doc Type: | Bug Fix |
| Last Closed: | 2005-04-20 00:08:11 UTC |

OK, I have found the upstream fix for this DOS. Here's the output of my demo file:

```
Fixed
cat 999  0.00s user 0.01s system 1% cpu 0.766 total
spamassassin  8.48s user 0.60s system 37% cpu 24.460 total

Not Fixed
cat 999  0.00s user 0.02s system 2% cpu 0.939 total
spamassassin  150.75s user 1.37s system 95% cpu 2:38.95 total
```

I'll attach the patch against the 3.0E src.rpm along with the demo file.

Created attachment 102901
RHEL3 spamassassin patch

Created attachment 102902
Compressed POC message

This message is 5 megs when uncompressed, so I opted to gzip it for sanity's sake.

This is going to be RHSA-2004:451

An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-451.html

It seems the patch may be incomplete. It seems to be missing a change to lib/Mail/SpamAssassin/Bayes.pm - tokenize_headers() was also patched in 2.64 (vs the diff to 2.63). I fear here may lurk a slightly different attack vector, but I have not analyzed this in detail. See comment #2 at https://bugzilla.fedora.us/show_bug.cgi?id=2268 for more.

Release of new Upstream-Version 2.64

Summary of major changes since 2.63
-----------------------------------

- Security fix prevents a denial of service attack open to certain malformed messages; this DoS affects all SpamAssassin 2.5x and 2.6x versions to date.
- Backported several very reliable rules from the SpamAssassin 3.0.0 codebase.

FC[12] are handled by bug 129284

RHEL2.1 does not contain spamassassin, therefore is not affected.