Bug 129337 - CAN-2004-0796 DOS attack open to certain malformed messages
Summary: CAN-2004-0796 DOS attack open to certain malformed messages
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: spamassassin
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Warren Togami
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2004-08-06 16:55 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2005-04-20 00:08:11 UTC

Attachments (Terms of Use)
RHEL3 spamassassin patch (6.10 KB, patch)
2004-08-19 22:00 UTC, Josh Bressers
no flags Details | Diff
Compressed POC message (13.07 KB, application/x-gzip)
2004-08-19 22:03 UTC, Josh Bressers
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:451 normal SHIPPED_LIVE Important: spamassassin security update 2004-09-30 04:00:00 UTC

Description Josh Bressers 2004-08-06 16:55:30 UTC
Release of new Upstream-Version 2.64

Summary of major changes since 2.63
- -----------------------------------
  - Security fix prevents a denial of service attack open to certain
    malformed messages; this DoS affects all SpamAssassin 2.5x
    and 2.6x versions to date.
  - Backported several very reliable rules from the SpamAssassin 3.0.0

FC[12] are handled by bug 129284

RHEL2.1 does not contain spamassassin, therefore is not affected.

Comment 1 Josh Bressers 2004-08-19 21:56:25 UTC
OK, I have found the upstream fix for this DOS.  Here's the output of
my demo file

cat 999  0.00s user 0.01s system 1% cpu 0.766 total
spamassassin  8.48s user 0.60s system 37% cpu 24.460 total

Not Fixed
cat 999  0.00s user 0.02s system 2% cpu 0.939 total
spamassassin  150.75s user 1.37s system 95% cpu 2:38.95 total

I'll attach the patch against the 3.0E src.rpm along with the demo file.

Comment 2 Josh Bressers 2004-08-19 22:00:10 UTC
Created attachment 102901 [details]
RHEL3 spamassassin patch

Comment 3 Josh Bressers 2004-08-19 22:03:29 UTC
Created attachment 102902 [details]
Compressed POC message

This message is 5 megs when uncompressed, so I opted to gzip it for sanity's

Comment 4 Josh Bressers 2004-08-25 13:40:00 UTC
This is going to be RHSA-2004:451

Comment 6 Josh Bressers 2004-09-30 14:23:50 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Comment 7 Pekka Savola 2004-12-19 18:06:20 UTC
It seems the patch may be incomplete.  It seems to be missing a change
to lib/Mail/SpamAssassin/Bayes.pm - tokenize_headers() was also
patched in 2.64 (vs the diff to 2.63).

I fear here may lurk a slightly different attack vector, but I have
not analyzed this in detail.

See comment #2 at https://bugzilla.fedora.us/show_bug.cgi?id=2268 for

Note You need to log in before you can comment on or make changes to this bug.