Bug 129337 - CAN-2004-0796 DOS attack open to certain malformed messages
CAN-2004-0796 DOS attack open to certain malformed messages
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: spamassassin (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Warren Togami
: Security
Depends On:
  Show dependency treegraph
Reported: 2004-08-06 12:55 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-04-19 20:08:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
RHEL3 spamassassin patch (6.10 KB, patch)
2004-08-19 18:00 EDT, Josh Bressers
no flags Details | Diff
Compressed POC message (13.07 KB, application/x-gzip)
2004-08-19 18:03 EDT, Josh Bressers
no flags Details

  None (edit)
Description Josh Bressers 2004-08-06 12:55:30 EDT
Release of new Upstream-Version 2.64

Summary of major changes since 2.63
- -----------------------------------
  - Security fix prevents a denial of service attack open to certain
    malformed messages; this DoS affects all SpamAssassin 2.5x
    and 2.6x versions to date.
  - Backported several very reliable rules from the SpamAssassin 3.0.0

FC[12] are handled by bug 129284

RHEL2.1 does not contain spamassassin, therefore is not affected.
Comment 1 Josh Bressers 2004-08-19 17:56:25 EDT
OK, I have found the upstream fix for this DOS.  Here's the output of
my demo file

cat 999  0.00s user 0.01s system 1% cpu 0.766 total
spamassassin  8.48s user 0.60s system 37% cpu 24.460 total

Not Fixed
cat 999  0.00s user 0.02s system 2% cpu 0.939 total
spamassassin  150.75s user 1.37s system 95% cpu 2:38.95 total

I'll attach the patch against the 3.0E src.rpm along with the demo file.
Comment 2 Josh Bressers 2004-08-19 18:00:10 EDT
Created attachment 102901 [details]
RHEL3 spamassassin patch
Comment 3 Josh Bressers 2004-08-19 18:03:29 EDT
Created attachment 102902 [details]
Compressed POC message

This message is 5 megs when uncompressed, so I opted to gzip it for sanity's
Comment 4 Josh Bressers 2004-08-25 09:40:00 EDT
This is going to be RHSA-2004:451
Comment 6 Josh Bressers 2004-09-30 10:23:50 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

Comment 7 Pekka Savola 2004-12-19 13:06:20 EST
It seems the patch may be incomplete.  It seems to be missing a change
to lib/Mail/SpamAssassin/Bayes.pm - tokenize_headers() was also
patched in 2.64 (vs the diff to 2.63).

I fear here may lurk a slightly different attack vector, but I have
not analyzed this in detail.

See comment #2 at https://bugzilla.fedora.us/show_bug.cgi?id=2268 for

Note You need to log in before you can comment on or make changes to this bug.