Red Hat Bugzilla – Bug 129337
CAN-2004-0796 DOS attack open to certain malformed messages
Last modified: 2007-11-30 17:07:03 EST
Release of new Upstream-Version 2.64
Summary of major changes since 2.63
- Security fix prevents a denial of service attack open to certain malformed messages; this DoS affects all SpamAssassin 2.5x and 2.6x versions to date.
- Backported several very reliable rules from the SpamAssassin 3.0.0
FC are handled by bug 129284
RHEL2.1 does not contain spamassassin, therefore is not affected.
OK, I have found the upstream fix for this DOS. Here's the output of
my demo file
cat 999 0.00s user 0.01s system 1% cpu 0.766 total
spamassassin 8.48s user 0.60s system 37% cpu 24.460 total
cat 999 0.00s user 0.02s system 2% cpu 0.939 total
spamassassin 150.75s user 1.37s system 95% cpu 2:38.95 total
I'll attach the patch against the 3.0E src.rpm along with the demo file.
Created attachment 102901
RHEL3 spamassassin patch
Created attachment 102902
Compressed POC message
This message is 5 megs when uncompressed, so I opted to gzip it for sanity's
This is going to be RHSA-2004:451
An errata has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
It seems the patch may be incomplete. It seems to be missing a change
to lib/Mail/SpamAssassin/Bayes.pm - tokenize_headers() was also
patched in 2.64 (vs the diff to 2.63).
I fear here may lurk a slightly different attack vector, but I have
not analyzed this in detail.
See comment #2 at https://bugzilla.fedora.us/show_bug.cgi?id=2268 for