Bug 152851 - CAN-2004-0796 SpamAssassin Message Handling DoS
CAN-2004-0796 SpamAssassin Message Handling DoS
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://secunia.com/advisories/12255/
1, LEGACY
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-09 18:09 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 18:30:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:29:40 EST
http://secunia.com/advisories/12255/

A vulnerability has been discovered in SpamAssassin, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error within the processing of
certain malformed messages.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

Red Hat Bugzilla: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129284



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-16 08:03:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here is an updated spamassassin package to QA for fc1:
  
- - patch from RHEL3 for CAN-2004-0796 applied
 
changelog:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.63-0.2.1.legacy
- - patch for CAN-2004-0796 (FL #2268)
 
sha1sums:
f1bb38bb40c5722618707c685c37ceb5b3479511  spamassassin-2.63-0.2.1.legacy.i386.rpm
c0910fd8c7bae3c43e196fd62014606449f287a5  spamassassin-2.63-0.2.1.legacy.src.rpm
44636e571d4ec3f9f19052b3664459808c3ed50c 
spamassassin-debuginfo-2.63-0.2.1.legacy.i386.rpm
  
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-2.63-0.2.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-2.63-0.2.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-debuginfo-2.63-0.2.1.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBmkAitU2XAt1OWnsRAsyyAJ9j7kz/0RlWzZXC7A+HefR3JtIokwCfb0Qc
Zrsy6X89Ozrnr1r62yr4dA0=
=dIDF
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-19 08:01:35 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on SRPM w/ rpm-build-compare.sh:
 - original packaging and other files OK
 - only very minimal specfile changes
 - the patch verified to come from RHEL.
 - compilation or install not tested; to be done in at updates-testing.

However, it must be noted that RHEL ships with 2.55, and this is 2.63.
Therefore I went and looked at the diff between upstream 2.63 and 2.64
releases, and noticed two differences wrt. the security parts:
1) in lib/Mail/SpamAssassin/Bayes.pm, tokenize_headers() is not patched to
   include the upper limits.  I think this is a problem.
2) in the header, there are some diffs wrt TOKENIZE_LONG_TOKENS_AS_SKIPS,
   BODY_TOKENIZE_LONG_TOKENS_AS_SKIPS and the like, but the patch is not
   trying to change them, so this is not a problem (except possibly for
   applying the patch)

I'm going to re-open the RHEL3 PR for 1), but in the meantime, I'd suggest
that if we move forward, we'll use the a patch between spamassassin-2.63 and
spamassassin-2.64, minus the changes to the rules.  I've also attached one
for reference.

I've packaged the patch (on RHL73, not tested!) at:

http://www.netcore.fi/pekkas/linux/spamassassin-2.63-0.2.2.legacy.src.rpm

SHA1:
9b1bc0b64756a7e3746959cf3f32ee397de9df9c spamassassin-2.63-0.2.2.legacy.src.rpm

Changelog:
* Sun Dec 19 2004 Pekka Savola <pekkas@netcore.fi> 2.63-0.2.2.legacy

- - more extensive patch for CAN-2004-0796 (from 2.64)

* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.63-0.2.1.legacy

- - patch for CAN-2004-0796 (FL #2268)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxcHbGHbTkzxSL7QRAmoJAJwOFJPRNIDZE8fRvOvR5XXkJ72dEQCfQb5u
z+oltzFZ6TYBLnVPZvyR4xM=
=ym5r
-----END PGP SIGNATURE-----





------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-02 16:51:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the package in comment 2:

9b1bc0b64756a7e3746959cf3f32ee397de9df9c spamassassin-2.63-0.2.2.legacy.src.rpm

- - Source files match previous release
- - Patch file looks good (RH patch did look broken)
- - Spec file changes good

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCJnuyLMAs/0C4zNoRAlplAKC/dCXxhYx0suG6bfbK8uz4CM5ywACgwD7Y
l1QUh8XB+eU2gBtAIru6mVM=
=pSKb
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 04:56:22 ----

Packages were pushed to updates-testing



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-06 14:29:53 ----

Updated packages were pushed to updates-testing.



------- Additional Comments From mark.scott@csuk-solutions.net 2005-03-22 01:37:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


QA on FC1 spamassassin package:

e76200ac598d6cb56ec18b92cfe6ce6af0181683
  spamassassin-2.63-0.2.2.legacy.i386.rpm

sha1sum ok
gpg sig ok
install ok
tested spamassassin against POC mentioned in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337#c3

time cat 999 | spamassassin > /dev/null

real    0m46.607s
user    0m27.280s
sys     0m13.600s

I think that means it's fine.

Output looks normal.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCQANXl2I0fYrP+68RAh1RAKCHUOp6nt2MShOjfcVS1ogy8sfSBQCgpjfE
cihr/uGq1b5CjGfgWiKim04=
=mFg4
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2268 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2268
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:30:02 EDT
Updated packages were released for this issue.
Comment 2 Matthew Miller 2005-04-12 00:53:46 EDT
FWIW, FC2 bug #129284 was never resolved, and now it's a Legacy issue.

Note You need to log in before you can comment on or make changes to this bug.