-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bogofilter-SA-2005-01

Topic: heap buffer overrun in bogofilter/bogolexer 0.93.5 - 0.96.2

Announcement: bogofilter-SA-2005-01
Writer: Matthias Andree
Version: 1.00
CVE ID: CVE-2005-4591
Announced: 2006-01-02
Category: vulnerability
Type: buffer overrun through malformed input
Impact: heap corruption, application crash
Credits: David Relson, Clint Adams
Danger: medium
URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01

Affected: bogofilter 0.96.2
          bogofilter 0.95.2
          bogofilter 0.94.14
          bogofilter 0.94.12
          all "current" versions from 0.93.5 to 0.96.2 inclusively
          CVS between 2005-01-09T17:32Z and 2005-10-22T00:51Z
          CVS between 2005-12-31T10:22Z and 2005-12-31T12:45Z

Not affected: bogofilter 0.96.3 "current" (released 2005-10-26)
              bogofilter 0.96.6 (released 2005-11-19)
              bogofilter 1.0.0 (released 2005-12-01)
              bogofilter 1.0.1 (released 2006-01-01)

1. Background
=============

Bogofilter is a software package for classifying a message as spam or
non-spam. It uses a data base to store words and must be trained
which messages are spam and non-spam. It uses the probabilities of
individual words for classifying the message.

Note that the bogofilter project is issuing security announcements only
for current "stable" releases, and not necessarily for past "stable"
releases.

2. Problem description
======================

When using Unicode databases (default in more recent bogofilter
installations), upon encountering invalid input sequences, bogofilter or
bogolexer could overrun a malloc()'d buffer, corrupting the heap, while
converting character sets. Bogofilter would usually be processing
untrusted data received from the network at that time.

This problem was aggravated by an unrelated bug that made bogofilter
process binary attachments as though they were text, and attempt charset
conversion on them. Given the MIME default character set, US-ASCII, all
input octets in the range 0x80...0xff were considered invalid input
sequences and could trigger the heap corruption.

The faulty code was first released with bogofilter "current" 0.93.5,
initially under the aegis of "./configure --enable-iconv", which was
later renamed "--enable-unicode" and enabled by default.

3. Impact
=========

Vulnerable bogofilter and bogolexer applications corrupt their heap and
crash. The consequences are dependent on the local configuration which
is up to the user; in common configurations, messages would be placed
back in the mail queue and ultimately be returned to the sender when the
mail queue lifetime expired, or they might be processed as though
bogofilter had classified them as "ham".

The bogofilter maintainers are not aware of exploits against this
vulnerability in the wild.

4. Solution
===========

Upgrade your bogofilter to version 1.0.1 (or a newer release).

bogofilter is available from SourceForge:

<https://sourceforge.net/project/showfiles.php?group_id=62265>

A. Copyright, License and Warranty
==================================

(C) Copyright 2005 - 2006 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is dual-licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0),
and the GNU General Public License, v3, or later.

To view a copy of the Creative Commons Attribution-NoDerivs 3.0
Germany license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a
letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA


This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at
your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program, in the file ../gpl-3.0.txt.
If not, see <http://www.gnu.org/licenses/>.


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of bogofilter-SA-2005-01
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlHYI0gACgkQvmGDOQUufZXVRgCgmd/F4AAHMsARVYw6che2+XmR
y6MAoMSR1LcUbwtnUxISkBvlgNe3eKtd
=fDhh
-----END PGP SIGNATURE-----
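
Added example, not part of the signed advisory and not bogofilter's code: a bounds-checked iconv() loop showing the defensive pattern for the failure class described in section 2, where invalid input octets arrive while converting into a malloc()'d buffer. The function name convert_to_utf8, the '?' substitution and the buffer-doubling policy are assumptions made for illustration.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not bogofilter's code: convert `in` to UTF-8. Returns a
 * malloc()'d NUL-terminated buffer (length in *outlen), or NULL on failure. */
char *convert_to_utf8(const char *from, const char *in, size_t inlen,
                      size_t *outlen)
{
    iconv_t cd = iconv_open("UTF-8", from);
    if (cd == (iconv_t)-1) return NULL;
    size_t cap = inlen + 16;              /* first guess only; grown on demand */
    char *out = malloc(cap);
    char *src = (char *)in, *dst = out;
    size_t srcleft = inlen, dstleft = cap - 1;   /* keep one byte for NUL */

    while (out && srcleft > 0) {
        if (iconv(cd, &src, &srcleft, &dst, &dstleft) != (size_t)-1)
            break;                        /* all input converted */
        int bad = (errno == EILSEQ || errno == EINVAL);
        if (bad && dstleft > 0) {         /* substitute only if room is left */
            *dst++ = '?'; dstleft--;
            src++; srcleft--;             /* skip the offending octet */
            continue;
        }
        if (!bad && errno != E2BIG) { free(out); out = NULL; break; }
        size_t used = (size_t)(dst - out);    /* output full: double it */
        char *tmp = realloc(out, cap * 2);
        if (!tmp) { free(out); out = NULL; break; }
        out = tmp; cap *= 2;
        dst = out + used;
        dstleft = cap - 1 - used;
    }
    iconv_close(cd);
    if (!out) return NULL;
    *dst = '\0';
    *outlen = (size_t)(dst - out);
    return out;
}

int main(void)
{
    size_t n = 0;   /* constructed input: 0xe9, 0x80, 0xff are not US-ASCII */
    char *s = convert_to_utf8("US-ASCII", "caf\xe9 \x80\xff ok", 10, &n);
    printf("%zu bytes: %s\n", n, s ? s : "(conversion failed)");
    free(s);
    return 0;
}
```

Every write to the output, including the substitute character written on an invalid sequence, is gated on the remaining space, and the buffer is grown rather than assumed large enough.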