-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

bogofilter-SA-2005-01

Topic:		heap buffer overrun in bogofilter/bogolexer 0.93.5 - 0.96.2

Announcement:	bogofilter-SA-2005-01

Writer:		Matthias Andree

Version:	1.00

CVE ID:		CVE-2005-4591

Announced:	2006-01-02

Category:	vulnerability

Type:		buffer overrun through malformed input

Impact:		heap corruption, application crash

Credits:	David Relson, Clint Adams

Danger:		medium

URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01

Affected:	bogofilter 0.96.2

		bogofilter 0.95.2

		bogofilter 0.94.14

		bogofilter 0.94.12

		all "current" versions from 0.93.5 to 0.96.2 inclusively

		CVS between 2005-01-09T17:32Z and 2005-10-22T00:51Z

		CVS between 2005-12-31T10:22Z and 2005-12-31T12:45Z

Not affected:	bogofilter 0.96.3 "current" (released 2005-10-26)

		bogofilter 0.96.6           (released 2005-11-19)

		bogofilter 1.0.0            (released 2005-12-01)

		bogofilter 1.0.1            (released 2006-01-01)

1. Background

=============

Bogofilter is a software package for classifying a message as spam or

non-spam.  It uses a data base to store words and must be trained

which messages are spam and non-spam. It uses the probabilities of

individual words for classifying the message.

Note that the bogofilter project is issuing security announcements only

for current "stable" releases, and not necessarily for past "stable"

releases.

2. Problem description

======================

When using Unicode databases (default in more recent bogofilter

installations), upon encountering invalid input sequences, bogofilter or

bogolexer could overrun a malloc()'d buffer, corrupting the heap, while

converting character sets. Bogofilter would usually be processing

untrusted data received from the network at that time.

This problem was aggravated by an unrelated bug that made bogofilter

process binary attachments as though they were text, and attempt charset

conversion on them.  Given the MIME default character set, US-ASCII, all

input octets in the range 0x80...0xff were considered invalid input

sequences and could trigger the heap corruption.

The faulty code was first released with bogofilter "current" 0.93.5,

initially under the aegis of "./configure --enable-iconv", which was

later renamed "--enable-unicode" and enabled by default.

3. Impact

=========

Vulnerable bogofilter and bogolexer applications corrupt their heap and

crash. The consequences are dependent on the local configuration which

is up to the user; in common configurations, messages would be placed

back in the mail queue and ultimately be returned to the sender when the

mail queue lifetime expired, or they might be processed as though

bogofilter had classified them as "ham".

The bogofilter maintainers are not aware of exploits against this

vulnerability in the wild.

4. Solution

===========

Upgrade your bogofilter to version 1.0.1 (or a newer release).

bogofilter is available from SourceForge:

<https://sourceforge.net/project/showfiles.php?group_id=62265>

A. Copyright, License and Warranty

==================================

(C) Copyright 2005 - 2006 by Matthias Andree, <matthias.andree@gmx.de>.

Some rights reserved.

This work is dual-licensed under the

Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0),

and the GNU General Public License, v3, or later.

To view a copy of the Creative Commons Attribution-NoDerivs 3.0

Germany license, visit

http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a

letter to:

Creative Commons

444 Castro Street

Suite 900

MOUNTAIN VIEW, CALIFORNIA 94041

USA

This program is free software: you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

the Free Software Foundation, either version 3 of the License, or (at

your option) any later version.

This program is distributed in the hope that it will be useful, but

WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

General Public License for more details.

You should have received a copy of the GNU General Public License

along with this program, in the file ../gpl-3.0.txt.

If not, see <http://www.gnu.org/licenses/>.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.

Use the information herein at your own risk.

END of bogofilter-SA-2005-01

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlHYI0gACgkQvmGDOQUufZXVRgCgmd/F4AAHMsARVYw6che2+XmR

y6MAoMSR1LcUbwtnUxISkBvlgNe3eKtd

=fDhh

-----END PGP SIGNATURE-----