Bug 133416 (CVE-2005-3351)

Summary: VUL-0: CVE-2005-3351: spamassassin DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Carsten Hoeger <choeger>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2005-3351: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: spamassassin-3.0.4-4570-avoid-segfault-large-headers.patch

Description Ludwig Nussel 2005-11-11 08:58:14 UTC
We received the following report via security@suse.de.
The issue is public.

DoS due to "To:" regex. No mention of that on the spamassassin web site :-(

Date: Thu, 10 Nov 2005 18:03:26 +0100
From: win-sec-ssc@dfn-cert.de
To: win-sec-ssc@dfn-cert.de
Cc: 
Subject: [security@suse.de] [Fedora] Vulnerability in SpamAssassin -
	FEDORA-2005-1066
X-Spam-Level: 

Dear colleagues,

we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

SpamAssassin is used to detect Unsolicited Commercial Emails (SPAM) and,
in conjunction with the mail server, to filter them or sort them into a
separate folder.

CAN-2005-3351 - Complexity problems caused by a regular expression

  SpamAssassin uses an unsuitable regular expression to parse the
  "To:" header lines. If this line is very long, SpamAssassin crashes
  while evaluating this regular expression. A remote attacker can
  exploit this vulnerability for a denial-of-service attack by means of
  a correspondingly crafted e-mail.

The following software packages and platforms are affected:

  Package spamassassin

  Fedora Core 4

The vendor provides revised packages.

Vendor advisory:
  https://www.redhat.com/archives/fedora-announce-list/2005-November/msg00029.html


(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including of excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,

           Jan Kohlrausch, DFN-CERT

--
Jan Kohlrausch (CSIRT), DFN-CERT Services GmbH
Web: https://www.dfn-cert.de/, Phone: +49-40-808077-555
PGP RSA/2048, A5DD03D1, A2 55 1C 51 0A 30 3E 78  5B 40 DA B7 14 F7 C9 E8

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-1066
2005-11-09
---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : spamassassin
Version     : 3.0.4                      
Release     : 2.fc4                  
Summary     : Spam filter for email which can be invoked from mail delivery agents.
Description :
SpamAssassin provides you with a way to reduce if not completely eliminate
Unsolicited Commercial Email (SPAM) from your incoming email.  It can
be invoked by a MDA such as sendmail or postfix, or can be called from
a procmail script, .forward file, etc.  It uses a genetic-algorithm
evolved scoring system to identify messages which look spammy, then
adds headers to the message so they can be filtered by the user's mail
reading software.  This distribution includes the spamd/spamc components
which create a server that considerably speeds processing of mail.

To enable spamassassin, if you are receiving mail locally, simply add
this line to your ~/.procmailrc:
INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

To filter spam for all users, add that line to /etc/procmailrc
(creating if necessary).

---------------------------------------------------------------------
Update Information:

Solves CVE-2005-3351 and a few other minor bugs to improve
spam detection accuracy.  You could consider this a release
candidate for 3.0.5.

Also solved is #161785 which ensures that "service
spamassassin restart" should never fail.
---------------------------------------------------------------------
* Tue Nov  8 2005 Warren Togami <wtogami@redhat.com> - 3.0.4-2
- 3.0.5 release candidate


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------
Comment 1 Carsten Hoeger 2005-11-14 12:51:07 UTC
Hmmm, SA 3.1 came out after 3.0.4, no 3.0.5 version at all.
Just downloaded the spm of the newest fedora package and it looks like the patch named spamassassin-3.0.4-4570-avoid-segfault-large-headers.patch is the fix.
Comment 2 Carsten Hoeger 2005-11-14 12:51:39 UTC
Created attachment 57238 [details]
spamassassin-3.0.4-4570-avoid-segfault-large-headers.patch
Comment 3 Carsten Hoeger 2005-11-14 13:00:19 UTC
affected versions: 10.0, 9.3 and 9.2 (if spamassassin 2.x is NOT affected).
How to proceed?
Should I submit packages?
Comment 4 Ludwig Nussel 2005-11-14 13:20:38 UTC
Hmm, the regex looks complicated :-) Michael, can you judge whether this is a valid fix for the described problem?
Comment 5 Michael Schröder 2005-11-14 14:11:05 UTC
Looks ok to me. I'm a bit worried about the \Q \E, but this seems to be an additional bug fix.
Comment 6 Ludwig Nussel 2005-11-14 14:52:40 UTC
Thanks.
Maintenance-Tracker-2898
Yes, please submit packages unless you say this is a non-issue.
Comment 7 Ludwig Nussel 2005-11-16 15:24:47 UTC
updates released
Comment 8 Thomas Biege 2009-10-13 20:34:08 UTC
CVE-2005-3351: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)