Bug 62636 (CVE-2004-1007)

Summary: VUL-0: CVE-2004-1007: bogofilter denial of service attack
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: aj, lmuelle, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1007: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2004-10-26 23:12:28 UTC
From: Matthias Andree <matthias.andree@gmx.de> 
To: security@suse.de, lmuelle@suse.de 
Subject: [security@suse.de] Advance SECURITY NOTICE: bogofilter versions >    
        0.16.4 and < 0.92.8 
 
Dear SuSE security team, dear Lars, 
 
a vulnerability has been discovered in 0.16.4 < bogofilter < 0.92.8 that 
allows a remote attacker to crash bogofilter. Versions up to and 
including 0.16.4 (shipped with SuSE Linux 9.1) are not affected, but it 
is likely that the version you packaged to ship with SuSE Linux 9.2 
(probably some 0.92.X release) is vulnerable. 
 
The bug has been fixed in bogofilter 0.92.8 which is a "stable" release. 
 
We're still researching this issue, as we know the bug has been 
introduced between 0.16.4 and 0.17.5 but have not yet tracked down the 
failure inducing change, so we cannot provide a "minimum patch" to fix 
the problem at this time. We also have not yet been able to evaluate 
whether this bug is exploitable, for instance, for code injection. 
 
Input from seasoned security teams on this matter will be appreciated. 
 
Please allow me to refer you to 
http://www.vuxml.org/freebsd/f4428842-a583-4a4c-89b7-297c3459a1c3.html 
for the current state of what we know; FreeBSD and Debian 
unstable/testing were shipping vulnerable packages and have already 
uploaded fixed ports or packages. 
 
We'll post an official announcement soon. 
 
Yours sincerely, 
 
-- 
Matthias Andree
Comment 1 Marcus Meissner 2004-10-26 23:12:28 UTC
n/a
Comment 2 Lars Müller 2004-10-27 04:55:17 UTC
I suggest a version update to 0.92.8 for SuSE Linux 9.2.

Andreas:  Is this ok for you?
Comment 3 Andreas Jaeger 2004-10-27 14:40:25 UTC
A version update is in general not ok for me.  I'd like the security 
team to evaluate the issue first and if they think a version update is 
our only chance, then let's do it. 
Comment 4 Marcus Meissner 2004-11-02 20:10:17 UTC
test mail (perhaps line wrapping borked): 
 
From nowhere@example.com Thu Sep 16 21:42:32 2004 
Subject: [Broken] 
=?ISO-8859-1?Q?Re=3A_=5BBroken=5D_=3D=3FISO-8859-1=3FQ=3F=3D5B?= 
 =?ISO-8859-1?Q?Broken=3D5DBlah=3D20Foo=3DE4=3D20Bar=3D20Blah 
 _?= =?ISO-8859-1?Q?Foo=3D3D28=3D5F=3F=3D_Bar=5F=5F=3F=3D_t=E4Blah?= 
 =?ISO-8859-1?Q?Foo=E4t=29?= 
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.64 
Status: RO 
Content-Length: 4 
Lines: 1 
 
Hi. 
Comment 5 Lars Müller 2004-11-02 20:19:18 UTC
Let's keep the workload generated by this bug as small as possible and just
update to a fixed 0.92.8.

bogofilter is not a critical or core component.
Comment 6 Marcus Meissner 2004-11-02 21:45:36 UTC
We do not do version upgrades usually, even for non core packages. 
 
I have reviewed the patch between .7 and .8 and it has more stability fixes 
apparently and no new features. 
 
I feel safe doing a version upgrade in this case only. 
 
Please do. 
Comment 7 Lars Müller 2004-11-02 22:11:00 UTC
Package submitted. Reassign to the security team for further processing.
Comment 8 Michael Schröder 2004-11-03 03:36:06 UTC
Waiting for patchinfo...
Comment 9 Lars Müller 2004-11-03 18:15:46 UTC
There is still no announcement from the bogofilter project.  Again asked for the
date of the announcement.  security in cc and security-team in bcc.

I'll provide an information update as soon as it is available.
Comment 10 Ludwig Nussel 2004-11-04 01:05:42 UTC
CAN-2004-1007 
the issue is public 
http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01 
Comment 11 Ludwig Nussel 2004-11-04 01:10:07 UTC
what about 9.1? 0.17.5 is vulnerable according to the advisory. 
Comment 12 Lars Müller 2004-11-04 17:47:27 UTC
9.1 was shipped with 0.16.4.

Patchinfo created.
Comment 13 Ludwig Nussel 2004-11-04 17:58:23 UTC
Hmm, I wonder why the pdb says 0.17.5 
Comment 14 Ludwig Nussel 2004-11-11 00:00:53 UTC
approved 
Comment 15 Thomas Biege 2009-10-13 19:54:47 UTC
CVE-2004-1007: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)