Bugzilla – Bug 133416
VUL-0: CVE-2005-3351: spamassassin DoS
Last modified: 2021-12-17 16:21:41 UTC
We received the following report via security@suse.de. The issue is public. DoS due to "To:" regex. No mention of that on the spamassassin web site :-(

Date: Thu, 10 Nov 2005 18:03:26 +0100
From: win-sec-ssc@dfn-cert.de
To: win-sec-ssc@dfn-cert.de
Cc:
Subject: [security@suse.de] [Fedora] Vulnerability in SpamAssassin - FEDORA-2005-1066
X-Spam-Level:

-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

we have just received the following Fedora Security Advisory. We are passing this information on to you unchanged.

SpamAssassin is used to detect Unsolicited Commercial Emails (SPAM) and, in conjunction with the mail server, to filter them or sort them into a separate folder.

CAN-2005-3351 - Complexity problems caused by a regular expression

SpamAssassin uses an unsuitable regular expression to parse the "To:" header lines. If this line is very long, SpamAssassin crashes while evaluating this regular expression. A remote attacker can exploit this vulnerability for a denial of service attack by means of a suitably crafted e-mail.

The following software packages and platforms are affected:

Package spamassassin
Fedora Core 4

The vendor provides revised packages.

Vendor advisory:
https://www.redhat.com/archives/fedora-announce-list/2005-November/msg00029.html

(c) of the German summary held by DFN-CERT Services GmbH; distribution, including in excerpts, is permitted only with attribution to the originator, DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Jan Kohlrausch, DFN-CERT

- --
Jan Kohlrausch (CSIRT), DFN-CERT Services GmbH
Web: https://www.dfn-cert.de/, Phone: +49-40-808077-555
PGP RSA/2048, A5DD03D1, A2 55 1C 51 0A 30 3E 78 5B 40 DA B7 14 F7 C9 E8

- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-1066
2005-11-09
- ---------------------------------------------------------------------

Product : Fedora Core 4
Name : spamassassin
Version : 3.0.4
Release : 2.fc4
Summary : Spam filter for email which can be invoked from mail delivery agents.
Description :
SpamAssassin provides you with a way to reduce if not completely eliminate Unsolicited Commercial Email (SPAM) from your incoming email. It can be invoked by a MDA such as sendmail or postfix, or can be called from a procmail script, .forward file, etc. It uses a genetic-algorithm evolved scoring system to identify messages which look spammy, then adds headers to the message so they can be filtered by the user's mail reading software. This distribution includes the spamd/spamc components which create a server that considerably speeds processing of mail.

To enable spamassassin, if you are receiving mail locally, simply add this line to your ~/.procmailrc:
INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

To filter spam for all users, add that line to /etc/procmailrc (creating if necessary).

- ---------------------------------------------------------------------
Update Information:

Solves CVE-2005-3351 and a few other minor bugs to improve spam detection accuracy. You could consider this a release candidate for 3.0.5.

Also solved is #161785 which ensures that "service spamassassin restart" should never fail.
- ---------------------------------------------------------------------
* Tue Nov 8 2005 Warren Togami <wtogami@redhat.com> - 3.0.4-2

- - 3.0.5 release candidate

- ---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
- ---------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
-----END PGP SIGNATURE-----
Hmmm, SA 3.1 came out after 3.0.4, no 3.0.5 version at all. Just downloaded the spm of the newest fedora package and it looks like the patch named spamassassin-3.0.4-4570-avoid-segfault-large-headers.patch is the fix.
Created attachment 57238 [details] spamassassin-3.0.4-4570-avoid-segfault-large-headers.patch
affected versions: 10.0, 9.3 and 9.2 (if spamassassin 2.x is NOT affected). How to proceed? Should I submit packages?
Hmm, the regex looks complicated :-) Michael, can you judge whether this is a valid fix for the described problem?
Looks ok to me. I'm a bit worried about the \Q \E, but this seems to be an additional bug fix.
Thanks. Maintenance-Tracker-2898 Yes, please submit packages unless you say this is a non-issue.
updates released
CVE-2005-3351: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
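
A pre-filter guard against the failure mode reported above (an over-long "To:" header crashing the regex evaluation), as an added example that is not SpamAssassin or Fedora code: it unfolds the header block without using regular expressions and flags address headers above a size limit. The 8192-byte limit, the watched header names and the sample messages are assumptions constructed for illustration.

```python
# Added example: size check on address headers before a message reaches the filter.
MAX_HEADER_BYTES = 8192  # assumed site policy, not a value from the advisory


def unfolded_headers(raw: bytes):
    """Yield (lowercased name, value) pairs, joining folded continuation lines."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    current = None
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and current is not None:
            current[1] += b" " + line.strip()  # continuation of the previous header
            continue
        if current is not None:
            yield current[0], bytes(current[1])
        name, sep, value = line.partition(b":")
        # Lines without a colon are not headers and are skipped.
        current = [name.strip().lower(), bytearray(value.strip())] if sep else None
    if current is not None:
        yield current[0], bytes(current[1])


def oversized(raw: bytes, names=(b"to", b"cc"), limit=MAX_HEADER_BYTES):
    """Return [(header, unfolded length)] for watched headers longer than limit."""
    return [(n.decode("ascii", "replace"), len(v))
            for n, v in unfolded_headers(raw)
            if n in names and len(v) > limit]


def build_sample(recipients: int) -> bytes:
    """Constructed test message with a To: header folded one address per line."""
    to = b",\r\n ".join(b"user%d@example.org" % i for i in range(recipients))
    return (b"From: sender@example.org\r\nTo: " + to +
            b"\r\nSubject: test\r\n\r\nbody\r\n")


if __name__ == "__main__":
    for n in (3, 5000):
        hits = oversized(build_sample(n))
        verdict = "hold for review" if hits else "pass to filter"
        print(n, "recipients ->", verdict, hits)
```

The length is measured on the unfolded value, so a header split across many short physical lines is still caught.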