Bugzilla – Bug 62636
VUL-0: CVE-2004-1007: bogofilter denial of service attack
Last modified: 2021-10-17 14:54:48 UTC
From: Matthias Andree <matthias.andree@gmx.de>
To: security@suse.de, lmuelle@suse.de
Subject: [security@suse.de] Advance SECURITY NOTICE: bogofilter versions > 0.16.4 and < 0.92.8

Dear SuSE security team, dear Lars,

a vulnerability has been discovered in 0.16.4 < bogofilter < 0.92.8 that allows a remote attacker to crash bogofilter. Versions up to and including 0.16.4 (shipped with SuSE Linux 9.1) are not affected, but it is likely that the version you packaged to ship with SuSE Linux 9.2 (probably some 0.92.X release) is vulnerable. The bug has been fixed in bogofilter 0.92.8 which is a "stable" release.

We're still researching this issue, as we know the bug has been introduced between 0.16.4 and 0.17.5 but have not yet tracked down the failure inducing change, so we cannot provide a "minimum patch" to fix the problem at this time. We also have not yet been able to evaluate whether this bug is exploitable, for instance, for code injection. Input from seasoned security teams on this matter will be appreciated.

Please allow me to refer you to http://www.vuxml.org/freebsd/f4428842-a583-4a4c-89b7-297c3459a1c3.html for the current state of what we know; FreeBSD and Debian unstable/testing were shipping vulnerable packages and have already uploaded fixed ports or packages. We'll post an official announcement soon.

Yours sincerely,
--
Matthias Andree
I suggest a version update to 0.92.8 for SuSE Linux 9.2. Andreas: Is this ok for you?
A version update is in general not ok for me. I'd like the security team to evaluate the issue first and if they think a version update is our only chance, then let's do it.
test mail (perhaps line wrapping borked):

From nowhere@example.com Thu Sep 16 21:42:32 2004
Subject: [Broken] =?ISO-8859-1?Q?Re=3A_=5BBroken=5D_=3D=3FISO-8859-1=3FQ=3F=3D5B?= =?ISO-8859-1?Q?Broken=3D5DBlah=3D20Foo=3DE4=3D20Bar=3D20Blah _?= =?ISO-8859-1?Q?Foo=3D3D28=3D5F=3F=3D_Bar=5F=5F=3F=3D_t=E4Blah?= =?ISO-8859-1?Q?Foo=E4t=29?=
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.64
Status: RO
Content-Length: 4
Lines: 1

Hi.
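An added example, not part of the bug report and not bogofilter code: a small RFC 2047 checker run over the Subject header of the test mail above, reporting what is structurally unusual about each encoded-word. The report does not state which of these properties triggers the crash; the function names and the unfolded `TEST_SUBJECT` are constructed for this illustration.

```python
import base64
import binascii
import re

# Loose on purpose: payload may contain whitespace so malformed words get reported.
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([A-Za-z])\?([^?]*)\?=")
Q_ESCAPE = re.compile(r"=([0-9A-Fa-f]{2})")

# Constructed: Subject value of the test mail in this report, unfolded onto one line.
TEST_SUBJECT = (
    "[Broken] =?ISO-8859-1?Q?Re=3A_=5BBroken=5D_=3D=3FISO-8859-1=3FQ=3F=3D5B?= "
    "=?ISO-8859-1?Q?Broken=3D5DBlah=3D20Foo=3DE4=3D20Bar=3D20Blah _?= "
    "=?ISO-8859-1?Q?Foo=3D3D28=3D5F=3F=3D_Bar=5F=5F=3F=3D_t=E4Blah?= "
    "=?ISO-8859-1?Q?Foo=E4t=29?="
)


def decode_payload(encoding, payload):
    """Decode a Q or B payload to a latin-1 string; raise ValueError if malformed."""
    if encoding.upper() == "Q":
        if re.search(r"=(?![0-9A-Fa-f]{2})", payload):
            raise ValueError("bad Q escape")
        return Q_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), payload.replace("_", " "))
    if encoding.upper() == "B":
        try:
            return base64.b64decode(payload, validate=True).decode("latin-1")
        except binascii.Error as exc:
            raise ValueError("bad base64") from exc
    raise ValueError("unknown encoding")


def audit_subject(value):
    """Return [(encoded_word, [findings])] for every encoded-word in value."""
    report = []
    for m in ENCODED_WORD.finditer(value):
        word, (charset, encoding, payload) = m.group(0), m.groups()
        findings = []
        if len(word) > 75:  # RFC 2047 limit, delimiters included
            findings.append("longer than 75 characters")
        if re.search(r"\s", payload):  # RFC 2047 forbids SPACE/HTAB in encoded-text
            findings.append("whitespace inside encoded-word")
        try:
            decoded = decode_payload(encoding, payload)
            if "=?" in decoded or "?=" in decoded:  # decoded text looks encoded again
                findings.append("decoded text contains encoded-word delimiters")
        except ValueError as exc:
            findings.append(str(exc))
        report.append((word, findings))
    return report
```

On the test mail this reports nested delimiters in the first and third encoded-words and embedded whitespace in the second; the fourth is clean.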
Let's keep the workload generated by this bug as small as possible and just update to a fixed 0.92.8. bogofilter is not a critical or core component.
We do not do version upgrades usually, even for non core packages. I have reviewed the patch between .7 and .8 and it has more stability fixes apparently and no new features. I feel safe doing a version upgrade in this case only. Please do.
Package submitted. Reassign to the security team for further processing.
Waiting for patchinfo...
There is still no announcement from the bogofilter project. Again asked for the date of the announcement. security in cc and security-team in bcc. I'll provide an information update as soon as it is available.
CAN-2004-1007 the issue is public http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01
what about 9.1? 0.17.5 is vulnerable according to the advisory.
9.1 was shipped with 0.16.4. Patchinfo created.
Hmm, I wonder why the pdb says 0.17.5
approved
CVE-2004-1007: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)