By supplying a malicious message to spamassassin (with a very long content-type header and no boundaries) you can cause it to overly consume resources and therefore perform Denial of Service on the hosting server. Upstream is readying a 3.0.4 that will include the fix.
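A defender-side pre-screen for the input shape described above (an oversized, folded Content-Type header, multipart without boundaries), added here as an example; it is not code from this bug or from SpamAssassin, and the size limits and sample messages are assumed, constructed values.

```python
MAX_CONTENT_TYPE_LEN = 1024   # assumed limit; tune to your mail flow
MAX_HEADER_LINES = 200        # assumed limit on raw (folded) header lines


def header_block(raw: bytes) -> bytes:
    """Return the header section: everything before the first blank line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx]
    return raw  # no body at all


def check_headers(raw: bytes) -> dict:
    """Measure header sizes without any MIME parsing and decide whether the
    message is safe to hand to a content scanner. Returns the measurements
    plus a list of reasons and an 'accept' verdict."""
    lines = header_block(raw).splitlines()
    unfolded = []
    for line in lines:  # a line starting with whitespace continues the previous header
        if line[:1] in (b" ", b"\t") and unfolded:
            unfolded[-1] += b" " + line.strip()
        else:
            unfolded.append(line)
    ctype = b""
    for h in unfolded:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip()
    reasons = []
    if len(ctype) > MAX_CONTENT_TYPE_LEN:
        reasons.append("content-type header too long")
    if len(lines) > MAX_HEADER_LINES:
        reasons.append("too many header lines")
    if ctype.lower().startswith(b"multipart/") and b"boundary=" not in ctype.lower():
        reasons.append("multipart without boundary parameter")
    return {"content_type_len": len(ctype), "header_lines": len(lines),
            "reasons": reasons, "accept": not reasons}


# Constructed samples (not real traffic): a normal message and one whose
# Content-Type header is folded across thousands of lines and has no boundary.
NORMAL = b"From: a@example.com\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
OVERSIZED = (b"From: a@example.com\r\nContent-Type: multipart/mixed;\r\n"
             + b"\tcharset=x;\r\n" * 4000 + b"\r\nbody\r\n")
```

A message that fails this check can be quarantined or delivered unscanned with a header note, instead of tying up a scanner process for minutes.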
3.0.4 released. Micheal please bump. Opening when there is an official security announcement.
Ebuild posted, testing now on sparc (ran fine on my x86, but there's no mail coming through that box). Proceed with keywording requests :)
There are indications that the DoS is still possible using 3.0.4. I think it's urgent to wait.
Sometimes it doesn't pay to be on the ball. Do you want the package pulled, masked, or anything like that?
No, keep it in:
1- It's just a rumor that has still to be confirmed by the SA team.
2- It's not worse than the previous versions.
3- Testing of the extra-security new things in 3.0.4 can begin in ~
Seems to be a false alarm. Arches please test and mark stable. Security issue is still not public so calling arch liaisons. Please CC any relevant arch team members if necessary.
amd64 stable
Stable on ppc.
stable on sparc.
Release set to 20050615
To clear up the rumor: We found out that Razor2 suffers from a similar bug. We notified the Razor developers and the vendor-sec embargo was extended by a week (till 2005-06-15 20.00 UTC). The issue in our own code is tracked as bug 4171 in our bugzilla; the discussion went on on our security mailing list (open for committers only). If anybody wants to get added to bug 4171, please tell me. If you need details about the Razor bug, I can ask whether I may give you a copy of the mail Justin sent to them.
Thx for clearing that up Malte, please add me to the bug and I'll update the GLSA draft accordingly.
I guess we /could/ open the bugs now, even if I don't see anything published yet... tester, kloeri: please test and mark spamassassin stable
Stable on alpha + ia64.
corsair: ppc64 needs some lovin too.
Opening, adding arch aliases, removing individual archtesters. x86, hppa, ppc64: please test and mark 3.0.4 stable.
*** Bug 96355 has been marked as a duplicate of this bug. ***
stable on ppc64
See also http://marc.theaimsgroup.com/?l=spamassassin-announce&m=111886630726077&w=2 We should make 3.0.4 available in Portage for all architectures since there is a big chance people are already exploiting this. It's been on Heise already so there's probably not much time left.
Stable on hppa
stable on x86
I cannot reproduce this with <spamassassin-3.0.3. With 3.0.0:
malformed: 0m37.744s
non-malformed: 0m7.341s
Doesn't seem unreasonable considering the size:
5039 /home/taviso/malformed.txt
35 /home/taviso/non-malformed.txt
But with 3.0.3:
malformed: 3m56.351s
non-malformed: 0m4.173s
If only 3.0.3 is affected we don't need a GLSA on this.
Holding off GLSA until we get this sorted out.
From the announcement:
| Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
| of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.
                                       ^^^^^^^^^^^^^^^^^^^^^^^ :)
3.0.0 was never vulnerable as the bug was introduced with a patch to fix some other bug (AFAIK it was actually a backport from trunk).
Malte, could you provide a testcase that demonstrates this problem in 3.0.1 or 3.0.2? As I mentioned in my comment "I cannot reproduce this with <spamassassin-3.0.3", I have tried 3.0.0, 3.0.1, 3.0.2 and 3.0.3 and could not reproduce this in any version less than 3.0.3.
Sorry, currently I can't give you our exploit as we don't want it to spread too much (spammers are dumb but we know what script kiddies can do when they have the code available). But here are my numbers:

mss@otherland ~/tmp/sa $ ls
Mail-SpamAssassin-3.0.0 Mail-SpamAssassin-3.0.1 Mail-SpamAssassin-3.0.2 Mail-SpamAssassin-3.0.3 Mail-SpamAssassin-3.0.4 sa-exploit
mss@otherland ~/tmp/sa $ for d in Mail-SpamAssassin-3.0.*; do pushd $d; time ./spamassassin -D -L < ../sa-exploit &> ../$d.log; popd; done
~/tmp/sa/Mail-SpamAssassin-3.0.0 ~/tmp/sa

real 0m2.709s
user 0m2.017s
sys 0m0.262s
~/tmp/sa
~/tmp/sa/Mail-SpamAssassin-3.0.1 ~/tmp/sa

real 2m4.609s
user 1m37.279s
sys 0m0.403s
~/tmp/sa
~/tmp/sa/Mail-SpamAssassin-3.0.2 ~/tmp/sa

real 2m37.257s
user 1m38.722s
sys 0m1.183s
~/tmp/sa
~/tmp/sa/Mail-SpamAssassin-3.0.3 ~/tmp/sa

real 2m27.973s
user 1m38.770s
sys 0m0.769s
~/tmp/sa
~/tmp/sa/Mail-SpamAssassin-3.0.4 ~/tmp/sa

real 0m2.894s
user 0m2.086s
sys 0m0.233s
~/tmp/sa
Malte, I've been unsuccessful in constructing an exploit to replicate this bug; I have found another path to bug 72109 though :)

$ perl -e 'print "content-type: ", "hello;\n\t" x 0xfff' | spamassassin
Segmentation fault

Would it be possible to send me the exploit privately?
Okay, using the testcase from upstream I can replicate Malte's results, 3.0.{1,2,3} definitely affected.
Combining GLSA with bug #95492. Security please rereview.
GLSA 200506-17