http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01 http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-02 bogofilter-SA-2005-01 Topic: heap buffer overrun in bogofilter/bogolexer 0.93.5 - 0.96.2 Announcement: bogofilter-SA-2005-01 Writer: Matthias Andree Version: 1.00 CVE ID: CVE-2005-4591 Announced: 2006-01-02 Category: vulnerability Type: buffer overrun through malformed input Impact: heap corruption, application crash Credits: David Relson, Clint Adams Danger: medium URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01 Affected: bogofilter 0.96.2 bogofilter 0.95.2 bogofilter 0.94.14 bogofilter 0.94.12 all "current" versions from 0.93.5 to 0.96.2 inclusively CVS between 2005-01-09T17:32Z and 2005-10-22T00:51Z CVS between 2005-12-31T10:22Z and 2005-12-31T12:45Z Not affected: bogofilter 0.96.3 "current" (released 2005-10-26) bogofilter 0.96.6 (released 2005-11-19) bogofilter 1.0.0 (released 2005-12-01) bogofilter 1.0.1 (released 2006-01-01) 1. Background ============= Bogofilter is a software package for classifying a message as spam or non-spam. It uses a data base to store words and must be trained which messages are spam and non-spam. It uses the probabilities of individual words for classifying the message. Note that the bogofilter project is issuing security announcements only for current "stable" releases, and not necessarily for past "stable" releases. 2. Problem description ====================== When using Unicode databases (default in more recent bogofilter installations), upon encountering invalid input sequences, bogofilter or bogolexer could overrun a malloc()'d buffer, corrupting the heap, while converting character sets. Bogofilter would usually be processing untrusted data received from the network at that time. This problem was aggravated by an unrelated bug that made bogofilter process binary attachments as though they were text, and attempt charset conversion on them. Given the MIME default character set, US-ASCII, all input octets in the range 0x80...0xff were considered invalid input sequences and could trigger the heap corruption. The faulty code was first released with bogofilter "current" 0.93.5, initially under the aegis of "./configure --enable-iconv", which was later renamed "--enable-unicode" and enabled by default. 3. Impact ========= Vulnerable bogofilter and bogolexer applications corrupt their heap and crash. The consequences are dependent on the local configuration which is up to the user; in common configurations, messages would be placed back in the mail queue and ultimately be returned to the sender when the mail queue lifetime expired, or they might be processed as though bogofilter had classified them as "ham". The bogofilter maintainers are not aware of exploits against this vulnerability in the wild. 4. Solution =========== Upgrade your bogofilter to version 1.0.1 (or a newer release). bogofilter is available from SourceForge: <https://sourceforge.net/project/showfiles.php?group_id=62265> A. Copyright, License and Warranty ================================== (C) Copyright 2005 - 2006 by Matthias Andree, <matthias.andree@gmx.de>. Some rights reserved. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs German License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ or send a letter to Creative Commons; 559 Nathan Abbott Way; Stanford, California 94305; USA. THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END of bogofilter-SA-2005-01 bogofilter-SA-2005-02 Topic: heap buffer overrun in bogofilter/bogolexer 0.96.2 Announcement: bogofilter-SA-2005-02 Writer: Matthias Andree Version: 1.00 CVE ID: CVE-2005-4592 Announced: 2006-01-02 Category: vulnerability Type: buffer overrun through long input Impact: heap corruption, application crash Credits: David Relson, Clint Adams Danger: medium URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-02 Affected: bogofilter 0.96.2 CVS between 2005-09-08T02:49Z and 2005-10-23T15:16Z Not affected: bogofilter 0.96.3 "current" (released 2005-10-26) bogofilter 0.96.6 (released 2005-11-19) bogofilter 1.0.0 (released 2005-12-01) bogofilter 1.0.1 (released 2006-01-01) 1. Background ============= Bogofilter is a software package for classifying a message as spam or non-spam. It uses a data base to store words and must be trained which messages are spam and non-spam. It uses the probabilities of individual words for classifying the message. Note that the bogofilter project is issuing security announcements only for current "stable" releases, and not necessarily for past "stable" releases. 2. Problem description ====================== Bogofilter's/bogolexer's input handling in version 0.96.2 was not keeping track of its output buffers properly and could overrun a heap buffer if the input contained words whose length exceeded 16,384 bytes, the size of flex's input buffer. A "word" here refers to a contiguous run of input octets that was not '_' and did not match at least one of ispunct(), iscntrl() or isspace(). 3. Impact ========= Vulnerable bogofilter and bogolexer applications corrupt their heap and crash. The consequences are dependent on the local configuration which is up to the user; in common configurations, messages would be placed back in the mail queue and ultimately be returned to the sender when the mail queue lifetime expired, or they might be processed as though bogofilter had classified them as "ham". The bogofilter maintainers are not aware of exploits against this vulnerability in the wild. 4. Solution =========== Upgrade your bogofilter to version 1.0.1 (or a newer release). bogofilter is available from SourceForge: <https://sourceforge.net/project/showfiles.php?group_id=62265> A. Copyright, License and Warranty ================================== (C) Copyright 2005 - 2006 by Matthias Andree, <matthias.andree@gmx.de>. Some rights reserved. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs German License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ or send a letter to Creative Commons; 559 Nathan Abbott Way; Stanford, California 94305; USA. THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END of bogofilter-SA-2005-02
net-mail, do you want to bump to an unaffected 0.96.X version or should we stable the 1.0.1 version already in portage?
The latest stable version in the tree is 0.92.8. This version is very old but not affected.
ok, i hope you are right, i thought they just didn't go back far enough in history to reach our version. closing as invalid.
*** Bug 136990 has been marked as a duplicate of this bug. ***
