From ${URL}: "Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands. In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places." FWIW just copying the latest ebuild to -3.4.5 seems to build and run fine.
Thank you for the report! Maintainer, please bump.
Added Github PR. Just a copy of the previous stable ebuild. It installs and runs for me.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d466c6e5e0afe7d03d65b326c88476dddb70b80 commit 6d466c6e5e0afe7d03d65b326c88476dddb70b80 Author: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com> AuthorDate: 2021-03-24 18:36:30 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-03-24 21:32:49 +0000 mail-filter/spamassassin: Bump to 3.4.5 Copy of 3.4.4-r4 and ~ all arches. Bug: https://bugs.gentoo.org/778002 Closes: 20107 Package-Manager: Portage-3.0.13, Repoman-3.0.2 Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com> Closes: https://github.com/gentoo/gentoo/pull/20107 Signed-off-by: Sam James <sam@gentoo.org> mail-filter/spamassassin/Manifest | 1 + mail-filter/spamassassin/spamassassin-3.4.5.ebuild | 315 +++++++++++++++++++++ 2 files changed, 316 insertions(+)
Thank you! Please let us know when ready to stable.
acct-user-spamd does not change spamd homedir in shell its resolved with usermod --home /var/lib/spamd spamd
(In reply to Benny Pedersen from comment #5) > acct-user-spamd does not change spamd homedir > > in shell its resolved with > > usermod --home /var/lib/spamd spamd Benny, do you mind making another bug for that? That code's shared with all the other ebuilds in the tree right now, so it's beyond the scope of this security focused bug.
https://bugs.gentoo.org/778734
Shall we stable?
As proxy-maintainer, I'd vote we should stabilize.
(In reply to Philippe Chaintreuil from comment #9) > As proxy-maintainer, I'd vote we should stabilize. Thanks! Proceeding.
By the way, Apache SpamAssassin 3.4.6 fixes two small but potentially annoying bugs in 3.4.5
Just added https://github.com/gentoo/gentoo/pull/20361 for 3.4.6. (And started running it locally.) Thanks for the heads up Tomáš.
amd64 done
x86 done
arm64 done
arm done
ppc64 done
ppc done
sparc stable
Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18851f8cf38243ad057795d6e71de8ac8cbd2135 commit 18851f8cf38243ad057795d6e71de8ac8cbd2135 Author: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com> AuthorDate: 2021-04-18 14:27:58 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2021-04-21 00:04:36 +0000 mail-filter/spamassassin: Cleanup <3.4.5 Cleanup versions effected by CVE-2020-1946. Bug: https://bugs.gentoo.org/778002 Package-Manager: Portage-3.0.17, Repoman-3.0.2 Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com> Closes: https://github.com/gentoo/gentoo/pull/20441 Signed-off-by: John Helmert III <ajak@gentoo.org> mail-filter/spamassassin/Manifest | 1 - .../spamassassin/spamassassin-3.4.4-r4.ebuild | 315 -------------------- .../spamassassin/spamassassin-3.4.4-r5.ebuild | 319 --------------------- 3 files changed, 635 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-26 at https://security.gentoo.org/glsa/202105-26 by GLSA coordinator Thomas Deutschmann (whissi).