| Summary: | mail-filter/spamassassin-3.4.5: malicious .cf file can run system commands (CVE-2020-1946) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hank Leininger <hlein> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gentoo_bugs_peep, hydrapolic, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C241c47dc-467f-c622-c8ab-e06df159b475%40apache.org%3E | | |
| See Also: | https://github.com/gentoo/gentoo/pull/20107, https://github.com/gentoo/gentoo/pull/20441 | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Hank Leininger
2021-03-24 17:39:43 UTC
Thank you for the report! Maintainer, please bump.

Added Github PR. Just a copy of the previous stable ebuild. It installs and runs for me.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d466c6e5e0afe7d03d65b326c88476dddb70b80

    commit 6d466c6e5e0afe7d03d65b326c88476dddb70b80
    Author:     Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    AuthorDate: 2021-03-24 18:36:30 +0000
    Commit:     Sam James <sam@gentoo.org>
    CommitDate: 2021-03-24 21:32:49 +0000

        mail-filter/spamassassin: Bump to 3.4.5

        Copy of 3.4.4-r4 and ~ all arches.

        Bug: https://bugs.gentoo.org/778002
        Closes: 20107
        Package-Manager: Portage-3.0.13, Repoman-3.0.2
        Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
        Closes: https://github.com/gentoo/gentoo/pull/20107
        Signed-off-by: Sam James <sam@gentoo.org>

     mail-filter/spamassassin/Manifest                  |   1 +
     mail-filter/spamassassin/spamassassin-3.4.5.ebuild | 315 +++++++++++++++++++++
     2 files changed, 316 insertions(+)

Thank you! Please let us know when ready to stable.

acct-user-spamd does not change spamd homedir

in shell it's resolved with

usermod --home /var/lib/spamd spamd

(In reply to Benny Pedersen from comment #5)
> acct-user-spamd does not change spamd homedir
>
> in shell it's resolved with
>
> usermod --home /var/lib/spamd spamd

Benny, do you mind making another bug for that? That code's shared with all the other ebuilds in the tree right now, so it's beyond the scope of this security-focused bug.

Shall we stable?

As proxy-maintainer, I'd vote we should stabilize.

(In reply to Philippe Chaintreuil from comment #9)
> As proxy-maintainer, I'd vote we should stabilize.

Thanks! Proceeding.

By the way, Apache SpamAssassin 3.4.6 fixes two small but potentially annoying bugs in 3.4.5.

Just added https://github.com/gentoo/gentoo/pull/20361 for 3.4.6. (And started running it locally.) Thanks for the heads up, Tomáš.

amd64 done

x86 done

arm64 done

arm done

ppc64 done

ppc done

sparc stable

Please cleanup.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18851f8cf38243ad057795d6e71de8ac8cbd2135

    commit 18851f8cf38243ad057795d6e71de8ac8cbd2135
    Author:     Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    AuthorDate: 2021-04-18 14:27:58 +0000
    Commit:     John Helmert III <ajak@gentoo.org>
    CommitDate: 2021-04-21 00:04:36 +0000

        mail-filter/spamassassin: Cleanup <3.4.5

        Cleanup versions affected by CVE-2020-1946.

        Bug: https://bugs.gentoo.org/778002
        Package-Manager: Portage-3.0.17, Repoman-3.0.2
        Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
        Closes: https://github.com/gentoo/gentoo/pull/20441
        Signed-off-by: John Helmert III <ajak@gentoo.org>

     mail-filter/spamassassin/Manifest                  |   1 -
     .../spamassassin/spamassassin-3.4.4-r4.ebuild      | 315 --------------------
     .../spamassassin/spamassassin-3.4.4-r5.ebuild      | 319 ---------------------
     3 files changed, 635 deletions(-)

New GLSA request filed.

This issue was resolved and addressed in GLSA 202105-26 at https://security.gentoo.org/glsa/202105-26 by GLSA coordinator Thomas Deutschmann (whissi).