Bug 666348 - <mail-filter/spamassassin-3.4.2-r2: multiple vulnerabilities (CVE-{2016-1238,2017-15705,2018-11780,2018-11781})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-16 17:21 UTC by Hank Leininger
Modified: 2018-12-15 20:10 UTC
CC List: 7 users

See Also:
Package list:
=mail-filter/spamassassin-3.4.2-r2
Runtime testing required: ---
stable-bot: sanity-check+


Comment 1 Hank Leininger 2018-09-16 18:41:35 UTC
FWIW just bumping the latest 3.4.1 ebuild to 3.4.2 and emptying out PATCHES= seems to work fine.  Every one of those patches appears to be folded into upstream 3.4.2, with the exception of the last hunks of spamassassin-3.4.1-bug_7361.patch:

--- a/spamc/libspamc.c  2017-10-20 13:33:54.129653171 +1100
+++ b/spamc/libspamc.c  2017-10-20 13:36:09.429653849 +1100
@@ -1212,10 +1212,21 @@

     if (flags & SPAMC_USE_SSL) {
 #ifdef SPAMC_SSL
+#if OPENSSL_API_COMPAT >= 0x10100000L
+       OPENSSL_init_ssl(0, NULL);
+       meth = TLS_method();
+       ctx = SSL_CTX_new(meth);
+       if (flags & SPAMC_TLSV1) {
+           SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+       } else {
+           SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+       }
+#else
        SSLeay_add_ssl_algorithms();
        meth = SSLv23_client_method();
        SSL_load_error_strings();
        ctx = SSL_CTX_new(meth);
+#endif
 #else
        UNUSED_VARIABLE(ssl);
        UNUSED_VARIABLE(meth);
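Review bot: the guard `#if OPENSSL_API_COMPAT >= 0x10100000L` tests an application-defined opt-in macro, not the library version. OPENSSL_API_COMPAT is normally left undefined (the preprocessor then treats it as 0), so the OPENSSL_init_ssl()/TLS_method() branch is never compiled and the legacy SSLeay_add_ssl_algorithms()/SSLv23_client_method() code is still what gets built against OpenSSL 1.1.x; that legacy code keeps compiling there because 1.1.x defines those names as deprecated aliases of the new ones, which is consistent with upstream's view that the hunk is not needed. If the intent is to select by the library in use, `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` is the usual check. Separately, the `else` branch sets the floor to SSL3_VERSION, which leaves SSLv3 negotiable when the library was built with it; TLS1_VERSION (or higher) in both branches would be the safer floor, and `ctx` from SSL_CTX_new() should be checked for NULL before SSL_CTX_set_min_proto_version() is called on it.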
@@ -1599,10 +1610,17 @@

     if (flags & SPAMC_USE_SSL) {
 #ifdef SPAMC_SSL
+#if OPENSSL_API_COMPAT >= 0x10100000L
+       OPENSSL_init_ssl(0, NULL);
+       meth = TLS_method();
+       ctx = SSL_CTX_new(meth);
+       SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+#else
        SSLeay_add_ssl_algorithms();
        meth = SSLv23_client_method();
        SSL_load_error_strings();
        ctx = SSL_CTX_new(meth);
+#endif
 #else
        UNUSED_VARIABLE(ssl);
        UNUSED_VARIABLE(meth);
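Review bot: this second site hard-codes `SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);` and drops the `flags & SPAMC_TLSV1` branch that the first hunk has, so a caller asking for TLSv1 still gets an SSLv3 floor here; both sites should apply the same minimum, and TLS1_VERSION is the safer choice for both. The same remark on the `OPENSSL_API_COMPAT` guard applies: it is an application opt-in macro rather than a library version test, so this branch is not compiled unless the build defines it. `ctx` is again passed to SSL_CTX_set_min_proto_version() without a NULL check after SSL_CTX_new().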


I cannot find a hunk like that in the upstream bug referenced (https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7361).  Perhaps it was removed since.  I do not have an openssl-1.1.x system on which to test to see if that is in fact needed, but upstream seems to think it is not.
Comment 2 Michael Orlitzky gentoo-dev 2018-09-16 20:09:08 UTC
I wouldn't swear to it, but all of the patches that we use should be upstreamed. I'll commit the v3.4.2 with an empty PATCHES (after double-checking that they all fail to apply on v3.4.2) and we can see what happens.
Comment 3 Larry the Git Cow gentoo-dev 2018-09-18 02:47:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0dbbc52674fccc8c21209fe42b9e66790369901f

commit 0dbbc52674fccc8c21209fe42b9e66790369901f
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2018-09-18 02:05:09 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2018-09-18 02:43:25 +0000

    mail-filter/spamassassin: new version 3.4.2.
    
    This new version incorporates a ton of fixes that have piled on top of
    v3.4.1 over the past few years. As a result, we are able to drop all
    of our PATCHES in the new ebuild. The new version also addresses four
    security vulnerabilities:
    
      * CVE-2016-1238
      * CVE-2017-15705
      * CVE-2018-11780
      * CVE-2018-11781
    
    Sadly, there is a new failure in the test suite (upstream bug 7622) so
    I've added RESTRICT=test for now.
    
    Stabilization of this version should already be fast-tracked for the
    security issues mentioned above, but just in case, the release notes
    have the following to say:
    
      If you do not update to 3.4.2, you will be stuck at the last ruleset
      with SHA-1 signatures in the near future.
    
    Bug: https://bugs.gentoo.org/666348
    Bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7622
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-filter/spamassassin/Manifest                  |   1 +
 mail-filter/spamassassin/spamassassin-3.4.2.ebuild | 242 +++++++++++++++++++++
 2 files changed, 243 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2018-09-18 18:39:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27b0dc92ffcd4001fcc8489be7cd48029f259c3d

commit 27b0dc92ffcd4001fcc8489be7cd48029f259c3d
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2018-09-18 18:28:21 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2018-09-18 18:38:12 +0000

    mail-filter/spamassassin: disable a network test and drop RESTRICT=test.
    
    I originally added RESTRICT=test to spamassassin-3.4.2.ebuild because
    a test was failing, I didn't know why, and we needed to get the new
    version out to address multiple CVEs. It turns out that the one
    failing test is not respecting the fact that network access should be
    disabled in the test suite (upstream bug 7622).
    
    In the new revision, we kill that one test in src_prepare(). The rest
    of the tests should pass, so RESTRICT=test has been removed.
    
    Bug: https://bugs.gentoo.org/666348
    Bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7622
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 .../{spamassassin-3.4.2.ebuild => spamassassin-3.4.2-r1.ebuild}   | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
Comment 5 Tomáš Mózes 2018-09-19 11:44:41 UTC
Updated to 3.4.2-r1 in production, seems to work fine, thanks @mjo.
Comment 6 Michael Orlitzky gentoo-dev 2018-09-19 14:23:02 UTC
I also updated yesterday and ran it overnight on our main MX. There is some annoying log spam, e.g.

  Sep 19 10:17:46 mx1 amavis[9235]: (09235-17) SA info: dns: new_dns_packet: domain is utf8 flagged: ns4.dnsmadeeasy.com

but that's harmless and everything else is working as expected.

It's not ideal that this security release also contains three years of bugfixes and new features, but hey: if the CVEs made them get 3.4.2 out the door, I'll take it =)

Unless the other maintainers object, I'd be OK with stabilizing this ASAP, not just for the security issues but because sa-update is going to stop working in older versions after a few months. Even if there are new bugs in 3.4.2, we don't have much of a choice but to encounter & fix them.
Comment 7 Tomáš Mózes 2018-09-19 14:30:19 UTC
Agreed, let's wait a few days and start stabilization :)
Comment 8 Michael Orlitzky gentoo-dev 2018-10-18 01:50:05 UTC
I added a patch a few days ago to kill that log spam. I don't see any other major problems, so I think we can stabilize it now.
Comment 9 Agostino Sarubbo gentoo-dev 2018-10-18 07:36:13 UTC
amd64 stable
Comment 10 Philippe Chaintreuil 2018-10-18 10:29:37 UTC
Should bug #666576 keep this from being stabilized?
Comment 11 Thomas Deutschmann gentoo-dev 2018-10-18 11:32:09 UTC
x86 stable
Comment 12 Michael Orlitzky gentoo-dev 2018-10-18 11:39:22 UTC
(In reply to Philippe Chaintreuil from comment #10)
> Should bug #666576 keep this from being stabilized?

AFAIK upstream is still planning to break updates for 3.4.1, so we don't have much of a choice, but...

I think bug #666576 comes down to "it sucks that they piled two years of feature updates into a point release, but they did." Even when that gets addressed upstream, the fix will probably only be a note in the changelog that says "upgrade your database." Users will still need to realize that 3.4.1 -> 3.4.2 is a major upgrade and that will probably only happen when they try to run it and notice that their databases need upgrading. We could add an elog that displays after the fact, I guess, but by then it doesn't really do you much good.
Comment 13 Larry the Git Cow gentoo-dev 2018-10-18 11:44:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1f932bc99ca56b177f4cdbc9e794c4914f80682

commit d1f932bc99ca56b177f4cdbc9e794c4914f80682
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-10-18 11:44:01 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-10-18 11:44:01 +0000

    mail-filter/spamassassin-3.4.2-r2: alpha stable
    
    Bug: http://bugs.gentoo.org/666348
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 mail-filter/spamassassin/spamassassin-3.4.2-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-18 11:46:03 UTC
Stable on alpha.
Comment 15 Philippe Chaintreuil 2018-10-18 12:45:13 UTC
I'd be fine with just adding an elog.

Patching their aws .sql files would be nice as well, but users who are upgrading are basically going to have to run an ALTER command anyway (or drop the table and re-add, losing all their data).

The MySQL command is:

ALTER TABLE awl ADD last_hit timestamp NOT NULL default CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP;

I don't have a PgSQL install around to test, but my stab at it's would be:

ALTER TABLE awl ADD COLUMN last_hit timestamp NOT NULL default CURRENT_TIMESTAMP;
Comment 16 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-10-18 13:23:48 UTC
Also you can use pkg_pretend to have it printed early (with a chance to abort the merge).
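As an added illustration (not code from the Gentoo ebuild), one way to carry out the elog/pkg_pretend suggestion from comments 15 and 16; it assumes EAPI 7 for ver_test, the mysql and postgres USE flags that appear in the stabilization report later in this bug, and a hypothetical helper named _sa_awl_schema_changes:

```ebuild
# Hypothetical fragment for spamassassin-3.4.2-r2.ebuild (EAPI 7 assumed;
# not the real ebuild). Warns before the merge that the 3.4.1 -> 3.4.2 jump
# changes the SQL auto-whitelist (awl) schema, and repeats the hint afterwards.

# Assumed helper: true when one of the versions being replaced predates 3.4.2.
# REPLACING_VERSIONS is set by the package manager in pkg_pretend/pkg_postinst.
_sa_awl_schema_changes() {
	local v
	for v in ${REPLACING_VERSIONS}; do
		ver_test "${v}" -lt 3.4.2 && return 0
	done
	return 1
}

pkg_pretend() {
	# Only the SQL-backed AWL stores need the schema change.
	if (use mysql || use postgres) && _sa_awl_schema_changes; then
		ewarn "Upgrading from <3.4.2: the SQL auto-whitelist (awl) table gains a"
		ewarn "last_hit column and must be altered by hand (bug #666576)."
		ewarn "For MySQL the statement is:"
		ewarn "  ALTER TABLE awl ADD last_hit timestamp NOT NULL default CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP;"
		ewarn "For PostgreSQL see the awl .sql files shipped with the source."
		ewarn "Abort the merge now (Ctrl-C) if you need to schedule that first."
	fi
}

pkg_postinst() {
	# Repeat the reminder after the merge, when users read the elog.
	if (use mysql || use postgres) && _sa_awl_schema_changes; then
		elog "Remember to add the last_hit column to your awl table before"
		elog "using the SQL auto-whitelist with this version (see pkg_pretend)."
	fi
}
```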
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-20 12:28:33 UTC
ia64 stable
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-20 13:52:10 UTC
ppc stable
Comment 19 Rolf Eike Beer archtester 2018-10-23 21:08:23 UTC
sparc stable
Comment 20 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-26 22:14:22 UTC
hppa stable
Comment 21 Markus Meier gentoo-dev 2018-10-31 17:17:46 UTC
arm stable
Comment 22 ernsteiswuerfel archtester 2018-12-09 12:43:28 UTC
Looking good on ppc64.

# cat spamassassin-666348.report 
USE tests started on Sa 8. Dez 20:59:02 CET 2018

FEATURES=' test' USE='' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='-berkdb -cron -ipv6 -ldap libressl -mysql -postgres -qmail -sqlite -ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='berkdb -cron -ipv6 -ldap libressl -mysql postgres -qmail -sqlite -ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='-berkdb -cron -ipv6 -ldap -libressl -mysql postgres -qmail sqlite -ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='-berkdb -cron ipv6 -ldap -libressl mysql -postgres qmail sqlite -ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='berkdb cron -ipv6 -ldap libressl -mysql postgres qmail sqlite -ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='-berkdb -cron ipv6 ldap -libressl -mysql -postgres -qmail -sqlite ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='-berkdb cron ipv6 -ldap -libressl -mysql -postgres qmail -sqlite ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='berkdb cron ipv6 ldap -libressl -mysql -postgres qmail -sqlite ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2
USE='berkdb cron -ipv6 -ldap libressl -mysql -postgres qmail -sqlite ssl' : blocked packages (probably) for =mail-filter/spamassassin-3.4.2-r2
USE='berkdb -cron ipv6 -ldap libressl -mysql -postgres qmail -sqlite ssl' : blocked packages (probably) for =mail-filter/spamassassin-3.4.2-r2
USE='-berkdb -cron ipv6 -ldap libressl mysql -postgres -qmail sqlite ssl' : blocked packages (probably) for =mail-filter/spamassassin-3.4.2-r2
USE='berkdb -cron -ipv6 -ldap -libressl -mysql -postgres qmail sqlite ssl' succeeded for =mail-filter/spamassassin-3.4.2-r2

revdep tests started on So 9. Dez 13:40:07 CET 2018

FEATURES=' test' USE='spamassassin' succeeded for net-mail/vpopmail
FEATURES=' test' USE='spamassassin' succeeded for mail-filter/amavisd-new
Comment 23 Larry the Git Cow gentoo-dev 2018-12-11 10:19:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc7e9cb73adc438aa7fc4c7b8ea090f9d9cdcd14

commit dc7e9cb73adc438aa7fc4c7b8ea090f9d9cdcd14
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-12-11 10:19:10 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-12-11 10:19:30 +0000

    mail-filter/spamassassin: Security cleanup
    
    Bug: https://bugs.gentoo.org/666348
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 mail-filter/spamassassin/Manifest                  |   1 -
 .../files/spamassassin-3.4.1-bug_7199.patch        | 280 ------------
 .../files/spamassassin-3.4.1-bug_7208.patch        |  31 --
 .../files/spamassassin-3.4.1-bug_7223.patch        |  14 -
 .../files/spamassassin-3.4.1-bug_7231-extra.patch  | 140 ------
 .../files/spamassassin-3.4.1-bug_7231.patch        |  29 --
 .../files/spamassassin-3.4.1-bug_7265.patch        |  88 ----
 .../files/spamassassin-3.4.1-bug_7361.patch        | 491 ---------------------
 .../files/spamassassin-3.4.1-bug_7404.patch        |  23 -
 .../files/spamassassin-3.4.1-bug_7462.patch        | 198 ---------
 .../files/spamassassin-3.4.1-perl526.patch         |  14 -
 .../spamassassin/spamassassin-3.4.1-r19.ebuild     | 251 -----------
 .../spamassassin/spamassassin-3.4.1-r20.ebuild     | 251 -----------
 .../spamassassin/spamassassin-3.4.1-r21.ebuild     | 252 -----------
 14 files changed, 2063 deletions(-)
Comment 24 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-12 22:42:32 UTC
GLSA filed.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2018-12-15 20:10:58 UTC
This issue was resolved and addressed in
 GLSA 201812-07 at https://security.gentoo.org/glsa/201812-07
by GLSA coordinator Aaron Bauman (b-man).