Bug 778002 (CVE-2020-1946) - <mail-filter/spamassassin-3.4.5: malicious .cf file can run system commands (CVE-2020-1946)
Summary: <mail-filter/spamassassin-3.4.5: malicious .cf file can run system commands (...
Status: RESOLVED FIXED
Alias: CVE-2020-1946
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mail-archives.apache.org/mod_...
Whiteboard: B2 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-03-24 17:39 UTC by Hank Leininger
Modified: 2021-05-26 09:51 UTC

See Also:
Package list:
Runtime testing required: ---
Description Hank Leininger 2021-03-24 17:39:43 UTC
From ${URL}:

"Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places."

FWIW just copying the latest ebuild to -3.4.5 seems to build and run fine.
Comment 1 John Helmert III gentoo-dev Security 2021-03-24 17:59:31 UTC
Thank you for the report! Maintainer, please bump.
Comment 2 Philippe Chaintreuil 2021-03-24 19:14:37 UTC
Added Github PR.  Just a copy of the previous stable ebuild.  It installs and runs for me.
Comment 3 Larry the Git Cow gentoo-dev 2021-03-24 22:00:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d466c6e5e0afe7d03d65b326c88476dddb70b80

commit 6d466c6e5e0afe7d03d65b326c88476dddb70b80
Author:     Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
AuthorDate: 2021-03-24 18:36:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-24 21:32:49 +0000

    mail-filter/spamassassin: Bump to 3.4.5
    
    Copy of 3.4.4-r4 and ~ all arches.
    
    Bug: https://bugs.gentoo.org/778002
    Closes: 20107
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    Closes: https://github.com/gentoo/gentoo/pull/20107
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-filter/spamassassin/Manifest                  |   1 +
 mail-filter/spamassassin/spamassassin-3.4.5.ebuild | 315 +++++++++++++++++++++
 2 files changed, 316 insertions(+)
Comment 4 John Helmert III gentoo-dev Security 2021-03-25 02:42:13 UTC
Thank you! Please let us know when ready to stable.
Comment 5 Benny Pedersen 2021-03-25 09:55:24 UTC
acct-user-spamd does not change spamd homedir

in shell it's resolved with

usermod --home /var/lib/spamd spamd
Comment 6 Philippe Chaintreuil 2021-03-25 12:49:02 UTC
(In reply to Benny Pedersen from comment #5)
> acct-user-spamd does not change spamd homedir
> 
> in shell it's resolved with
> 
> usermod --home /var/lib/spamd spamd

Benny, do you mind making another bug for that?

That code's shared with all the other ebuilds in the tree right now, so it's beyond the scope of this security focused bug.
Comment 7 Benny Pedersen 2021-03-27 14:13:48 UTC
https://bugs.gentoo.org/778734
Comment 8 Sam James archtester gentoo-dev Security 2021-04-12 17:23:26 UTC
Shall we stable?
Comment 9 Philippe Chaintreuil 2021-04-12 18:08:47 UTC
As proxy-maintainer, I'd vote we should stabilize.
Comment 10 John Helmert III gentoo-dev Security 2021-04-12 18:12:29 UTC
(In reply to Philippe Chaintreuil from comment #9)
> As proxy-maintainer, I'd vote we should stabilize.

Thanks! Proceeding.
Comment 11 Tomáš Mózes 2021-04-13 06:11:19 UTC
By the way, Apache SpamAssassin 3.4.6 fixes two small but potentially annoying bugs in 3.4.5
Comment 12 Philippe Chaintreuil 2021-04-13 11:01:39 UTC
Just added https://github.com/gentoo/gentoo/pull/20361 for 3.4.6.  (And started running it locally.)

Thanks for the heads up Tomáš.
Comment 13 Sam James archtester gentoo-dev Security 2021-04-13 16:02:51 UTC
amd64 done
Comment 14 Sam James archtester gentoo-dev Security 2021-04-13 16:03:51 UTC
x86 done
Comment 15 Sam James archtester gentoo-dev Security 2021-04-13 16:06:05 UTC
arm64 done
Comment 16 Sam James archtester gentoo-dev Security 2021-04-13 16:06:15 UTC
arm done
Comment 17 Sam James archtester gentoo-dev Security 2021-04-14 16:26:48 UTC
ppc64 done
Comment 18 Sam James archtester gentoo-dev Security 2021-04-14 22:06:58 UTC
ppc done
Comment 19 Rolf Eike Beer archtester 2021-04-15 18:49:27 UTC
sparc stable
Comment 20 John Helmert III gentoo-dev Security 2021-04-15 18:53:55 UTC
Please cleanup.
Comment 21 Larry the Git Cow gentoo-dev 2021-04-21 00:08:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18851f8cf38243ad057795d6e71de8ac8cbd2135

commit 18851f8cf38243ad057795d6e71de8ac8cbd2135
Author:     Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
AuthorDate: 2021-04-18 14:27:58 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-04-21 00:04:36 +0000

    mail-filter/spamassassin: Cleanup <3.4.5
    
    Cleanup versions affected by CVE-2020-1946.
    
    Bug: https://bugs.gentoo.org/778002
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    Closes: https://github.com/gentoo/gentoo/pull/20441
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 mail-filter/spamassassin/Manifest                  |   1 -
 .../spamassassin/spamassassin-3.4.4-r4.ebuild      | 315 --------------------
 .../spamassassin/spamassassin-3.4.4-r5.ebuild      | 319 ---------------------
 3 files changed, 635 deletions(-)
Comment 22 Thomas Deutschmann gentoo-dev Security 2021-05-24 01:29:48 UTC
New GLSA request filed.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:51:56 UTC
This issue was resolved and addressed in
 GLSA 202105-26 at https://security.gentoo.org/glsa/202105-26
by GLSA coordinator Thomas Deutschmann (whissi).