Bug 94722 - mail-filter/spamassassin-3.*: Denial of Service (CAN-2005-1266)
Summary: mail-filter/spamassassin-3.*: Denial of Service (CAN-2005-1266)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa] jaervosz
: 96355
Depends on:
Reported: 2005-06-01 04:45 UTC by Thierry Carrez (RETIRED)
Modified: 2005-06-20 23:23 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Thierry Carrez (RETIRED) gentoo-dev 2005-06-01 04:45:05 UTC
By supplying a malicious message to spamassassin (with a very long content-type header and no boundaries) you can cause it to overly consume resources and therefore perform Denial of Service on the hosting server.

Upstream is readying a 3.0.4 that will include the fix.
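The report describes a message whose Content-Type header is very long and, for a multipart type, names no boundary. As an added example that is not code from the bug report or from the SpamAssassin project, the Python pre-filter below inspects exactly that header before a message is handed to a content scanner and reports what it finds, so such a message can be diverted instead of scanned. The thresholds `MAX_CONTENT_TYPE_LEN` and `MAX_PARAMS` are assumed values chosen for illustration, and both sample messages are constructed.

```python
# Added example, not code from the bug report or from SpamAssassin: a pre-filter
# that inspects a message's Content-Type header before the message is handed to
# a content scanner, and flags the shape described in this report (an overly
# long Content-Type header, or a multipart type with no boundary parameter).
import email
from email import policy

# Assumed thresholds, chosen for illustration; RFC 5322 caps header lines at
# 998 characters, and a legitimate Content-Type rarely needs more than a
# handful of parameters.
MAX_CONTENT_TYPE_LEN = 1024   # bytes, after unfolding continuation lines
MAX_PARAMS = 16               # number of ';'-separated parameters


def check_content_type(raw: bytes) -> list:
    """Return a list of findings; an empty list means the header looks sane."""
    # compat32 keeps the raw (unfolded) header text instead of re-parsing it,
    # so the length measured here is what a scanner would actually receive.
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    findings = []
    values = msg.get_all("Content-Type", [])
    if len(values) > 1:
        findings.append(f"multiple Content-Type headers ({len(values)})")
    for ct in values:
        if len(ct) > MAX_CONTENT_TYPE_LEN:
            findings.append(f"Content-Type header too long ({len(ct)} bytes)")
        nparams = ct.count(";")
        if nparams > MAX_PARAMS:
            findings.append(f"too many Content-Type parameters ({nparams})")
    # A multipart type must carry a boundary; without one every MIME parser
    # has to guess where the parts begin and end.
    if msg.get_content_maintype() == "multipart" and msg.get_boundary() is None:
        findings.append("multipart message without boundary parameter")
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Policy hook: divert the message instead of scanning it if anything fired."""
    return bool(check_content_type(raw))


# Constructed sample message (not real mail): a well-formed multipart.
NORMAL_MESSAGE = (
    b"From: sender@example.com\r\n"
    + b"Subject: hello\r\n"
    + b"Content-Type: multipart/mixed; boundary=\"abc\"\r\n"
    + b"\r\n"
    + b"--abc\r\nContent-Type: text/plain\r\n\r\nhi\r\n--abc--\r\n"
)

# Constructed sample in the shape the report describes: a multipart type whose
# Content-Type header runs on for hundreds of folded parameter lines and never
# names a boundary.
MALFORMED_MESSAGE = (
    b"From: sender@example.com\r\n"
    + b"Content-Type: multipart/mixed;"
    + b"\r\n\tx=1;" * 200
    + b"\r\n\r\n"
    + b"body\r\n"
)

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL_MESSAGE), ("malformed", MALFORMED_MESSAGE)):
        print(name, check_content_type(raw) or "ok")
```

The length check also covers the non-multipart variant quoted later in this thread (a bare `content-type:` value padded with folded `hello;` lines), since it measures the unfolded header regardless of the media type.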
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-07 21:56:28 UTC
3.0.4 released. Michael please bump. Opening when there is an official
security announcement.
Comment 2 Michael Cummings (RETIRED) gentoo-dev 2005-06-08 05:19:09 UTC
Ebuild posted, testing now on sparc (ran fine on my x86, but there's no mail 
coming through that box). Proceed with keywording requests :) 
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 05:51:02 UTC
There are indications that the DoS is still possible using 3.0.4. I think it's
urgent to wait.
Comment 4 Michael Cummings (RETIRED) gentoo-dev 2005-06-08 05:55:05 UTC
sometimes it doesn't pay to be on the ball. do you want the package pulled, 
masked, or anything like that? 
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:04:57 UTC
No, keep it in:
1- It's just a rumor that has still to be confirmed by the SA team
2- It's not worse than the previous versions
3- Testing of the extra-security new things in 3.0.4 can begin in ~
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-08 09:20:07 UTC
Seems to be a false alarm. 
Arches please test and mark stable. Security issue is still not public so    
calling arch liaisons. Please CC any relevant arch team members if necessary.  
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2005-06-08 11:26:06 UTC
amd64 stable
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-08 11:28:18 UTC
Stable on ppc.
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-08 11:50:34 UTC
stable on sparc.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 13:25:09 UTC
Release set to 20050615
Comment 11 Malte S. Stretz 2005-06-09 05:50:58 UTC
To clear up the rumor: We found out that Razor2 suffers from a similar bug.
We notified the Razor developers and the vendor-sec embargo was extended by a
week (till 2005-06-15 20.00 UTC).
The issue in our own code is tracked as bug 4171 in our bugzilla, the
discussion went on on our security mailing list (open for committers only). If
anybody wants to get added to bug 4171, please tell me. If you need details
about the Razor bug, I can ask whether I may give you a copy of the mail Justin
sent to them.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-10 04:42:05 UTC
Thx for clearing that up Malte, please add me to the bug and I'll update the 
GLSA draft accordingly. 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 09:23:38 UTC
I guess we /could/ open the bugs now, even if I don't see anything published yet...

tester, kloeri: please test and mark spamassassin stable
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-06-16 16:06:12 UTC
Stable on alpha + ia64.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-06-17 01:33:50 UTC
corsair: ppc64 needs some lovin too.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-06-17 02:47:40 UTC
Opening, adding arch aliases, removing individual archtesters.

x86, hppa, ppc64: please test and mark 3.0.4 stable.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-06-17 02:57:05 UTC
*** Bug 96355 has been marked as a duplicate of this bug. ***
Comment 18 Markus Rothe (RETIRED) gentoo-dev 2005-06-17 04:45:44 UTC
stable on ppc64
Comment 19 Tobias Weisserth 2005-06-17 04:49:38 UTC
See also

We should make 3.0.4 available in Portage for all architectures since there is a
big chance people are already exploiting this. It's been on Heise already so
there's probably not much time left.
Comment 20 René Nussbaumer (RETIRED) gentoo-dev 2005-06-17 08:03:19 UTC
Stable on hppa
Comment 21 Thomas Matthijs (RETIRED) gentoo-dev 2005-06-18 02:06:55 UTC
stable on x86
Comment 22 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-19 09:12:24 UTC
I cannot reproduce this with <spamassassin-3.0.3

with 3.0.0:

malformed: 0m37.744s
non-malformed: 0m7.341s

Doesn't seem unreasonable considering the size:

5039 /home/taviso/malformed.txt
  35 /home/taviso/non-malformed.txt

but with 3.0.3:

malformed: 3m56.351s
non-malformed: 0m4.173s

If only 3.0.3 is affected we don't need a GLSA on this.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-19 09:19:30 UTC
Holding off GLSA until we get this sorted out. 
Comment 24 Malte S. Stretz 2005-06-19 11:12:26 UTC
From the announcement:  
| Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial  
| of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  
                                       ^^^^^^^^^^^^^^^^^^^^^^^ :)  
3.0.0 was never vulnerable as the bug was introduced with a patch to fix some  
other bug (AFAIK it was actually a backport from trunk).  
Comment 25 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-19 11:37:08 UTC
Malte, could you provide a testcase that demonstrates this problem in 3.0.1 or
3.0.2? As I mentioned in my comment "I cannot reproduce this with <spamassassin-
3.0.3", i.e. I have tried 3.0.0, 3.0.1, 3.0.2 and 3.0.3 and could not reproduce
this in any version less than 3.0.3.
Comment 26 Malte S. Stretz 2005-06-19 12:44:35 UTC
Sorry, currently I can't give you our exploit as we don't want it to spread too
much (spammers are dumb but we know what script kiddies can do when they have
the code available). But here are my numbers:
mss@otherland ~/tmp/sa $ ls 
Mail-SpamAssassin-3.0.0  Mail-SpamAssassin-3.0.1  Mail-SpamAssassin-3.0.2  
Mail-SpamAssassin-3.0.3  Mail-SpamAssassin-3.0.4  sa-exploit 
mss@otherland ~/tmp/sa $ for d in Mail-SpamAssassin-3.0.*; do pushd $d; 
time ./spamassassin -D -L < ../sa-exploit &> ../$d.log; popd; done 
~/tmp/sa/Mail-SpamAssassin-3.0.0 ~/tmp/sa 
real    0m2.709s 
user    0m2.017s 
sys     0m0.262s 
~/tmp/sa/Mail-SpamAssassin-3.0.1 ~/tmp/sa 
real    2m4.609s 
user    1m37.279s 
sys     0m0.403s 
~/tmp/sa/Mail-SpamAssassin-3.0.2 ~/tmp/sa 
real    2m37.257s 
user    1m38.722s 
sys     0m1.183s 
~/tmp/sa/Mail-SpamAssassin-3.0.3 ~/tmp/sa 
real    2m27.973s 
user    1m38.770s 
sys     0m0.769s 
~/tmp/sa/Mail-SpamAssassin-3.0.4 ~/tmp/sa 
real    0m2.894s 
user    0m2.086s 
sys     0m0.233s 
Comment 27 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-19 13:48:55 UTC
Malte, I've been unsuccessful in constructing an exploit to replicate this bug,
but I have found another path to bug 72109 though :)

$ perl -e 'print "content-type: ", "hello;\n\t" x 0xfff' | spamassassin
Segmentation fault

Would it be possible to send me the exploit privately?
Comment 28 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-19 15:04:56 UTC
Okay, using the testcase from upstream I can replicate Malte's results; 3.0.{1,
2,3} are definitely affected.
Comment 29 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-19 21:51:21 UTC
Combining GLSA with bug #95492. Security please rereview. 
Comment 30 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-20 23:23:32 UTC
GLSA 200506-17