Bug 445908 (CVE-2012-5468) - <mail-filter/bogofilter-1.2.3: heap corruption (CVE-2012-5468)
Summary: <mail-filter/bogofilter-1.2.3: heap corruption (CVE-2012-5468)
Status: RESOLVED FIXED
Alias: CVE-2012-5468
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://bogofilter.sourceforge.net/sec...
Whiteboard: B3 [noglsa]
Reported: 2012-12-04 10:08 UTC by Agostino Sarubbo
Modified: 2012-12-17 03:34 UTC

Description Agostino Sarubbo gentoo-dev 2012-12-04 10:08:35 UTC
From $URL :

2. Problem description
======================

Julius Plenz figured out that bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters.

3. Impact
=========

Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash.

4. Solution
===========

Upgrade your bogofilter to version 1.2.3 (or a newer release).

bogofilter is available from SourceForge:
<https://sourceforge.net/project/showfiles.php?group_id=62265>
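The failure class described in the advisory above (decoded input that ends in the middle of a multibyte character, fed to a character set conversion) is shown here from the defensive side. This is an added example, not bogofilter's code and not part of the original report. It assumes POSIX iconv; `convert_bounded`, the `conv_status` names and the sample bytes are constructed for illustration.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>

enum conv_status { CONV_OK, CONV_INCOMPLETE, CONV_INVALID, CONV_NOSPACE, CONV_ERROR };

/* Convert UTF-8 input to UCS-4LE without ever writing past out_cap bytes.
 * iconv() tracks the remaining output space itself; the caller's job is to
 * pass the true capacity and to treat every -1 return as a stop condition. */
enum conv_status convert_bounded(const char *in, size_t in_len,
                                 char *out, size_t out_cap,
                                 size_t *consumed, size_t *written)
{
    iconv_t cd = iconv_open("UCS-4LE", "UTF-8");
    if (cd == (iconv_t)-1)
        return CONV_ERROR;

    char *ip = (char *)in, *op = out;
    size_t il = in_len, ol = out_cap;
    enum conv_status st = CONV_OK;

    if (iconv(cd, &ip, &il, &op, &ol) == (size_t)-1) {
        switch (errno) {
        case EINVAL: st = CONV_INCOMPLETE; break; /* input ends mid-character */
        case EILSEQ: st = CONV_INVALID;    break; /* invalid byte sequence */
        case E2BIG:  st = CONV_NOSPACE;    break; /* output buffer is full */
        default:     st = CONV_ERROR;      break;
        }
    }
    iconv_close(cd);
    *consumed = in_len - il;  /* bytes of complete characters converted */
    *written  = out_cap - ol; /* never exceeds out_cap */
    return st;
}

int main(void)
{
    /* Constructed sample: base64 "QeKS" decodes to 'A' plus E2 92, the first
     * two bytes of a three-byte UTF-8 character. */
    const char decoded[] = { 'A', (char)0xE2, (char)0x92 };
    char out[16];
    size_t used, made;
    enum conv_status st = convert_bounded(decoded, sizeof decoded, out, sizeof out, &used, &made);
    printf("status=%d consumed=%zu written=%zu\n", st, used, made);
    return st == CONV_INCOMPLETE ? 0 : 1;
}
```

A caller that gets `CONV_INCOMPLETE` either keeps the unconsumed tail for the next chunk or drops it at end of input; it does not retry with a guessed length.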
Comment 1 Eray Aslan gentoo-dev 2012-12-04 10:28:06 UTC
+*bogofilter-1.2.3 (04 Dec 2012)
+
+  04 Dec 2012; Eray Aslan <eras@gentoo.org> +bogofilter-1.2.3.ebuild:
+  Security bump - bug #445908
+

Should be good for stabilization.  Thank you.
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-04 10:40:38 UTC
Arches, please test and mark stable:
=mail-filter/bogofilter-1.2.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-12-04 13:27:43 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-04 13:28:38 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-04 13:29:35 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-04 13:30:30 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-04 18:28:13 UTC
Stable for HPPA.
Comment 8 Anthony Basile gentoo-dev 2012-12-05 01:03:16 UTC
stable arm
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-12-15 17:44:03 UTC
alpha/ia64/sh/sparc stable
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 15:23:02 UTC
Thanks, everyone.

GLSA vote: no.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:45:00 UTC
Vote: YES.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-12-17 03:34:12 UTC
GLSA Vote: no, too. closing noglsa.