-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bogofilter-SA-2010-01 Topic: heap corruption overrun in bogofilter/bogolexer Announcement: bogofilter-SA-2010-01 Writer: Matthias Andree Version: 1.0 CVE ID: CVE-2010-2494 Announced: 2010-07-07 Category: vulnerability Type: array index underflow/out of bounds write through invalid input Impact: heap corruption, application crash Credits: Julius Plenz Danger: medium URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01 Affected: bogofilter <= 1.2.1 SVN checkouts before 2010-07-03 08:40 UTC Not affected: bogofilter 1.2.2 1. Background ============= Bogofilter is a software package for classifying a message as spam or non-spam. It uses a data base to store words and must be trained which messages are spam and non-spam. It uses the probabilities of individual words for classifying the message. Note that the bogofilter project is issuing security announcements only for current "stable" releases, and not necessarily for past "stable" releases. 2. Problem description ====================== Bogofilter's/bogolexer's base64 could overwrite memory before its heap buffer if the base64 input started with an equals sign, such as through misdeclaration of quoted-printable as base64. 3. Impact ========= Vulnerable bogofilter and bogolexer applications can corrupt their heap and crash. The consequences are dependent on the local configuration, memory layout and operating system features. 4. Solution =========== Upgrade your bogofilter to version 1.2.2 (or a newer release). This version may not yet be available when this security announcement is issued. bogofilter is available from SourceForge: Alternatively, this patch to 1.2.1 would fix the issue: (Note that if you see "- -" at the beginnings of these lines, you need to run this file through gnupg or pgp to strip the signature and the "-"-escaping, or manually replace such line beginnings with "-"). This is an SVN diff of base64.c between revisions 6766 and 6906 and comprises two change sets: 6904 and 6906. - --- ./src/base64.c 2009/01/12 04:27:36 6766 +++ ./src/base64.c 2010/07/03 08:39:44 6906 @@ -61,8 +61,10 @@ d[i] = c; v = v >> 8; } - - d += 3 - shorten; - - count += 3 - shorten; + if(shorten != 4) { + d += 3 - shorten; + count += 3 - shorten; + } } /* XXX do we need this NUL byte? */ if (word->leng) A. Copyright, License and Warranty ================================== (C) Copyright 2010 by Matthias Andree, . Some rights reserved. This work is dual-licensed under the Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0), and the GNU General Public License, v3, or later. To view a copy of the Creative Commons Attribution-NoDerivs 3.0 Germany license, visit http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a letter to: Creative Commons 444 Castro Street Suite 900 MOUNTAIN VIEW, CALIFORNIA 94041 USA This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program, in the file ../gpl-3.0.txt. If not, see . THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END of bogofilter-SA-2010-01 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlHYI0gACgkQvmGDOQUufZXgDACguN6Ynz7582DCoO0+zd/KkRl7 iMsAoIQVNjLuu+Q2CUWRBk99WLsnAi1/ =Swjv -----END PGP SIGNATURE-----