| Summary: | amavisd-new new security issue CVE-2024-28054 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | amavisd-new-2.11.0-9.mga9.src.rpm | CVE: | CVE-2024-28054 |
| Status comment: | |||
Description
Nicolas Salguero
2024-05-29 15:34:07 CEST
Nicolas Salguero
2024-05-29 15:34:32 CEST
CVE: (none) => CVE-2024-28054

This is the advisory:

"Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware."

And the patch URLs:

https://gitlab.com/amavis/amavis/commit/78c4b7076ebf1d711629a95860aae1bc0db5277a
Add CC_UNCHECKED,3 content category

https://gitlab.com/amavis/amavis/commit/d921bc5208ce5b4e8f3e387a1d4e1f8fa4e85008
Use MIME::Entity->ambiguous_content if available

https://gitlab.com/amavis/amavis/commit/c6c4a4c27c60194b68b617b7d3cfb033d6c587e2
Describe CVE-2024-28054

Unsure that this last is needed.

This package has been unchanged for very many years (2.11.0, 8y!). No visible maintainer, assigning globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware. (CVE-2024-28054)

References:
https://ubuntu.com/security/notices/USN-6790-1
========================

Updated package in core/updates_testing:
========================
amavisd-new-2.11.0-9.1.mga9

from SRPM:
amavisd-new-2.11.0-9.1.mga9.src.rpm

Status: NEW => ASSIGNED
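The interpretation conflict the advisory describes, as an added example in Python (not code from Amavis, MIME-tools or this bug report): it lists every boundary parameter on a message's top-level Content-Type header, shows which attachments each candidate boundary yields, and, in the spirit of the CC_UNCHECKED category named in the patch list, marks a message with more than one boundary as unchecked instead of trusting either reading. The sample message and all function names are constructed for this example.

```python
"""Flag MIME messages whose top-level Content-Type carries more than one boundary
parameter (the CVE-2024-28054 ambiguity). Added example, not Amavis or MIME-tools code."""
import email
import re

# Every boundary parameter (quoted or bare token) in a Content-Type value.
# Assumption: RFC 2231 continuations (boundary*0=...) are not in use.
_BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.I)

def boundary_params(content_type):
    """All boundary values in a (possibly folded) Content-Type header, in order."""
    return [quoted or bare
            for quoted, bare in _BOUNDARY_RE.findall(" ".join(content_type.split()))]

def split_body(body, boundary):
    """Parts delimited by --boundary lines (RFC 2046); text after --boundary-- is dropped."""
    parts, current, inside = [], [], False
    for line in body.splitlines():
        marker = line.rstrip()
        if marker in (f"--{boundary}", f"--{boundary}--"):
            if inside:
                parts.append("\n".join(current))
            current, inside = [], marker == f"--{boundary}"
            if not inside:
                break
        elif inside:
            current.append(line)
    if inside:  # no closing delimiter: keep the trailing part anyway
        parts.append("\n".join(current))
    return parts

def attachment_names(parts):
    """Filenames a reader that split on this boundary would be shown."""
    return [n for n in (email.message_from_string(p).get_filename() for p in parts) if n]

def assess(raw_message):
    """Report what each candidate boundary yields; more than one means 'unchecked'."""
    text = raw_message.replace("\r\n", "\n")
    msg = email.message_from_string(text)
    body = text.partition("\n\n")[2]
    boundaries = list(dict.fromkeys(boundary_params(msg.get("Content-Type", ""))))
    return {
        "boundaries": boundaries,
        "stdlib_choice": msg.get_boundary(),  # one parser's pick; an MUA may differ
        "attachments": {b: attachment_names(split_body(body, b)) for b in boundaries},
        # A scanner cannot vouch for a message whose part list depends on the reader.
        "verdict": "unchecked" if len(boundaries) > 1 else "normal",
    }

# Constructed sample: one multipart header carrying two boundary parameters.
AMBIGUOUS = """\
Content-Type: multipart/mixed; boundary="aaa"; boundary="bbb"

--aaa
Content-Type: text/plain

Hello from the first reading.
--aaa
Content-Disposition: attachment; filename="notes.txt"

--bbb
Content-Disposition: attachment; filename="invoice.pdf"

--bbb--
--aaa--
"""
SINGLE = AMBIGUOUS.replace('; boundary="bbb"', "")  # control: a single boundary
```

Calling `assess(AMBIGUOUS)` shows one attachment list per boundary and the verdict `unchecked`, while `assess(SINGLE)` yields a single list and `normal`.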
katnatek
2024-06-01 03:43:38 CEST
Keywords: (none) => advisory

Installed without issues, but perhaps this needs some know-how:
systemctl start amavisd
Job for amavisd.service failed because the control process exited with error code.
See "systemctl status amavisd.service" and "journalctl -xeu amavisd.service" for details.
systemctl -l status amavisd
× amavisd.service - Amavisd-new is an interface between MTA and content checkers.
Loaded: loaded (/usr/lib/systemd/system/amavisd.service; disabled; preset: disabled)
Active: failed (Result: exit-code) since Fri 2024-05-31 20:31:45 CST; 16s ago
Docs: http://www.ijs.si/software/amavisd/#doc
Process: 458292 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf -P /run/amavis/amavis.pid (code=exited, status=255/EXCE>
CPU: 768ms
may 31 20:31:45 phoenix systemd[1]: amavisd.service: Scheduled restart job, restart counter is at 5.
may 31 20:31:45 phoenix systemd[1]: Stopped amavisd.service.
may 31 20:31:45 phoenix systemd[1]: amavisd.service: Start request repeated too quickly.
may 31 20:31:45 phoenix systemd[1]: amavisd.service: Failed with result 'exit-code'.
may 31 20:31:45 phoenix systemd[1]: Failed to start amavisd.service.
journalctl -xeu amavisd.service
A start job for unit amavisd.service has finished with a failure.
The job identifier is 3188 and the job result is failed.
may 31 20:31:45 phoenix systemd[1]: amavisd.service: Scheduled restart job, restart counter is at 5.
Subject: Automatic restarting of a unit has been scheduled
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Automatic restarting of the unit amavisd.service has been scheduled, as the result for the configured Restart= setting for the unit.
may 31 20:31:45 phoenix systemd[1]: Stopped amavisd.service.
Subject: A stop job for unit amavisd.service has finished
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A stop job for unit amavisd.service has finished.
The job identifier is 3293 and the job result is done.
may 31 20:31:45 phoenix systemd[1]: amavisd.service: Start request repeated too quickly.
may 31 20:31:45 phoenix systemd[1]: amavisd.service: Failed with result 'exit-code'.
Subject: Unit failed
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
The unit amavisd.service has entered the 'failed' state with result 'exit-code'.
may 31 20:31:45 phoenix systemd[1]: Failed to start amavisd.service.
Subject: A start job for unit amavisd.service has failed
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A start job for unit amavisd.service has finished with a failure.
The job identifier is 3293 and the job result is failed.
Keywords:
(none) => feedback

Hi,
That is strange. In my tests, either with a Cauldron VM or with a freshly created Mga9 VM, I got:
"""
[root@localhost ~]# systemctl start amavisd
[root@localhost ~]# systemctl status amavisd
● amavisd.service - Amavisd-new is an interface between MTA and content checkers.
Loaded: loaded (/usr/lib/systemd/system/amavisd.service; disabled; preset: disabled)
Active: active (running) since Mon 2024-06-03 14:21:49 CEST; 2min 35s ago
Docs: http://www.ijs.si/software/amavisd/#doc
Process: 15723 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf -P /run/amavis/amavis>
Main PID: 16488 (/usr/sbin/amavi)
Tasks: 4 (limit: 9522)
Memory: 161.8M
CPU: 2.540s
CGroup: /system.slice/amavisd.service
├─16488 "/usr/sbin/amavisd (master)"
├─18396 "/usr/sbin/amavisd (virgin child)"
├─18397 "/usr/sbin/amavisd (virgin child)"
└─18398 "/usr/sbin/amavisd (virgin child)"
juin 03 14:21:49 localhost amavis[16488]: No decoder for .7z
juin 03 14:21:49 localhost amavis[16488]: No decoder for .F
juin 03 14:21:49 localhost amavis[16488]: No decoder for .arj
juin 03 14:21:49 localhost amavis[16488]: No decoder for .iso
juin 03 14:21:49 localhost amavis[16488]: No decoder for .jar
juin 03 14:21:49 localhost amavis[16488]: No decoder for .lha
juin 03 14:21:49 localhost amavis[16488]: No decoder for .lz4
juin 03 14:21:49 localhost amavis[16488]: No decoder for .rar
juin 03 14:21:49 localhost amavis[16488]: No decoder for .swf
juin 03 14:21:49 localhost amavis[16488]: Using primary internal av scanner code for ClamAV-clamd
"""
Best regards,
Nico.
(In reply to Nicolas Salguero from comment #4)
> Hi,
>
> That is strange. In my tests, either with a Cauldron VM or with a freshly
> created Mga9 VM, I got:
> """
> [root@localhost ~]# systemctl start amavisd
> [root@localhost ~]# systemctl status amavisd
> ● amavisd.service - Amavisd-new is an interface between MTA and content checkers.
> Loaded: loaded (/usr/lib/systemd/system/amavisd.service; disabled; preset: disabled)
> Active: active (running) since Mon 2024-06-03 14:21:49 CEST; 2min 35s ago
> Docs: http://www.ijs.si/software/amavisd/#doc
> Process: 15723 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf -P /run/amavis/amavis>
> Main PID: 16488 (/usr/sbin/amavi)
> Tasks: 4 (limit: 9522)
> Memory: 161.8M
> CPU: 2.540s
> CGroup: /system.slice/amavisd.service
> ├─16488 "/usr/sbin/amavisd (master)"
> ├─18396 "/usr/sbin/amavisd (virgin child)"
> ├─18397 "/usr/sbin/amavisd (virgin child)"
> └─18398 "/usr/sbin/amavisd (virgin child)"
>
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .7z
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .F
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .arj
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .iso
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .jar
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .lha
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .lz4
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .rar
> juin 03 14:21:49 localhost amavis[16488]: No decoder for .swf
> juin 03 14:21:49 localhost amavis[16488]: Using primary internal av scanner code for ClamAV-clamd
> """
>
> Best regards,
>
> Nico.

I reinstalled and rebooted and got the same. I see you have the clamav service as well, something that I don't have. This could be a "The chair" issue; if it works for you it should be good, but Thomas decides what to do.

CC: (none) => andrewsfarm

Tested on VM
systemctl start amavisd
systemctl -l status amavisd
● amavisd.service - Amavisd-new is an interface between MTA and content checkers.
Loaded: loaded (/usr/lib/systemd/system/amavisd.service; disabled; preset: disabled)
Active: active (running) since Mon 2024-06-03 19:25:13 CST; 13s ago
Docs: http://www.ijs.si/software/amavisd/#doc
Process: 69718 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf -P /run/amavis/amavis.pid (code=exited, status=0/>
Main PID: 69722 (/usr/sbin/amavi)
Tasks: 4 (limit: 2352)
Memory: 162.7M
CPU: 3.464s
CGroup: /system.slice/amavisd.service
├─69722 "/usr/sbin/amavisd (master)"
├─69822 "/usr/sbin/amavisd (virgin child)"
├─69823 "/usr/sbin/amavisd (virgin child)"
└─69824 "/usr/sbin/amavisd (virgin child)"
jun 03 19:25:13 localhost amavis[69722]: No decoder for .F
jun 03 19:25:13 localhost amavis[69722]: No decoder for .arj
jun 03 19:25:13 localhost amavis[69722]: No decoder for .iso
jun 03 19:25:13 localhost amavis[69722]: No decoder for .jar
jun 03 19:25:13 localhost amavis[69722]: No decoder for .lha
jun 03 19:25:13 localhost amavis[69722]: No decoder for .lz4
jun 03 19:25:13 localhost amavis[69722]: No decoder for .rar
jun 03 19:25:13 localhost amavis[69722]: No decoder for .swf
jun 03 19:25:13 localhost amavis[69722]: Using primary internal av scanner code for ClamAV-clamd
jun 03 19:25:13 localhost systemd[1]: Started amavisd.service.
Looks like something in my system is blocking this service, no idea what.

Whiteboard: (none) => MGA9-64-OK

Installed in an MGA9-64 Plasma VM with no issues.
[root@localhost ~]# systemctl start amavisd
[root@localhost ~]# systemctl status amavisd
● amavisd.service - Amavisd-new is an interface between MTA and content checkers.
Loaded: loaded (/usr/lib/systemd/system/amavisd.service; disabled; preset: disabled)
Active: active (running) since Mon 2024-06-03 21:25:05 EDT; 18s ago
Docs: http://www.ijs.si/software/amavisd/#doc
Process: 14248 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf -P /run/amavis/amavis.pid (code=exited, status=0/SUCCESS)
Main PID: 14251 (/usr/sbin/amavi)
Tasks: 4 (limit: 4690)
Memory: 150.4M
CPU: 2.853s
CGroup: /system.slice/amavisd.service
├─14251 "/usr/sbin/amavisd (master)"
├─14254 "/usr/sbin/amavisd (virgin child)"
├─14255 "/usr/sbin/amavisd (virgin child)"
└─14256 "/usr/sbin/amavisd (virgin child)"
Jun 03 21:25:04 localhost.localdomain systemd[1]: Starting amavisd.service...
Jun 03 21:25:05 localhost.localdomain amavis[14248]: starting. /usr/sbin/amavisd at localhost.twcny.rr.com amavisd-new-2.11.0 (20160426), Unicode aware, LANG="en_US.UTF-8"
Jun 03 21:25:05 localhost.localdomain amavis[14251]: Net::Server: Group Not Defined. Defaulting to EGID '951 951'
Jun 03 21:25:05 localhost.localdomain amavis[14251]: Net::Server: User Not Defined. Defaulting to EUID '955'
Jun 03 21:25:05 localhost.localdomain systemd[1]: Started amavisd.service.
Jun 03 21:25:05 localhost.localdomain amavis[14251]: No $altermime, not using it
Jun 03 21:25:05 localhost.localdomain amavis[14251]: No ext program for .lz4, tried: lz4c -d
Jun 03 21:25:05 localhost.localdomain amavis[14251]: No ext program for .rar, tried: unrar, rar
Jun 03 21:25:05 localhost.localdomain amavis[14251]: No decoder for .lz4
Jun 03 21:25:05 localhost.localdomain amavis[14251]: Using primary internal av scanner code for ClamAV-clamd
(ClamAV is NOT installed)
So my VM results are similar. Nico, did you happen to try this on real hardware? Perhaps it is something peculiar to a VM.
Removing the OK.

Tested in RH Mageia 9 i586 and it fails as in x86_64:
systemctl start amavisd
Job for amavisd.service failed because the control process exited with error code.
See "systemctl status amavisd.service" and "journalctl -xeu amavisd.service" for details.
systemctl -l status amavisd
● amavisd.service - Amavisd-new is an interface between MTA and content checkers.
Loaded: loaded (/usr/lib/systemd/system/amavisd.service; disabled; preset: disabled)
Active: activating (start) since Mon 2024-06-03 19:55:57 CST; 600ms ago
Docs: http://www.ijs.si/software/amavisd/#doc
Cntrl PID: 21160 (amavisd)
Tasks: 1 (limit: 4748)
Memory: 6.0M
CPU: 333ms
CGroup: /system.slice/amavisd.service
└─21160 /usr/bin/perl -T /usr/sbin/amavisd -c /etc/amavisd/amavisd.conf -P /run/amavi>
jun 03 19:55:59 cefiro amavisd[21160]: You must explicitly assign a FQDN of this host to variabl>
jun 03 19:55:59 cefiro amavisd[21160]: in amavisd.conf, or fix what uname(3) provides as a host'>
jun 03 19:55:59 cefiro systemd[1]: amavisd.service: Control process exited, code=exited, status=25>
jun 03 19:55:59 cefiro systemd[1]: amavisd.service: Failed with result 'exit-code'.
jun 03 19:55:59 cefiro systemd[1]: Failed to start amavisd.service.
jun 03 19:55:59 cefiro systemd[1]: amavisd.service: Consumed 2.049s CPU time.
jun 03 19:56:00 cefiro systemd[1]: amavisd.service: Scheduled restart job, restart counter is at 7>
jun 03 19:56:00 cefiro systemd[1]: Stopped amavisd.service.
jun 03 19:56:00 cefiro systemd[1]: amavisd.service: Consumed 2.049s CPU time.
jun 03 19:56:00 cefiro systemd[1]: Starting amavisd.service...
jun 03 19:56:02 cefiro amavisd[21367]: The value of variable $myhostname is "cefiro", but should>
jun 03 19:56:02 cefiro amavisd[21367]: a fully qualified domain name; perhaps uname(3) did not p>
jun 03 19:56:02 cefiro amavisd[21367]: You must explicitly assign a FQDN of this host to variabl>
jun 03 19:56:02 cefiro amavisd[21367]: in amavisd.conf, or fix what uname(3) provides as a host'>
jun 03 19:56:02 cefiro systemd[1]: amavisd.service: Control process exited, code=exited, status=25>
jun 03 19:56:02 cefiro systemd[1]: amavisd.service: Failed with result 'exit-code'.
journalctl -xeu amavisd.service
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Automatic restarting of the unit amavisd.service has been scheduled, as the result for the configured Restart= setting for the unit.
jun 03 19:57:36 cefiro systemd[1]: Stopped amavisd.service.
Subject: A stop job for unit amavisd.service has finished
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A stop job for unit amavisd.service has finished.
The job identifier is 13477 and the job result is done.
jun 03 19:57:36 cefiro systemd[1]: amavisd.service: Consumed 5.403s CPU time.
Subject: Resources consumed by unit runtime
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
The unit amavisd.service completed and consumed the indicated resources.
jun 03 19:57:36 cefiro systemd[1]: Starting amavisd.service...
Subject: A start job for unit amavisd.service has begun execution
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A start job for unit amavisd.service has begun execution.
The job identifier is 13477.
This is not working on real systems.

The only weird thing I note is that I select postfix when I have to choose between postfix and sendmail, and I get warnings about not having execution rights on
`/var/spool/postfix/lib/libcap.so.2' and `/var/spool/postfix/usr/lib/libcap.so.2.52'

Whiteboard: MGA9-64-OK => (none)

And no problem here on real 64-bit hardware. It's a puzzle, all right.

(In reply to Thomas Andrews from comment #9)
> And no problem here on real 64-bit hardware. It's a puzzle, all right.

Your host name is like myhost.my.domain, because my host is just myhost, and I find that can be one cause of this failure:
https://github.com/modoboa/modoboa-installer/issues/264

The other is this:
https://forums.rockylinux.org/t/rocky-linux-9-3-amavisd-fails-to-start-failed-with-result-exit-code/12574/3

(In reply to katnatek from comment #10)
> (In reply to Thomas Andrews from comment #9)
> > And no problem here on real 64-bit hardware. It's a puzzle, all right.
>
> Your host name is like myhost.my.domain, because my host is just myhost,
> and I find that can be one cause of this failure:
>
> https://github.com/modoboa/modoboa-installer/issues/264
>
> The other is this:
> https://forums.rockylinux.org/t/rocky-linux-9-3-amavisd-fails-to-start-failed-with-result-exit-code/12574/3

I see in your test you have localhost.localdomain; quite sure the hostnames are the cause of my issues.

Theory confirmed. I changed my hostname a little and reinstalled:
systemctl start amavisd
systemctl -l status amavisd
● amavisd.service - Amavisd-new is an interface between MTA and content checkers.
Loaded: loaded (/usr/lib/systemd/system/amavisd.service; disabled; preset: disabled)
Active: active (running) since Tue 2024-06-04 10:16:03 CST; 33s ago
Docs: http://www.ijs.si/software/amavisd/#doc
Process: 30566 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf -P /run/amavis/amavis.pid (code=exited, status=0/SUCCESS)
Main PID: 32238 (/usr/sbin/amavi)
Tasks: 4 (limit: 6905)
Memory: 162.7M
CPU: 3.041s
CGroup: /system.slice/amavisd.service
├─32238 "/usr/sbin/amavisd (master)"
├─32439 "/usr/sbin/amavisd (virgin child)"
├─32440 "/usr/sbin/amavisd (virgin child)"
└─32441 "/usr/sbin/amavisd (virgin child)"
jun 04 10:15:57 jgrey.phoenix systemd[1]: Starting amavisd.service...
jun 04 10:16:00 jgrey.phoenix amavis[30566]: starting. /usr/sbin/amavisd at jgrey.phoenix amavisd-new-2.11.0 (20160426), Unicode awa>
jun 04 10:16:03 jgrey.phoenix amavis[32238]: Net::Server: Group Not Defined. Defaulting to EGID '946 946'
jun 04 10:16:03 jgrey.phoenix amavis[32238]: Net::Server: User Not Defined. Defaulting to EUID '952'
jun 04 10:16:03 jgrey.phoenix systemd[1]: Started amavisd.service.
jun 04 10:16:03 jgrey.phoenix amavis[32238]: No $altermime, not using it
jun 04 10:16:03 jgrey.phoenix amavis[32238]: No ext program for .lz4, tried: lz4c -d
jun 04 10:16:03 jgrey.phoenix amavis[32238]: No decoder for .lz4
jun 04 10:16:03 jgrey.phoenix amavis[32238]: Using primary internal av scanner code for ClamAV-clamd

Keywords: feedback => (none)

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0212.html

Resolution: (none) => FIXED