Bug 8376

Summary: bogofilter new security issue CVE-2012-5468
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/528912/
Whiteboard: has_procedure mga2-64-OK MGA2-32-OK
Source RPM: bogofilter-1.2.2-2.mga1.src.rpm CVE:
Status comment:
Attachments: script to create PoC

Description David Walser 2012-12-12 20:46:31 CET 
Debian has issued an advisory on December 11:
http://www.debian.org/security/2012/dsa-2585

Cauldron is not affected as it was fixed upstream in 1.2.3, which we have.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated bogofilter package fixes security vulnerability:

In bogofilter before 1.2.3, bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters (CVE-2012-5468).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5468
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
http://www.debian.org/security/2012/dsa-2585
========================

Updated packages in core/updates_testing:
========================
bogofilter-1.2.2-2.1.mga2

from bogofilter-1.2.2-2.1.mga2.src.rpm
Comment 1 claire robinson 2012-12-13 11:17:06 CET 
Was the test for this included in the build David?

http://bogofilter.svn.sourceforge.net/viewvc/bogofilter?view=revision&revision=6975
Comment 2 claire robinson 2012-12-13 11:48:48 CET 
Created attachment 3240 [details]
script to create PoC

Testing complete mga2 64 using the attached script.

Adapted from the build test http://bogofilter.svn.sourceforge.net/viewvc/bogofilter/trunk/bogofilter/src/tests/t.crash-invalid-base64?revision=6975&pathrev=6975

bogofilter complains about not having a wordlist when first started so created one with..

$ bogofilter -s
viagra
porn
ctrl-c
ctrl-c

Ran the adapted script attached here to create spam.txt

Before
------
$ bogofilter -I spam.txt
*** glibc detected *** bogofilter: realloc(): invalid next size: 0x00000000018161b0 ***

Had to close the terminal to quit, it didn't respond to ctrl-c

After
-----
$ bogofilter -I spam.txt
$

Returns to a prompt without error.
claire robinson 2012-12-13 11:49:14 CET

Whiteboard: (none) => has_procedure mga2-64-OK

Comment 3 David Walser 2012-12-13 14:54:14 CET 
(In reply to comment #1)
> Was the test for this included in the build David?
> 
> http://bogofilter.svn.sourceforge.net/viewvc/bogofilter?view=revision&revision=6975

No, good find.  Would you like me to add it?
Comment 4 claire robinson 2012-12-13 15:06:39 CET 
May as well I think David, it's easy to test so repeating shouldn't cause any delay.
Comment 5 David Walser 2012-12-13 21:47:38 CET 
Test added, but there's a build system issue and I don't know if it'll ever finish.  If it does, it'll be bogofilter-1.2.2-2.1.mga2.
Comment 6 Dave Hodgins 2012-12-14 01:55:07 CET 
Seems the poc only causes a problem on 64 bit systems.  On i586, it works ok
both before and after the update.

Could someone from the sysadmin team push the srpm
bogofilter-1.2.2-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated bogofilter package fixes security vulnerability:

In bogofilter before 1.2.3, bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters (CVE-2012-5468).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5468
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
http://www.debian.org/security/2012/dsa-2585

https://bugs.mageia.org/show_bug.cgi?id=8376

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK MGA2-32-OK

Comment 7 Thomas Backlund 2012-12-14 02:04:26 CET 
bogofilter-1.2.2-2.2.mga2 finally got built/uploaded some 1,5 h ago after a "gazillion" chroot install rounds...

So I guess the validation is not valid anymore...

CC: (none) => tmb

claire robinson 2012-12-14 08:45:49 CET

Keywords: validated_update => (none)
Whiteboard: has_procedure mga2-64-OK MGA2-32-OK => has_procedure

Comment 8 claire robinson 2012-12-14 14:09:37 CET 
retested mga2 64 OK

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 9 Dave Hodgins 2012-12-14 23:51:09 CET 
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
bogofilter-1.2.2-2.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated bogofilter package fixes security vulnerability:

In bogofilter before 1.2.3, bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters (CVE-2012-5468).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5468
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
http://www.debian.org/security/2012/dsa-2585

https://bugs.mageia.org/show_bug.cgi?id=8376

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK MGA2-32-OK

Comment 10 Thomas Backlund 2012-12-20 23:20:17 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0363

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 11 David Walser 2013-01-03 17:10:41 CET 
Patch checked into Mageia 1 SVN.