Bug 23590 - spamassassin new security issues fixed upstream in 3.4.2
Summary: spamassassin new security issues fixed upstream in 3.4.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-17 02:55 CEST by David Walser
Modified: 2018-10-30 19:02 CET (History)

See Also:
Source RPM: spamassassin-3.4.1-7.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-09-17 02:55:07 CEST
Spamassassin 3.4.2 has been announced, fixing several security issues:
https://www.openwall.com/lists/oss-security/2018/09/16/1
David Walser 2018-09-17 02:55:22 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-09-18 14:01:49 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing one committer.

CC: (none) => marja11, shlomif
Assignee: bugsquad => pkg-bugs

Comment 2 Bruno Cornec 2018-10-11 01:18:39 CEST
shlomif has pushed the 3.4.2 version to cauldron so that should be good for this branch.

CC: (none) => bruno

Comment 3 Bruno Cornec 2018-10-11 01:37:50 CEST
I pushed the same version in 6 core/updates_testing

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

Comment 4 David Walser 2018-10-12 01:05:15 CEST
Advisory:
========================

Updated spamassassin package fixes security vulnerabilities:

A reliance on "." in @INC in one configuration script (CVE-2016-1238).

A denial of service vulnerability arises with certain unclosed tags in emails
that cause markup to be handled incorrectly leading to scan timeouts
(CVE-2017-15705).

A potential Remote Code Execution bug with the PDFInfo plugin (CVE-2018-11780).

A local user code injection in the meta rule syntax (CVE-2018-11781).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781
https://www.openwall.com/lists/oss-security/2018/09/16/1
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.2-1.1.mga6
spamassassin-sa-compile-3.4.2-1.1.mga6
spamassassin-tools-3.4.2-1.1.mga6
spamassassin-spamd-3.4.2-1.1.mga6
spamassassin-spamc-3.4.2-1.1.mga6
perl-Mail-SpamAssassin-3.4.2-1.1.mga6
perl-Mail-SpamAssassin-Spamd-3.4.2-1.1.mga6

from spamassassin-3.4.2-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 David Walser 2018-10-13 00:53:29 CEST
Red Hat has issued an advisory for two of these issues on October 11:
https://access.redhat.com/errata/RHSA-2018:2916
Comment 6 David Walser 2018-10-15 23:11:40 CEST
Fedora has issued an advisory for this on September 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WQLOB65TXVE2WTAWI7HSIN5YFEPE5JCY/
Comment 7 PC LX 2018-10-19 12:08:12 CEST
Installed and tested, but it seems to NOT be working.

TL;DR: spamassassin is not working. The spam score is zero and the tests are "none" for all messages. The rules package is for version 3.4.1 and does not seem to work with version 3.4.2. Maybe updating the package "spamassassin-rules" will solve this issue.


System: Mageia 6, x86_64, Intel CPU.


After the update to version 3.4.2, I noticed that, for all messages, the spam score was always ZERO and the tests were always "none".
Before the update and after a downgrade to version 3.4.1, the messages have various scores and tests.

Before update:
=======================================
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,HTML_MESSAGE,
	T_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.1
=======================================

After update:
=======================================
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marte.home
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham autolearn_force=no version=3.4.2
=======================================

After downgrade:
=======================================
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,HTML_MESSAGE,
	T_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.1
---------------------------------------
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home
X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_50,HTML_MESSAGE,
	MIME_HTML_ONLY,RP_MATCHES_RCVD,T_OBFU_PDF_ATTACH autolearn=no
	autolearn_force=no version=3.4.1
=======================================

To try and debug the issue, I looked at the spam rules with spamassassin's lint feature, and the result is as follows:
=======================================
$ spamassassin --lint
Oct 19 10:37:13.214 [8266] warn: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.214 [8266] warn: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.230 [8266] warn: config: configuration file "/usr/share/spamassassin/20_body_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.230 [8266] warn: config: configuration file "/usr/share/spamassassin/20_body_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_compensate.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_compensate.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dnsbl_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dnsbl_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.233 [8266] warn: config: configuration file "/usr/share/spamassassin/20_drugs.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.233 [8266] warn: config: configuration file "/usr/share/spamassassin/20_drugs.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.235 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dynrdns.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.235 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dynrdns.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.236 [8266] warn: config: configuration file "/usr/share/spamassassin/20_fake_helo_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.236 [8266] warn: config: configuration file "/usr/share/spamassassin/20_fake_helo_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.260 [8266] warn: config: configuration file "/usr/share/spamassassin/20_head_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.260 [8266] warn: config: configuration file "/usr/share/spamassassin/20_head_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.263 [8266] warn: config: configuration file "/usr/share/spamassassin/20_html_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.263 [8266] warn: config: configuration file "/usr/share/spamassassin/20_html_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.268 [8266] warn: config: configuration file "/usr/share/spamassassin/20_meta_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.268 [8266] warn: config: configuration file "/usr/share/spamassassin/20_meta_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.269 [8266] warn: config: configuration file "/usr/share/spamassassin/20_net_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.269 [8266] warn: config: configuration file "/usr/share/spamassassin/20_net_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.271 [8266] warn: config: configuration file "/usr/share/spamassassin/20_phrases.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.271 [8266] warn: config: configuration file "/usr/share/spamassassin/20_phrases.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.272 [8266] warn: config: configuration file "/usr/share/spamassassin/20_porn.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.272 [8266] warn: config: configuration file "/usr/share/spamassassin/20_porn.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.282 [8266] warn: config: configuration file "/usr/share/spamassassin/20_uri_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.282 [8266] warn: config: configuration file "/usr/share/spamassassin/20_uri_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.295 [8266] warn: config: configuration file "/usr/share/spamassassin/23_bayes.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.295 [8266] warn: config: configuration file "/usr/share/spamassassin/23_bayes.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.367 [8266] warn: config: configuration file "/usr/share/spamassassin/72_active.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.367 [8266] warn: config: configuration file "/usr/share/spamassassin/72_active.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.426 [8266] warn: config: configuration file "/usr/share/spamassassin/73_sandbox_manual_scores.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.426 [8266] warn: config: configuration file "/usr/share/spamassassin/73_sandbox_manual_scores.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.583 [8266] warn: lint: 17 issues detected, please rerun with debug enabled for more information
=======================================

It seems the rules for "version 3.004001" are not used by "version 3.004002". Maybe this could be solved by also updating the rules package with the rules for the updated version.

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ # AFTER UPDATE
$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.2-1.1.mga6
spamassassin-3.4.2-1.1.mga6
spamassassin-rules-3.4.1-1.mga6
$ # AFTER DOWNGRADE
$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.1-3.mga6
spamassassin-3.4.1-3.mga6
spamassassin-rules-3.4.1-1.mga6

CC: (none) => mageia

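Added example (not from the bug report or from the SpamAssassin project): a small Python checker for the two symptoms described in comment 7, the `spamassassin --lint` warnings about rule files skipped because they require a different version, and X-Spam-Status headers that come back with score=0.0 and tests=none. The sample lint lines and header blocks are constructed from the ones quoted in the comment; the function names are this example's own.

```python
import re

# Constructed sample of `spamassassin --lint` output, modelled on comment 7's
# warnings (SpamAssassin prints each one twice, once with a Perl "at ... line" suffix).
LINT_OUTPUT = """\
Oct 19 10:37:13.214 [8266] warn: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.214 [8266] warn: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.295 [8266] warn: config: configuration file "/usr/share/spamassassin/23_bayes.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.583 [8266] warn: lint: 17 issues detected, please rerun with debug enabled for more information
"""
SKIP_RE = re.compile(
    r'configuration file "(?P<path>[^"]+)" requires version (?P<need>[\d.]+) '
    r"of SpamAssassin, but this is code version (?P<have>[\d.]+)\.")

def skipped_rule_files(lint_output):
    """Map each skipped rule file to (required version, running code version);
    a dict collapses the duplicated warning lines into one entry per file."""
    skipped = {}
    for line in lint_output.splitlines():
        m = SKIP_RE.search(line)
        if m:
            skipped[m.group("path")] = (m.group("need"), m.group("have"))
    return skipped

# Constructed header blocks in the shape quoted in the bug; the first one has an
# RFC 5322 folded continuation line that starts with a tab.
HEADERS_OK = """X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,HTML_MESSAGE,
\tT_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.1
"""
HEADERS_BROKEN = """X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marte.home
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham autolearn_force=no version=3.4.2
"""
STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No), score=(?P<score>-?[\d.]+) required=(?P<req>[\d.]+)"
    r" tests=(?P<tests>.*?)(?=\s+\w+=|$)")

def unfold_headers(raw):
    """Join folded continuation lines (leading SP/TAB) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_spam_status(raw_headers):
    """Return verdict, score, threshold and the list of rules that fired, or None."""
    for line in unfold_headers(raw_headers):
        if line.lower().startswith("x-spam-status:"):
            m = STATUS_RE.match(line.split(":", 1)[1].strip())
            if not m:
                return None
            tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
            return {"verdict": m.group("verdict"), "score": float(m.group("score")),
                    "required": float(m.group("req")),
                    "tests": [] if tests == ["none"] else tests}
    return None

def rules_not_loaded(raw_headers):
    """Failure signature from comment 7: the scanner ran but no rule fired at all."""
    status = parse_spam_status(raw_headers)
    return status is not None and status["score"] == 0.0 and not status["tests"]
```

A non-empty result from `skipped_rule_files` on the real lint output, or `rules_not_loaded` being true for ordinary mail, is the cue to compare the installed spamassassin and spamassassin-rules versions before looking anywhere else.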
Comment 8 Bruno Cornec 2018-10-19 17:16:57 CEST
I have updated spamassassin-rules for both mga6 and cauldron and it builds locally. However, it doesn't pass on the build system, with this error:

channel: no 'mirrors.updates.spamassassin.org' record found, channel failed

I tried to mitigate that with tips from the spamassassin forum without much luck up to now. Still searching. I really dislike non-reproducible builds made of on-the-fly downloads; they have all kinds of possibilities to fail :-( Will see if I can replace that with something more stable.

I have also modified the spamassassin spec file to force the dep on spamassassin-rules 3.4.2, as it seems needed (hopefully testing will confirm). [Q: I wonder what the usage of the bootstrap mechanism in the spec file is, however. I think it could be removed but didn't want to touch it for now]

So testing should be done with spamassassin-rules-3.4.2-1.1.mga6 and spamassassin-3.4.2-1.2.mga6 as soon as the build works on the build system.
Comment 9 David Walser 2018-10-20 00:36:56 CEST
spamassassin-3.4.2-1.2.mga6
spamassassin-sa-compile-3.4.2-1.2.mga6
spamassassin-tools-3.4.2-1.2.mga6
spamassassin-spamd-3.4.2-1.2.mga6
spamassassin-spamc-3.4.2-1.2.mga6
perl-Mail-SpamAssassin-3.4.2-1.2.mga6
perl-Mail-SpamAssassin-Spamd-3.4.2-1.2.mga6

still waiting on spamassassin-rules.

Keywords: (none) => feedback

Comment 10 Bruno Cornec 2018-10-20 20:10:11 CEST
Ok, so I used the standard way of building packages by just referring to the source file that should be used, and pushing it into SVN. Much more reliable IMHO.

I still have to solve a circular dep between spamassassin and spamassassin-rules so it can be tested. Will update that BR as soon as it's solved (also asked for help on the dev ML for that).
Comment 11 Bruno Cornec 2018-10-21 18:44:26 CEST
Seems to be now solved for cauldron. Packages uploaded: spamassassin-3.4.2-5.mga7 and spamassassin-rules-3.4.2-2.mga7
Comment 12 Bruno Cornec 2018-10-21 21:07:57 CEST
Upload in progress for mga6 as well:
- spamassassin-rules-3.4.2-1.1.mga6
- spamassassin-3.4.2-1.5.mga6
Comment 13 PC LX 2018-10-21 21:50:28 CEST
Installed and tested without issues.

Seems to be working. Messages are being tagged and spam seems to be detected adequately.

====================================
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marte.home
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,BODY_SINGLE_WORD,
	T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.2
====================================

$ uname -a
Linux marte 4.14.76-desktop-1.mga6 #1 SMP Sat Oct 13 23:34:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.2-1.4.mga6
spamassassin-3.4.2-1.4.mga6
spamassassin-rules-3.4.2-1.1.mga6
Comment 14 David Walser 2018-10-21 22:46:19 CEST
Updated packages in core/updates_testing:
========================
spamassassin-3.4.2-1.5.mga6
spamassassin-sa-compile-3.4.2-1.5.mga6
spamassassin-tools-3.4.2-1.5.mga6
spamassassin-spamd-3.4.2-1.5.mga6
spamassassin-spamc-3.4.2-1.5.mga6
perl-Mail-SpamAssassin-3.4.2-1.5.mga6
perl-Mail-SpamAssassin-Spamd-3.4.2-1.5.mga6
spamassassin-rules-3.4.2-1.1.mga6

from SRPMS:
spamassassin-3.4.2-1.5.mga6.src.rpm
spamassassin-rules-3.4.2-1.1.mga6.src.rpm

Keywords: feedback => (none)

Comment 15 Herman Viaene 2018-10-24 10:40:13 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
# systemctl start spamd
# systemctl -l status spamd
● spamd.service - Spamassassin daemon
   Loaded: loaded (/usr/lib/systemd/system/spamd.service; enabled; vendor preset: enabled)
   Active: active (running) since wo 2018-10-24 10:16:06 CEST; 7s ago
  Process: 27873 ExecStart=/usr/bin/spamd --pidfile /run/spamd.pid $SPAMDOPTIONS (code=exited
 Main PID: 27888 (spamd)
   CGroup: /system.slice/spamd.service
           ├─27888 /usr/bin/perl -T -w /usr/bin/spamd --pidfile /run/spamd.pid -d -c -m5 -H -
           ├─27949 spamd chil
           └─27950 spamd chil

okt 24 10:15:55 xxx.yyyy.zzz systemd[1]: Starting Spamassassin daemon...
okt 24 10:16:06 xxx.yyy.zzz systemd[1]: Started Spamassassin daemon.
Figured out how to set thunderbird to use spamassassin in mozilla site, seems OK.
Found the test message in https://spamassassin.apache.org/gtube/, tried to send it to my gmail account, but I never received it; guessing gmail filters it out? Investigating further.

CC: (none) => herman.viaene

Comment 16 Herman Viaene 2018-10-24 10:59:59 CEST
Referring to bug 19491, had my hotmail account activated on the test laptop with thunderbird. The spam message does not get through either; a plain message is received OK.
Comment 17 PC LX 2018-10-29 16:43:05 CET
A few people have already tested this update and I have used this update for over a week without issues so I'm going to mark it as OK (x86_64 from comment #13 and x86 from comment #15 and comment #16).

Please unOK it if you think appropriate.

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK

Comment 18 Thomas Andrews 2018-10-30 03:56:29 CET
Looks good to me. Validating. Final package list in Comment 14, suggested advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-10-30 17:58:53 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 19 Mageia Robot 2018-10-30 19:02:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0425.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

