Bug 28673 - spamassassin new security issue CVE-2020-1946
Summary: spamassassin new security issue CVE-2020-1946
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-03-29 14:13 CEST by Nicolas Salguero
Modified: 2021-05-27 23:48 CEST (History)

See Also:
Source RPM: spamassassin-3.4.4-3.mga8.src.rpm, spamassassin-rules-3.4.4-2.mga8.src.rpm
CVE: CVE-2020-1946
Status comment:



Description Nicolas Salguero 2021-03-29 14:13:00 CEST
Apache released SpamAssassin 3.4.5 on March 24, fixing a security issue:
https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.5.txt
https://www.openwall.com/lists/oss-security/2021/03/24/3

Mageia 7 and 8 are also affected.
Nicolas Salguero 2021-03-29 14:15:10 CEST

CVE: (none) => CVE-2020-1946
Source RPM: (none) => spamassassin-3.4.4-3.mga8.src.rpm, spamassassin-rules-3.4.4-2.mga8.src.rpm
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Nicolas Salguero 2021-03-29 15:22:19 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places. (CVE-2020-1946)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1946
https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.5.txt
https://www.openwall.com/lists/oss-security/2021/03/24/3
========================

Updated packages in 7/core/updates_testing:
========================
spamassassin-3.4.5-1.mga7
spamassassin-sa-compile-3.4.5-1.mga7
spamassassin-tools-3.4.5-1.mga7
spamassassin-spamd-3.4.5-1.mga7
spamassassin-spamc-3.4.5-1.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga7
spamassassin-rules-3.4.5-1.mga7

from SRPMS:
spamassassin-3.4.5-1.mga7.src.rpm
spamassassin-rules-3.4.5-1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
spamassassin-3.4.5-1.mga8
spamassassin-sa-compile-3.4.5-1.mga8
spamassassin-tools-3.4.5-1.mga8
spamassassin-spamd-3.4.5-1.mga8
spamassassin-spamc-3.4.5-1.mga8
perl-Mail-SpamAssassin-3.4.5-1.mga8
perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga8
spamassassin-rules-3.4.5-1.mga8

from SRPMS:
spamassassin-3.4.5-1.mga8.src.rpm
spamassassin-rules-3.4.5-1.mga8.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8

Comment 2 PC LX 2021-03-31 15:14:25 CEST
Installed and tested without issues.

Tested on a good number of ham and spam messages, in a setup with fetchmail, dovecot and roundcubemail.
Used email clients: kmail, trojita, roundcubemail and FairEmail (Android).
All seems to be working as expected.

======================================================
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on marte.local
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_99,BAYES_999,
	HTML_MESSAGE,T_REMOTE_IMAGE autolearn=no autolearn_force=no
	version=3.4.5
X-Spam-Report: 
	*  4.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
	*      [score: 1.0000]
	*  5.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
	*      [score: 1.0000]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 T_REMOTE_IMAGE Message contains an external image
======================================================


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.10.25-desktop-1.mga7 #1 SMP Sat Mar 20 17:16:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i spamassassin
spamassassin-rules-3.4.5-1.mga7
spamassassin-3.4.5-1.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7

CC: (none) => mageia
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
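As an added illustration (not part of the bug report or of SpamAssassin itself), a small Python check that parses X-Spam-Status and X-Spam-Checker-Version headers like the ones quoted above and flags mail that was scanned by a SpamAssassin release older than the fixed 3.4.5; the sample headers are constructed for the example.

```python
import re

# CVE-2020-1946 is fixed in SpamAssassin 3.4.5 (see the advisory in Comment 1).
FIXED_VERSION = (3, 4, 5)

# Constructed sample modelled on the headers quoted in Comment 2 (not a real capture).
SAMPLE_HEADERS = (
    "X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on marte.local\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_99,BAYES_999,\n"
    "\tHTML_MESSAGE,T_REMOTE_IMAGE autolearn=no autolearn_force=no\n"
    "\tversion=3.4.5\n"
    "Subject: constructed sample\n\nbody text\n"
)

def get_header(raw, name):
    """Return one header value from a raw message, with RFC 5322 folding undone."""
    head = raw.split("\n\n", 1)[0]               # headers end at the first blank line
    head = re.sub(r"\r?\n[ \t]+", " ", head)      # join folded continuation lines
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", head, re.M | re.I)
    return m.group(1).strip() if m else None

def parse_spam_status(value):
    """Split 'Yes, score=9.0 required=5.0 tests=A,B, C ... version=3.4.5' into fields.
    A token without '=' continues the previous field (the folded tests list)."""
    tokens = value.split()
    fields, last = {"verdict": tokens[0].rstrip(",")}, None
    for tok in tokens[1:]:
        if "=" in tok:
            last, val = tok.split("=", 1)
            fields[last] = val
        elif last is not None:
            fields[last] += tok
    fields["tests"] = [t for t in fields.get("tests", "").split(",") if t]
    fields.update({k: float(fields[k]) for k in ("score", "required") if k in fields})
    return fields

def audit_message(raw):
    """Report which SpamAssassin scanned the message and whether it predates the fix."""
    status = get_header(raw, "X-Spam-Status")
    if status is None:
        return {"scanned": False}
    info = parse_spam_status(status)
    # Prefer the version= field; fall back to X-Spam-Checker-Version if it is absent.
    checker = get_header(raw, "X-Spam-Checker-Version") or ""
    m = re.search(r"SpamAssassin (\d+(?:\.\d+)+)", checker)
    text = info.get("version") or (m.group(1) if m else None)
    info["version"] = tuple(int(p) for p in text.split(".")) if text else None
    info["scanned"] = True
    info["patched"] = info["version"] is not None and info["version"] >= FIXED_VERSION
    return info
```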

Comment 3 Thomas Andrews 2021-04-12 01:15:39 CEST
Tested in a 64-bit MGA8 Plasma vbox guest.

Installed spamassassin packages and dependencies. Then used the above package list in qarepo:

The following 7 packages are going to be installed:

- perl-Mail-SpamAssassin-3.4.5-1.mga8.x86_64
- perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga8.x86_64
- spamassassin-3.4.5-1.mga8.x86_64
- spamassassin-rules-3.4.5-1.mga8.noarch
- spamassassin-spamc-3.4.5-1.mga8.x86_64
- spamassassin-spamd-3.4.5-1.mga8.x86_64
- spamassassin-tools-3.4.5-1.mga8.x86_64

No installation issues. After, tried a minimal test to see if the service would start:

# systemctl start spamd.service
# systemctl status spamd.service
● spamd.service - Spamassassin daemon
     Loaded: loaded (/usr/lib/systemd/system/spamd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2021-04-11 19:09:26 EDT; 27s ago
   Main PID: 24096 (spamd)
      Tasks: 3 (limit: 4697)
     Memory: 100.4M
        CPU: 1.702s
     CGroup: /system.slice/spamd.service
             ├─24096 /usr/bin/perl -T -w /usr/bin/spamd
             ├─24103 spamd child
             └─24104 spamd child

Apr 11 19:09:26 localhost.localdomain systemd[1]: Started Spamassassin daemon.
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.5)
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server pid: 24096
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server successfully spawned child process, pid 24103
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server successfully spawned child process, pid 24104
Apr 11 19:09:29 localhost.localdomain spamd[24096]: prefork: child states: IS
Apr 11 19:09:29 localhost.localdomain spamd[24096]: prefork: child states: II

Since the MGA7 update is the same version and has already been tested for functionality, I'm going to give this an MGA8 OK on a clean install and my very minimal test.

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update

Aurelien Oudelet 2021-04-12 16:20:04 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-04-12 22:02:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0182.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 5 David Walser 2021-05-27 23:48:35 CEST
Debian issued an advisory for this on March 27:
https://www.debian.org/security/2021/dsa-4879
