Bug 8376 - bogofilter new security issue CVE-2012-5468
: bogofilter new security issue CVE-2012-5468
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/528912/
: has_procedure mga2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-12-12 20:46 CET by David Walser
Modified: 2013-01-03 17:10 CET (History)
3 users (show)

See Also:
Source RPM: bogofilter-1.2.2-2.mga1.src.rpm
CVE:


Attachments
script to create PoC (497 bytes, application/x-sh)
2012-12-13 11:48 CET, claire robinson
Details

Description David Walser 2012-12-12 20:46:31 CET
Debian has issued an advisory on December 11:
http://www.debian.org/security/2012/dsa-2585

Cauldron is not affected as it was fixed upstream in 1.2.3, which we have.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated bogofilter package fixes security vulnerability:

In bogofilter before 1.2.3, bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters (CVE-2012-5468).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5468
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
http://www.debian.org/security/2012/dsa-2585
========================

Updated packages in core/updates_testing:
========================
bogofilter-1.2.2-2.1.mga2

from bogofilter-1.2.2-2.1.mga2.src.rpm
Comment 1 claire robinson 2012-12-13 11:17:06 CET
Was the test for this included in the build David?

http://bogofilter.svn.sourceforge.net/viewvc/bogofilter?view=revision&revision=6975
Comment 2 claire robinson 2012-12-13 11:48:48 CET
Created attachment 3240 [details]
script to create PoC

Testing complete mga2 64 using the attached script.

Adapted from the build test http://bogofilter.svn.sourceforge.net/viewvc/bogofilter/trunk/bogofilter/src/tests/t.crash-invalid-base64?revision=6975&pathrev=6975

bogofilter complains about not having a wordlist when first started so created one with..

$ bogofilter -s
viagra
porn
ctrl-c
ctrl-c

Ran the adapted script attached here to create spam.txt

Before
------
$ bogofilter -I spam.txt
*** glibc detected *** bogofilter: realloc(): invalid next size: 0x00000000018161b0 ***

Had to close the terminal to quit, it didn't respond to ctrl-c

After
-----
$ bogofilter -I spam.txt
$

Returns to a prompt without error.
Comment 3 David Walser 2012-12-13 14:54:14 CET
(In reply to comment #1)
> Was the test for this included in the build David?
> 
> http://bogofilter.svn.sourceforge.net/viewvc/bogofilter?view=revision&revision=6975

No, good find.  Would you like me to add it?
Comment 4 claire robinson 2012-12-13 15:06:39 CET
May as well I think David, it's easy to test so repeating shouldn't cause any delay.
Comment 5 David Walser 2012-12-13 21:47:38 CET
Test added, but there's a build system issue and I don't know if it'll ever finish.  If it does, it'll be bogofilter-1.2.2-2.1.mga2.
Comment 6 Dave Hodgins 2012-12-14 01:55:07 CET
Seems the poc only causes a problem on 64 bit systems.  On i586, it works ok
both before and after the update.

Could someone from the sysadmin team push the srpm
bogofilter-1.2.2-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated bogofilter package fixes security vulnerability:

In bogofilter before 1.2.3, bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters (CVE-2012-5468).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5468
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
http://www.debian.org/security/2012/dsa-2585

https://bugs.mageia.org/show_bug.cgi?id=8376
Comment 7 Thomas Backlund 2012-12-14 02:04:26 CET
bogofilter-1.2.2-2.2.mga2 finally got built/uploaded some 1,5 h ago after a "gazillion" chroot install rounds...

So I guess the validation is not valid anymore...
Comment 8 claire robinson 2012-12-14 14:09:37 CET
retested mga2 64 OK
Comment 9 Dave Hodgins 2012-12-14 23:51:09 CET
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
bogofilter-1.2.2-2.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated bogofilter package fixes security vulnerability:

In bogofilter before 1.2.3, bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters (CVE-2012-5468).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5468
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
http://www.debian.org/security/2012/dsa-2585

https://bugs.mageia.org/show_bug.cgi?id=8376
Comment 10 Thomas Backlund 2012-12-20 23:20:17 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0363
Comment 11 David Walser 2013-01-03 17:10:41 CET
Patch checked into Mageia 1 SVN.

Note You need to log in before you can comment on or make changes to this bug.