diff -u bogofilter-1.1.7/debian/rules bogofilter-1.1.7/debian/rules
--- bogofilter-1.1.7/debian/rules
+++ bogofilter-1.1.7/debian/rules
@@ -1,5 +1,7 @@
#!/usr/bin/make -f
+include /usr/share/quilt/quilt.make
+
CFLAGS = -Wall -g
INSTALL = install
INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644
@@ -21,7 +23,7 @@
#endif
configure: configure-stamp
-configure-stamp:
+configure-stamp: patch
$(checkdir)
$(INSTALL) -d obj-db obj-qdbm obj-sqlite obj-tokyocabinet
@@ -51,7 +53,7 @@
touch build-stamp
-clean: checkroot
+clean: checkroot unpatch
$(checkdir)
rm -f build-stamp configure-stamp debian/bogofilter.substvars \
debian/files debian/bogofilter-bdb.substvars \
diff -u bogofilter-1.1.7/debian/control bogofilter-1.1.7/debian/control
--- bogofilter-1.1.7/debian/control
+++ bogofilter-1.1.7/debian/control
@@ -1,8 +1,8 @@
Source: bogofilter
Section: mail
Priority: optional
-Maintainer: Clint Adams <schizo@debian.org>
-Build-Depends: libdb-dev (>= 4.6.19-1), libgsl0-dev, libsqlite3-dev, libqdbm-dev, libtokyocabinet-dev
+Maintainer: Serafeim Zanikolas <sez@debian.org>
+Build-Depends: libdb-dev (>= 4.6.19-1), libgsl0-dev, libsqlite3-dev, libqdbm-dev, libtokyocabinet-dev, quilt
Standards-Version: 3.7.3
Package: bogofilter
diff -u bogofilter-1.1.7/debian/changelog bogofilter-1.1.7/debian/changelog
--- bogofilter-1.1.7/debian/changelog
+++ bogofilter-1.1.7/debian/changelog
@@ -1,3 +1,14 @@
+bogofilter (1.1.7-1+lenny1) stable; urgency=high
+
+ * Apply patch from Julius Plenz <plenz@cis.fu-berlin.de> to prevent possible
+ heap corruption due to a bug in the base64_decode function (CVE-2010-2494,
+ aka bogofilter-SA-2010-01). Setting urgency=high, but uploading to stable
+ because the issue does not warrant a DSA. closes: #588090.
+ * Build-Depend on quilt
+ * Update maintainer field in debian/control.
+
+ -- Serafeim Zanikolas <sez@debian.org> Mon, 20 Sep 2010 08:35:46 +0000
+
bogofilter (1.1.7-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- bogofilter-1.1.7.orig/debian/patches/prevent-memory-corruption-in-base64_decode.diff
+++ bogofilter-1.1.7/debian/patches/prevent-memory-corruption-in-base64_decode.diff
@@ -0,0 +1,44 @@
+# Subject: fix for CVE-2010-2494 (aka bogofilter-SA-2010-01)
+# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588090
+# Author: Julius Plenz <plenz@cis.fu-berlin.de>
+From 192fd9a149b318b87a01ed482fdf913feee1e2b5 Mon Sep 17 00:00:00 2001
+From: Julius Plenz <plenz@cis.fu-berlin.de>
+Date: Wed, 16 Jun 2010 12:59:19 +0200
+Subject: [PATCH] bugfix: prevent memory corruption in base64_decode
+
+If a string starting with an equal-sign is passed to the base64_decode
+function it triggers a memory corruption that in some cases makes
+bogofilter crash.
+
+If the first character in word->text ist '=', then in base_64.c:50
+`shorten' will be set to 4, the loop ll 59-63 is skipped and the code
+
+ d += 3 - shorten;
+
+will actually rewind the string-pointer d by one, thus causing the
+function to write to a potentially invalid memory area in subsequent
+calls. (Because *d at that point is the first character in the string.)
+---
+ src/base64.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index db72f9e..d20e4d9 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -61,8 +61,10 @@ uint base64_decode(word_t *word)
+ d[i] = c;
+ v = v >> 8;
+ }
+- d += 3 - shorten;
+- count += 3 - shorten;
++ if(shorten != 4) {
++ d += 3 - shorten;
++ count += 3 - shorten;
++ }
+ }
+ /* XXX do we need this NUL byte? */
+ if (word->leng)
+--
+1.7.1
+
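Review bot: The new guard at `if(shorten != 4)` stops the pointer rewind, but a quad that is entirely padding (the leading '=' case the commit message describes) now falls through silently and the loop keeps decoding whatever follows, so malformed input is tolerated rather than rejected. Since '=' can only legitimately terminate base64 data, consider ending decoding at that point instead of skipping the group, e.g. `if (shorten == 4) break;` placed before the pointer and count update, so `count` reflects only the bytes actually written and nothing after the bogus padding is interpreted; whether trailing groups after such a quad ever occur in practice depends on how `shorten` is derived near line 50, which is outside this hunk. The enclosing loop and the start of base64_decode are also outside the hunk, and if `shorten` is an unsigned type then `3 - shorten` would wrap to a large positive value rather than "rewind by one" as the message says — worth confirming, as it changes where the stray write lands. Minor style point: the surrounding file writes `if (word->leng)` with a space after `if`, so `if (shorten != 4) {` would match the existing convention.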
only in patch2:
unchanged:
--- bogofilter-1.1.7.orig/debian/patches/series
+++ bogofilter-1.1.7/debian/patches/series
@@ -0,0 +1 @@
+prevent-memory-corruption-in-base64_decode.diff