diff -u bogofilter-1.1.7/debian/rules bogofilter-1.1.7/debian/rules
--- bogofilter-1.1.7/debian/rules
+++ bogofilter-1.1.7/debian/rules
@@ -1,5 +1,7 @@
 #!/usr/bin/make -f
+include /usr/share/quilt/quilt.make
+
 CFLAGS = -Wall -g
 INSTALL = install
 INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644
@@ -21,7 +23,7 @@
 #endif
 configure: configure-stamp
-configure-stamp:
+configure-stamp: patch
 $(checkdir)
 $(INSTALL) -d obj-db obj-qdbm obj-sqlite obj-tokyocabinet
@@ -51,7 +53,7 @@
 touch build-stamp
-clean: checkroot
+clean: checkroot unpatch
 $(checkdir)
 rm -f build-stamp configure-stamp debian/bogofilter.substvars \
 debian/files debian/bogofilter-bdb.substvars \
diff -u bogofilter-1.1.7/debian/control bogofilter-1.1.7/debian/control
--- bogofilter-1.1.7/debian/control
+++ bogofilter-1.1.7/debian/control
@@ -1,8 +1,8 @@
 Source: bogofilter
 Section: mail
 Priority: optional
-Maintainer: Clint Adams <schizo@debian.org>
-Build-Depends: libdb-dev (>= 4.6.19-1), libgsl0-dev, libsqlite3-dev, libqdbm-dev, libtokyocabinet-dev
+Maintainer: Serafeim Zanikolas <sez@debian.org>
+Build-Depends: libdb-dev (>= 4.6.19-1), libgsl0-dev, libsqlite3-dev, libqdbm-dev, libtokyocabinet-dev, quilt
 Standards-Version: 3.7.3
 Package: bogofilter
diff -u bogofilter-1.1.7/debian/changelog bogofilter-1.1.7/debian/changelog
--- bogofilter-1.1.7/debian/changelog
+++ bogofilter-1.1.7/debian/changelog
@@ -1,3 +1,14 @@
+bogofilter (1.1.7-1+lenny1) stable; urgency=high
+
+ * Apply patch from Julius Plenz <plenz@cis.fu-berlin.de> to prevent possible
+ heap corruption due to a bug in the base64_decode function (CVE-2010-2494,
+ aka bogofilter-SA-2010-01). Setting urgency=high, but uploading to stable
+ because the issue does not warrant a DSA. closes: #588090.
+ * Build-Depend on quilt
+ * Update maintainer field in debian/control.
+
+ -- Serafeim Zanikolas <sez@debian.org> Mon, 20 Sep 2010 08:35:46 +0000
+
 bogofilter (1.1.7-1) unstable; urgency=low
 * New upstream release.
only in patch2: unchanged:
--- bogofilter-1.1.7.orig/debian/patches/prevent-memory-corruption-in-base64_decode.diff
+++ bogofilter-1.1.7/debian/patches/prevent-memory-corruption-in-base64_decode.diff
@@ -0,0 +1,44 @@
+# Subject: fix for CVE-2010-2494 (aka bogofilter-SA-2010-01)
+# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588090
+# Author: Julius Plenz <plenz@cis.fu-berlin.de>
+From 192fd9a149b318b87a01ed482fdf913feee1e2b5 Mon Sep 17 00:00:00 2001
+From: Julius Plenz <plenz@cis.fu-berlin.de>
+Date: Wed, 16 Jun 2010 12:59:19 +0200
+Subject: [PATCH] bugfix: prevent memory corruption in base64_decode
+
+If a string starting with an equal-sign is passed to the base64_decode
+function it triggers a memory corruption that in some cases makes
+bogofilter crash.
+
+If the first character in word->text ist '=', then in base_64.c:50
+`shorten' will be set to 4, the loop ll 59-63 is skipped and the code
+
+ d += 3 - shorten;
+
+will actually rewind the string-pointer d by one, thus causing the
+function to write to a potentially invalid memory area in subsequent
+calls. (Because *d at that point is the first character in the string.)
+---
+ src/base64.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index db72f9e..d20e4d9 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -61,8 +61,10 @@ uint base64_decode(word_t *word)
+ d[i] = c;
+ v = v >> 8;
+ }
+- d += 3 - shorten;
+- count += 3 - shorten;
++ if(shorten != 4) {
++ d += 3 - shorten;
++ count += 3 - shorten;
++ }
+ }
+ /* XXX do we need this NUL byte? */
+ if (word->leng)
+--
+1.7.1
+
only in patch2: unchanged:
--- bogofilter-1.1.7.orig/debian/patches/series
+++ bogofilter-1.1.7/debian/patches/series
@@ -0,0 +1 @@
+prevent-memory-corruption-in-base64_decode.diff
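Review bot: The new `if(shorten != 4)` guard around the `d += 3 - shorten` / `count += 3 - shorten` pair leaves the magic number unexplained, and a later cleanup could easily fold it back into the unguarded form that caused CVE-2010-2494; a comment such as `/* shorten == 4: the quad began with '=', the decode loop above wrote nothing, so 3 - shorten would step d back one byte before its start (CVE-2010-2494) */` would pin the intent. Since '=' is padding that marks the end of base64 data, it is also worth considering a `break` in that branch rather than silently consuming the quad and continuing to decode whatever follows; the outer loop's header is outside this hunk, so confirm nothing downstream depends on `count` covering those bytes. The guard also presumes `shorten` is at most 4; if the assignment the commit message cites at line 50 can yield a larger value, the same pointer rewind returns, so bounding it (`shorten >= 4`) or asserting the range is cheap insurance. base64_decode's definition begins and ends outside the hunk, and a regression input of a bare "=" word would let the fix be verified in the test suite.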