Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package spamassassin

spamassassin 3.3.2-4 fixes two r-c packaging bugs and also incorporates a fix from upstream that causes spamassassin to fail to properly process certain (potentially intentionally) malformed messages. Details of these bugs:

683431: spamassassin depends on /usr/share/doc/spamassassin/GPG.KEY, in violation of policy §12.3.
684373: spamassassin doesn't re-create /var/lib/spamassassin upon re-install after purge.
684709: the last line of malformed MIME messages is ignored

unblock spamassassin/3.3.2-4

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru spamassassin-3.3.2/debian/changelog spamassassin-3.3.2/debian/changelog --- spamassassin-3.3.2/debian/changelog 2012-06-14 23:00:17.000000000 -0700 +++ spamassassin-3.3.2/debian/changelog 2012-08-13 22:29:36.000000000 -0700 @@ -1,3 +1,26 @@ +spamassassin (3.3.2-4) unstable; urgency=low + + * Incorporate upstream's fix for a bug where malformed multipart MIME + messages would bypass URIBL rules. (Closes: #684709) + * Update standards version to 3.9.3 (no changes) + + -- Noah Meyerhans <noahm@debian.org> Mon, 13 Aug 2012 21:37:11 -0700 + +spamassassin (3.3.2-3.2) unstable; urgency=low + + * Non-maintainer upload. + * debian/spamassassin.postinst: Create /var/lib/spamassassin. + Closes: #684373. + + -- Bart Martens <bartm@debian.org> Sat, 11 Aug 2012 17:29:42 +0000 + +spamassassin (3.3.2-3.1) unstable; urgency=low + + * Non-maintainer upload. + * move GPG.KEY out of /usr/share/doc per §12.3(Closes: #683431) + + -- Shawn Landden <shawnlandden@gmail.com> Sat, 04 Aug 2012 16:20:46 +0000 + spamassassin (3.3.2-3) unstable; urgency=low * Run sa-update and sa-compile as a non-root user. diff -Nru spamassassin-3.3.2/debian/control spamassassin-3.3.2/debian/control --- spamassassin-3.3.2/debian/control 2012-06-14 23:59:48.000000000 -0700 +++ spamassassin-3.3.2/debian/control 2012-08-13 22:27:52.000000000 -0700 
@@ -6,7 +6,7 @@ Build-Depends: debhelper (>= 7), perl, libssl-dev, libhtml-parser-perl (>= 3.24), libnet-dns-perl (>= 0.34), libnetaddr-ip-perl, hardening-wrapper -Standards-Version: 3.9.2 +Standards-Version: 3.9.3 Homepage: http://www.spamassassin.org/ Vcs-Svn: svn://svn.debian.org/svn/collab-maint/deb-maint/spamassassin/trunk Vcs-Browser: http://svn.debian.org/viewsvn/collab-maint/deb-maint/spamassassin/trunk/ diff -Nru spamassassin-3.3.2/debian/patches/60_bug_684709 spamassassin-3.3.2/debian/patches/60_bug_684709 --- spamassassin-3.3.2/debian/patches/60_bug_684709 1969-12-31 16:00:00.000000000 -0800 +++ spamassassin-3.3.2/debian/patches/60_bug_684709 2012-08-13 21:36:26.000000000 -0700 
@@ -0,0 +1,45 @@ +Index: spamassassin-3.3.2/lib/Mail/SpamAssassin/Message.pm +=================================================================== +--- spamassassin-3.3.2.orig/lib/Mail/SpamAssassin/Message.pm 2011-06-06 16:59:17.000000000 -0700 ++++ spamassassin-3.3.2/lib/Mail/SpamAssassin/Message.pm 2012-08-13 21:36:04.000000000 -0700 +@@ -794,14 +794,30 @@ + my $in_body = 0; + my $header; + my $part_array; ++ my $found_end_boundary; + + my $line_count = @{$body}; + foreach ( @{$body} ) { + # if we're on the last body line, or we find any boundary marker, + # deal with the mime part +- if ( --$line_count == 0 || (defined $boundary && /^--\Q$boundary\E(?:--)?\s*$/) ) { ++ $found_end_boundary = defined $boundary && /^--\Q$boundary\E(?:--)?\s*$/; ++ if ( --$line_count == 0 || $found_end_boundary ) { + my $line = $_; # remember the last line + ++ # If at last line and no end boundary found, the line belongs to body ++ # TODO: ++ # Is $self->{mime_boundary_state}->{$boundary}-- needed here? ++ # Could "missing end boundary" be a useful rule? Mark it somewhere? ++ # If SA processed truncated message from amavis etc, this could also ++ # be hit legimately.. ++ if (!$found_end_boundary) { ++ # TODO: This is duplicate code from few pages down below.. ++ while (length ($_) > MAX_BODY_LINE_LENGTH) { ++ push (@{$part_array}, substr($_, 0, MAX_BODY_LINE_LENGTH)."\n"); ++ substr($_, 0, MAX_BODY_LINE_LENGTH) = ''; ++ } ++ push ( @{$part_array}, $_ ); ++ } + # per rfc 1521, the CRLF before the boundary is part of the boundary: + # NOTE: The CRLF preceding the encapsulation line is conceptually + # attached to the boundary so that it is possible to have a part +@@ -810,7 +826,7 @@ + # CRLFs preceding the encapsulation line, the first of which is part + # of the preceding body part, and the second of which is part of the + # encapsulation boundary. 
+- if ($part_array) { ++ elsif ($part_array) { + chomp( $part_array->[-1] ); # trim the CRLF that's part of the boundary + splice @{$part_array}, -1 if ( $part_array->[-1] eq '' ); # blank line for the boundary only ... + } diff -Nru spamassassin-3.3.2/debian/patches/series spamassassin-3.3.2/debian/patches/series --- spamassassin-3.3.2/debian/patches/series 2012-06-13 23:03:58.000000000 -0700 +++ spamassassin-3.3.2/debian/patches/series 2012-08-13 21:35:04.000000000 -0700 @@ -3,5 +3,6 @@ 30_edit_README 50_sa-learn_fix_empty_list_handling 55_disable_nagios_epm +60_bug_684709 85_disable_SSLv2 90_pod_cleanup diff -Nru spamassassin-3.3.2/debian/rules spamassassin-3.3.2/debian/rules --- spamassassin-3.3.2/debian/rules 2012-06-14 23:52:38.000000000 -0700 +++ spamassassin-3.3.2/debian/rules 2012-08-01 21:30:09.000000000 -0700 @@ -112,7 +112,8 @@ # dh_installdocs isn't flexible enough to install all the docs to the right place # Do it here! - cp debian/copyright debian/GPG.KEY debian/spamassassin/usr/share/doc/spamassassin/ + cp debian/GPG.KEY debian/spamassassin/usr/share/spamassassin/ + cp debian/copyright debian/spamassassin/usr/share/doc/spamassassin/ cp debian/spamassassin.README.Debian debian/spamassassin/usr/share/doc/spamassassin/README.Debian cp CREDITS README TRADEMARK UPGRADE USAGE NOTICE debian/spamassassin/usr/share/doc/spamassassin/ cp ldap/README debian/spamassassin/usr/share/doc/spamassassin/README.ldap diff -Nru spamassassin-3.3.2/debian/spamassassin.postinst spamassassin-3.3.2/debian/spamassassin.postinst --- spamassassin-3.3.2/debian/spamassassin.postinst 2012-06-13 22:58:26.000000000 -0700 +++ spamassassin-3.3.2/debian/spamassassin.postinst 2012-08-11 10:32:43.000000000 -0700 
@@ -16,6 +16,8 @@ if ! getent passwd debian-spamd > /dev/null ; then adduser --system --group --shell /bin/sh --disabled-password \ --home /var/lib/spamassassin debian-spamd + else + mkdir -p /var/lib/spamassassin fi # Fix permissions of spamassassin; A no-op on new installs, lets # debian-spamd claim ownership of spamassassin updates on upgrades. @@ -26,7 +28,7 @@ install -d -o debian-spamd -g debian-spamd -m 700 /var/lib/spamassassin/sa-update-keys su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys \ - --import /usr/share/doc/spamassassin/GPG.KEY" + --import /usr/share/spamassassin/GPG.KEY" sa_compile fi
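Review bot: The Standards-Version bump from 3.9.2 to 3.9.3 in the debian/control hunk is unrelated to the three bugs the unblock request lists (683431, 684373, 684709). The changelog marks it "(no changes)", so it is harmless, but for an unblock it is easier to review a diff that carries only the targeted fixes; consider leaving the bump for the next regular upload.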
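Review bot: In the Message.pm hunk carried by debian/patches/60_bug_684709, `$found_end_boundary` is assigned from a regex whose `(?:--)?` makes the closing dashes optional, so it is true on every boundary line and not only on the end boundary; a name such as `$found_boundary` would describe what is actually tested. In the same hunk the new `while` loop shortens `$_` with `substr($_, 0, MAX_BODY_LINE_LENGTH) = ''`, and inside `foreach ( @{$body} )` that `$_` aliases the array element, so an over-long final line is truncated in the caller's `@{$body}` as well; splitting a copy would avoid the side effect. The two TODO comments (the duplicated splitting code and the open question about `mime_boundary_state`) are worth resolving or tracking upstream, and since the changelog describes this as a URIBL bypass, a regression test with a multipart message that lacks its closing boundary and carries a URI on the last line would guard the fix.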
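Review bot: The `mkdir -p /var/lib/spamassassin` added in the `else` branch of debian/spamassassin.postinst creates the directory as root with the umask's default mode, whereas the `adduser --home` path creates it as the home of debian-spamd. The comment that follows mentions fixing permissions, but the command doing so is not in the visible context, so it is worth confirming it covers a freshly created directory. Setting owner and mode at creation time, in the style already used a few lines later (`install -d -o debian-spamd -g debian-spamd -m 700 ...`), would make the branch self-contained.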
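Review bot: The new key location `/usr/share/spamassassin/GPG.KEY` is now hard-coded in two places, the `cp` in debian/rules and the `--import` argument in the second debian/spamassassin.postinst hunk, and they must stay in sync for the `sa-update` key import to succeed. The `cp debian/GPG.KEY debian/spamassassin/usr/share/spamassassin/` line also depends on that directory already existing at this point in the build, which the hunk does not show. An explicit `install -D -m 644` for the key would remove that dependency and fix the file mode at the same time.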