
Bug#686058: unblock: spamassassin/3.3.2-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package spamassassin

spamassassin 3.3.2-4 fixes two r-c packaging bugs and also incorporates
a fix from upstream that causes spamassassin to fail to properly process
certain (potentially intentionally) malformed messages. Details of these
bugs:

683431: spamassassin depends on /usr/share/doc/spamassassin/GPG.KEY, in
violation of policy §12.3.

684373: spamassassin doesn't re-create /var/lib/spamassassin upon
re-install after purge.

684709: the last line of malformed MIME messages is ignored

unblock spamassassin/3.3.2-4

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru spamassassin-3.3.2/debian/changelog spamassassin-3.3.2/debian/changelog
--- spamassassin-3.3.2/debian/changelog	2012-06-14 23:00:17.000000000 -0700
+++ spamassassin-3.3.2/debian/changelog	2012-08-13 22:29:36.000000000 -0700
@@ -1,3 +1,26 @@
+spamassassin (3.3.2-4) unstable; urgency=low
+
+  * Incorporate upstream's fix for a bug where malformed multipart MIME
+    messages would bypass URIBL rules. (Closes: #684709)
+  * Update standards version to 3.9.3 (no changes)
+
+ -- Noah Meyerhans <noahm@debian.org>  Mon, 13 Aug 2012 21:37:11 -0700
+
+spamassassin (3.3.2-3.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * debian/spamassassin.postinst: Create /var/lib/spamassassin.
+    Closes: #684373.
+
+ -- Bart Martens <bartm@debian.org>  Sat, 11 Aug 2012 17:29:42 +0000
+
+spamassassin (3.3.2-3.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * move GPG.KEY out of /usr/share/doc per §12.3(Closes: #683431)
+
+ -- Shawn Landden <shawnlandden@gmail.com>  Sat, 04 Aug 2012 16:20:46 +0000
+
 spamassassin (3.3.2-3) unstable; urgency=low
 
   * Run sa-update and sa-compile as a non-root user. 
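
Review bot: the 3.3.2-4 entry is uploaded with urgency=low even though its first item describes malformed multipart messages bypassing URIBL rules, which is a filter-evasion fix; consider raising the urgency or stating in the entry why low is sufficient. Minor: the 3.3.2-3.1 entry is missing a space in "§12.3(Closes: #683431)".
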
diff -Nru spamassassin-3.3.2/debian/control spamassassin-3.3.2/debian/control
--- spamassassin-3.3.2/debian/control	2012-06-14 23:59:48.000000000 -0700
+++ spamassassin-3.3.2/debian/control	2012-08-13 22:27:52.000000000 -0700
@@ -6,7 +6,7 @@
 Build-Depends: debhelper (>= 7), perl, libssl-dev,
  libhtml-parser-perl (>= 3.24), libnet-dns-perl (>= 0.34), libnetaddr-ip-perl,
  hardening-wrapper
-Standards-Version: 3.9.2
+Standards-Version: 3.9.3
 Homepage: http://www.spamassassin.org/
 Vcs-Svn: svn://svn.debian.org/svn/collab-maint/deb-maint/spamassassin/trunk
 Vcs-Browser: http://svn.debian.org/viewsvn/collab-maint/deb-maint/spamassassin/trunk/
diff -Nru spamassassin-3.3.2/debian/patches/60_bug_684709 spamassassin-3.3.2/debian/patches/60_bug_684709
--- spamassassin-3.3.2/debian/patches/60_bug_684709	1969-12-31 16:00:00.000000000 -0800
+++ spamassassin-3.3.2/debian/patches/60_bug_684709	2012-08-13 21:36:26.000000000 -0700
@@ -0,0 +1,45 @@
+Index: spamassassin-3.3.2/lib/Mail/SpamAssassin/Message.pm
+===================================================================
+--- spamassassin-3.3.2.orig/lib/Mail/SpamAssassin/Message.pm	2011-06-06 16:59:17.000000000 -0700
++++ spamassassin-3.3.2/lib/Mail/SpamAssassin/Message.pm	2012-08-13 21:36:04.000000000 -0700
+@@ -794,14 +794,30 @@
+   my $in_body = 0;
+   my $header;
+   my $part_array;
++  my $found_end_boundary;
+ 
+   my $line_count = @{$body};
+   foreach ( @{$body} ) {
+     # if we're on the last body line, or we find any boundary marker,
+     # deal with the mime part
+-    if ( --$line_count == 0 || (defined $boundary && /^--\Q$boundary\E(?:--)?\s*$/) ) {
++    $found_end_boundary = defined $boundary && /^--\Q$boundary\E(?:--)?\s*$/;
++    if ( --$line_count == 0 || $found_end_boundary ) {
+       my $line = $_; # remember the last line
+ 
++      # If at last line and no end boundary found, the line belongs to body
++      # TODO:
++      #  Is $self->{mime_boundary_state}->{$boundary}-- needed here?
++      #  Could "missing end boundary" be a useful rule? Mark it somewhere?
++      #  If SA processed truncated message from amavis etc, this could also
++      #  be hit legimately..
++      if (!$found_end_boundary) {
++        # TODO: This is duplicate code from few pages down below..
++        while (length ($_) > MAX_BODY_LINE_LENGTH) {
++          push (@{$part_array}, substr($_, 0, MAX_BODY_LINE_LENGTH)."\n");
++          substr($_, 0, MAX_BODY_LINE_LENGTH) = '';
++        }
++        push ( @{$part_array}, $_ );
++      }
+       # per rfc 1521, the CRLF before the boundary is part of the boundary:
+       # NOTE: The CRLF preceding the encapsulation line is conceptually
+       # attached to the boundary so that it is possible to have a part
+@@ -810,7 +826,7 @@
+       # CRLFs preceding the encapsulation line, the first of which is part
+       # of the preceding body part, and the second of which is part of the
+       # encapsulation boundary.
+-      if ($part_array) {
++      elsif ($part_array) {
+         chomp( $part_array->[-1] );  # trim the CRLF that's part of the boundary
+         splice @{$part_array}, -1 if ( $part_array->[-1] eq '' ); # blank line for the boundary only ...
+       }
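
Review bot: in the new "if (!$found_end_boundary)" branch the last line is pushed onto $part_array without consulting $in_body, which is declared in the context just above; if a message is cut off while a part's headers are still being read, that header line would be appended as body text, so confirm from the rest of the loop that this cannot happen or guard the push on $in_body. The name $found_end_boundary is also misleading, because the regex makes the closing "--" optional and so matches any boundary marker, not only the end boundary. The two TODO comments (the mime_boundary_state decrement and the duplicated line-splitting loop) should be resolved or tracked upstream, and the patch file starts directly at "Index:" with no description, origin or bug reference header.
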
diff -Nru spamassassin-3.3.2/debian/patches/series spamassassin-3.3.2/debian/patches/series
--- spamassassin-3.3.2/debian/patches/series	2012-06-13 23:03:58.000000000 -0700
+++ spamassassin-3.3.2/debian/patches/series	2012-08-13 21:35:04.000000000 -0700
@@ -3,5 +3,6 @@
 30_edit_README
 50_sa-learn_fix_empty_list_handling
 55_disable_nagios_epm
+60_bug_684709
 85_disable_SSLv2
 90_pod_cleanup
diff -Nru spamassassin-3.3.2/debian/rules spamassassin-3.3.2/debian/rules
--- spamassassin-3.3.2/debian/rules	2012-06-14 23:52:38.000000000 -0700
+++ spamassassin-3.3.2/debian/rules	2012-08-01 21:30:09.000000000 -0700
@@ -112,7 +112,8 @@
 
 #	dh_installdocs isn't flexible enough to install all the docs to the right place
 #	Do it here!
-	cp debian/copyright debian/GPG.KEY		debian/spamassassin/usr/share/doc/spamassassin/
+	cp debian/GPG.KEY				debian/spamassassin/usr/share/spamassassin/
+	cp debian/copyright				debian/spamassassin/usr/share/doc/spamassassin/
 	cp debian/spamassassin.README.Debian		debian/spamassassin/usr/share/doc/spamassassin/README.Debian
 	cp CREDITS README TRADEMARK UPGRADE USAGE NOTICE 	debian/spamassassin/usr/share/doc/spamassassin/
 	cp ldap/README 					debian/spamassassin/usr/share/doc/spamassassin/README.ldap
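
Review bot: the added "cp debian/GPG.KEY" line assumes debian/spamassassin/usr/share/spamassassin/ already exists in the staging tree, and nothing in the visible lines creates it; if no earlier step does, the cp fails. Either confirm that, or install the key with "install -D -m 644 debian/GPG.KEY debian/spamassassin/usr/share/spamassassin/GPG.KEY", which also gives the file postinst later imports into the sa-update keyring an explicit mode.
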
diff -Nru spamassassin-3.3.2/debian/spamassassin.postinst spamassassin-3.3.2/debian/spamassassin.postinst
--- spamassassin-3.3.2/debian/spamassassin.postinst	2012-06-13 22:58:26.000000000 -0700
+++ spamassassin-3.3.2/debian/spamassassin.postinst	2012-08-11 10:32:43.000000000 -0700
@@ -16,6 +16,8 @@
         if ! getent passwd debian-spamd > /dev/null ; then
             adduser --system --group --shell /bin/sh --disabled-password \
                 --home /var/lib/spamassassin debian-spamd
+        else
+            mkdir -p /var/lib/spamassassin
         fi
         # Fix permissions of spamassassin; A no-op on new installs, lets 
         # debian-spamd claim ownership of spamassassin updates on upgrades.
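
Review bot: the new else branch runs a plain "mkdir -p /var/lib/spamassassin", which leaves the directory owned by root with a umask-dependent mode, whereas in the other branch adduser sets it up as the home of debian-spamd; the result is only correct if the permission fix-up announced in the following comment covers the directory itself. Creating it the way the sa-update-keys line does, with "install -d -o debian-spamd -g debian-spamd" and an explicit mode, would make both branches end in the same state.
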
@@ -26,7 +28,7 @@
         install -d -o debian-spamd -g debian-spamd -m 700 /var/lib/spamassassin/sa-update-keys
 
     su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys \
-        --import /usr/share/doc/spamassassin/GPG.KEY"
+        --import /usr/share/spamassassin/GPG.KEY"
 
     sa_compile
 fi
