[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#695198: marked as done (pu: package bogofilter/1.2.2-2)

Your message dated Wed, 5 Dec 2012 13:45:51 +0100
with message-id <20121205124551.GC26998@mobee>
and subject line Re: Bug#695198: pu: package bogofilter/1.2.2-2
has caused the Debian Bug report #695198,
regarding pu: package bogofilter/1.2.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
695198: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695198
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: serious
User: release.debian.org@packages.debian.org
Usertags: pu security

Hi,

Please pre-approve an upload to stable-security to update bogofilter for
http://security-tracker.debian.org/tracker/CVE-2012-5468

Here's the diff against the package in squeeze (which, other than targeting
stable-security, is the same as the one in unblock request #695139, for
wheezy).

Thanks,
sez

ps. I've verified that 1.2.2-2+squeeze1 is less than the wheezy release
1.2.2+dfsg1-1


diff --git a/debian/changelog b/debian/changelog
index eb7c512..6b93ab8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+bogofilter (1.2.2-2+squeeze1) stable-security; urgency=high
+
+  * Cherry-pick fix and test for CVE-2012-5468 (aka bogofilter-SA-2012-01)
+    from upstream release 1.2.3. Setting urgency to high. closes: #695139.
+
+ -- Serafeim Zanikolas <sez@debian.org>  Tue, 04 Dec 2012 20:08:50 +0100
+
 bogofilter (1.2.2-2) unstable; urgency=high
 
   * Add debian/bogofilter-{bdb,sqlite,tokyocabinet}.preinst to remove
diff --git a/debian/patches/sa-2012-01-fix.diff b/debian/patches/sa-2012-01-fix.diff
new file mode 100644
index 0000000..3214560
--- /dev/null
+++ b/debian/patches/sa-2012-01-fix.diff
@@ -0,0 +1,70 @@
+# Description: apply fix and test for CVE-2012-5468 (aka bogofilter-SA-2012-01)
+# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695139
+# Author: Matthias Andree
+# Last-Update: 2012-12-03
+--- a/src/iconvert.c
++++ b/src/iconvert.c
+@@ -76,7 +76,7 @@
+ 	outbuf = (char *)dst->t.u.text + dst->t.leng;
+ 	outbytesleft = dst->size - dst->read - dst->t.leng;
+ 
+-	if (outbytesleft == 0)
++	if (outbytesleft <= 0)
+ 	    break;
+ 
+ 	/*
+@@ -141,6 +141,10 @@
+ 	    switch (err) {
+ 	    case EILSEQ:		/* invalid multibyte sequence */
+ 	    case EINVAL:		/* incomplete multibyte sequence */
++		if(outbytesleft <= 0) {
++                    done = true;
++                    break;
++		}
+ 		/* copy 1 byte (or substitute a '?') */
+ 		if (!replace_nonascii_characters)
+ 		    *outbuf = *inbuf;
+--- a/src/tests/Makefile.am
++++ b/src/tests/Makefile.am
+@@ -45,6 +45,7 @@
+ 	t.multiple.tokens.head t.multiple.tokens.body t.multiple.tokens.min.mul \
+ 	$(ENCODING_TESTS) \
+ 	t.rfc2047_broken t.rfc2047_folded \
++	t.crash-invalid-base64 \
+ 	t.message_addr t.message_id t.queue_id
+ 
+ WORDLIST_TESTS = t.dump.load t.nonascii.replace t.maint t.robx t.regtest t.upgrade.subnet.prefix t.multiple.wordlists t.probe t.bf_compact
+--- /dev/null
++++ b/src/tests/t.crash-invalid-base64
+@@ -0,0 +1,21 @@
++#! /bin/sh
++
++. ${srcdir:=.}/t.frame
++
++# make sure that we do not crash on excessively long tokens
++# Test program by Julius Plenz, TU Berlin.
++perl -e '
++print <<EOF
++Content-Type: multipart/mixed;boundary="----=_20121014031204_57463"
++
++------=_20121014031204_57463
++Content-Type: text/plain; charset="utf-8"
++
++------=_20121014031204_57463
++Content-Transfer-Encoding: base64
++
++EOF
++;
++print(("vfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvf\n")x600);
++print "------=_20121014031204_57463--";' \
++| $VAL $BOGOFILTER -p -e -C > /dev/null
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -269,6 +269,7 @@
+ 	t.multiple.tokens.head t.multiple.tokens.body t.multiple.tokens.min.mul \
+ 	$(ENCODING_TESTS) \
+ 	t.rfc2047_broken t.rfc2047_folded \
++	t.crash-invalid-base64 \
+ 	t.message_addr t.message_id t.queue_id
+ 
+ WORDLIST_TESTS = t.dump.load t.nonascii.replace t.maint t.robx t.regtest t.upgrade.subnet.prefix t.multiple.wordlists t.probe t.bf_compact
diff --git a/debian/patches/series b/debian/patches/series
index 623fd92..cbc11bd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+sa-2012-01-fix.diff
 use-tar-instead-of-pax.diff


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message --- 
of course -- apologies for the noise

On Wed, Dec 05, 2012 at 12:29:41PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On 05.12.2012 11:27, Serafeim Zanikolas wrote:
> >Please pre-approve an upload to stable-security to update
> >bogofilter for
> >http://security-tracker.debian.org/tracker/CVE-2012-5468
> 
> If you really mean stable-security then you need to be talking to
> the security team...
> 
> Regards,
> 
> Adam
> 

-- 
Every great idea is worthless without someone to do the work. --Neil Williams

--- End Message ---
Reply to: