Bug#695189: marked as done (unblock: bogofilter/1.2.2+dfsg1-2)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 06 Dec 2012 22:08:20 +0000
with message-id <1354831700.8381.10.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#695189: unblock: bogofilter/1.2.2+dfsg1-2
has caused the Debian Bug report #695189,
regarding unblock: bogofilter/1.2.2+dfsg1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
695189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695189
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: bogofilter/1.2.2+dfsg1-2
• From: Serafeim Zanikolas <sez@debian.org>
• Date: Wed, 05 Dec 2012 08:14:12 +0100
• Message-id: <[🔎] 20121205071412.10619.47535.reportbug@mobee>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package bogofilter to apply a fix for
http://security-tracker.debian.org/tracker/CVE-2012-5468

Here's the diff against the package in testing:

diff --git a/debian/changelog b/debian/changelog
index cba2961..edb917e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+bogofilter (1.2.2+dfsg1-2) unstable; urgency=high
+
+  * Cherry-pick fix and test for CVE-2012-5468 (aka bogofilter-SA-2012-01)
+    from upstream release 1.2.3. Setting urgency to high. closes: #695139.
+
+ -- Serafeim Zanikolas <sez@debian.org>  Tue, 04 Dec 2012 20:08:50 +0100
+
 bogofilter (1.2.2+dfsg1-1) unstable; urgency=low
 
   * Rebuild with repackaged source to exclude non-DFSG-free licensed security
diff --git a/debian/patches/sa-2012-01-fix.diff b/debian/patches/sa-2012-01-fix.diff
new file mode 100644
index 0000000..3214560
--- /dev/null
+++ b/debian/patches/sa-2012-01-fix.diff
@@ -0,0 +1,70 @@
+# Description: apply fix and test for CVE-2012-5468 (aka bogofilter-SA-2012-01)
+# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695139
+# Author: Matthias Andree
+# Last-Update: 2012-12-03
+--- a/src/iconvert.c
++++ b/src/iconvert.c
+@@ -76,7 +76,7 @@
+ 	outbuf = (char *)dst->t.u.text + dst->t.leng;
+ 	outbytesleft = dst->size - dst->read - dst->t.leng;
+ 
+-	if (outbytesleft == 0)
++	if (outbytesleft <= 0)
+ 	    break;
+ 
+ 	/*
+@@ -141,6 +141,10 @@
+ 	    switch (err) {
+ 	    case EILSEQ:		/* invalid multibyte sequence */
+ 	    case EINVAL:		/* incomplete multibyte sequence */
++		if(outbytesleft <= 0) {
++                    done = true;
++                    break;
++		}
+ 		/* copy 1 byte (or substitute a '?') */
+ 		if (!replace_nonascii_characters)
+ 		    *outbuf = *inbuf;
+--- a/src/tests/Makefile.am
++++ b/src/tests/Makefile.am
+@@ -45,6 +45,7 @@
+ 	t.multiple.tokens.head t.multiple.tokens.body t.multiple.tokens.min.mul \
+ 	$(ENCODING_TESTS) \
+ 	t.rfc2047_broken t.rfc2047_folded \
++	t.crash-invalid-base64 \
+ 	t.message_addr t.message_id t.queue_id
+ 
+ WORDLIST_TESTS = t.dump.load t.nonascii.replace t.maint t.robx t.regtest t.upgrade.subnet.prefix t.multiple.wordlists t.probe t.bf_compact
+--- /dev/null
++++ b/src/tests/t.crash-invalid-base64
+@@ -0,0 +1,21 @@
++#! /bin/sh
++
++. ${srcdir:=.}/t.frame
++
++# make sure that we do not crash on excessively long tokens
++# Test program by Julius Plenz, TU Berlin.
++perl -e '
++print <<EOF
++Content-Type: multipart/mixed;boundary="----=_20121014031204_57463"
++
++------=_20121014031204_57463
++Content-Type: text/plain; charset="utf-8"
++
++------=_20121014031204_57463
++Content-Transfer-Encoding: base64
++
++EOF
++;
++print(("vfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvfvf\n")x600);
++print "------=_20121014031204_57463--";' \
++| $VAL $BOGOFILTER -p -e -C > /dev/null
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -269,6 +269,7 @@
+ 	t.multiple.tokens.head t.multiple.tokens.body t.multiple.tokens.min.mul \
+ 	$(ENCODING_TESTS) \
+ 	t.rfc2047_broken t.rfc2047_folded \
++	t.crash-invalid-base64 \
+ 	t.message_addr t.message_id t.queue_id
+ 
+ WORDLIST_TESTS = t.dump.load t.nonascii.replace t.maint t.robx t.regtest t.upgrade.subnet.prefix t.multiple.wordlists t.probe t.bf_compact
diff --git a/debian/patches/series b/debian/patches/series
index 623fd92..cbc11bd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+sa-2012-01-fix.diff
 use-tar-instead-of-pax.diff


unblock bogofilter/1.2.2+dfsg1-2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---

--- Begin Message ---

• To: Serafeim Zanikolas <sez@debian.org>, 695189-done@bugs.debian.org
• Subject: Re: Bug#695189: unblock: bogofilter/1.2.2+dfsg1-2
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Thu, 06 Dec 2012 22:08:20 +0000
• Message-id: <1354831700.8381.10.camel@jacala.jungle.funky-badger.org>
• In-reply-to: <[🔎] 20121205071412.10619.47535.reportbug@mobee>
• References: <[🔎] 20121205071412.10619.47535.reportbug@mobee>

On Wed, 2012-12-05 at 08:14 +0100, Serafeim Zanikolas wrote:
> Please unblock package bogofilter to apply a fix for
> http://security-tracker.debian.org/tracker/CVE-2012-5468

Unblocked; thanks.

Regards,

Adam

--- End Message ---