
Bug#778941: unblock: dovecot-antispam/2.0+20130912-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package dovecot-antispam

This one got reported to the security team who forwarded it to me,
so there's no bug currently open against the package for it.  The
security implications seem limited, but it is a real potential
crasher, with a trivially correct fix, so it seems appropriate to
get this change into the release.


diff -u dovecot-antispam-2.0+20130912/debian/changelog dovecot-antispam-2.0+20130912/debian/changelog
--- dovecot-antispam-2.0+20130912/debian/changelog
+++ dovecot-antispam-2.0+20130912/debian/changelog
@@ -1,3 +1,32 @@
+dovecot-antispam (2.0+20130912-2) unstable; urgency=medium
+
+  * Use the correct argc for pipe.ham_args
+
+    This fixes a typo bug, where if the number of arguments set for
+    antispam_pipe_program_spam_arg is not the same as what was set
+    for antispam_pipe_program_notspam_arg, then we'll either scribble
+    past the end of the allocated argv array, or populate it with
+    pointers to whatever followed the real ham_args.
+
+    Thanks to Peter Colberg who reported this, including a correct
+    patch to fix it, to the security team.  The security implications
+    of this seem somewhat limited, since you need to edit a config
+    file as root to create the bad situation, and there is no path
+    for remote injection of crafted data (whether it overflows or
+    underflows) if you do, the argv array will just get some 'random'
+    extra pointers to existing internal data.
+
+    However it does pose a potential problem for a legitimate user
+    who does legitimately need or want to pass a different number of
+    arguments for the spam and ham cases, since that could crash
+    dovecot, or confuse the hell out of their pipe program when it
+    gets some random extra arguments.  It's probably gone unnoticed
+    for this long because most uses will pass the same number of
+    arguments for both of them, but that's not a necessary condition
+    in the general case.
+
+ -- Ron Lee <ron@debian.org>  Sun, 22 Feb 2015 09:27:51 +1030
+
 dovecot-antispam (2.0+20130912-1) unstable; urgency=medium
 
   * Merge upstreamed patches from the upstream branch,
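Review bot: The new changelog entry carries no bug reference (there is no Closes: line), so the fix cannot be traced from the BTS to this upload; consider filing a bug against dovecot-antispam for the argc mismatch and closing it in this entry. The sentence beginning "and there is no path for remote injection of crafted data (whether it overflows or underflows) if you do, the argv array will just get" also runs two statements together and would read more clearly if split after the parenthesis.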
only in patch2:
unchanged:
--- dovecot-antispam-2.0+20130912.orig/pipe.c
+++ dovecot-antispam-2.0+20130912/pipe.c
@@ -46,7 +46,7 @@
 		break;
 	case CLASS_NOTSPAM:
 		dest = cfg->pipe.ham_args;
-		dest_num = cfg->pipe.spam_args_num;
+		dest_num = cfg->pipe.ham_args_num;
 		break;
 	}
 
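Review bot: In the CLASS_NOTSPAM arm, dest and dest_num are still set by two separate assignments, which is the pattern that let cfg->pipe.ham_args be paired with cfg->pipe.spam_args_num in the first place. The one-line change is correct as far as these lines show, but carrying each argument array together with its count (one struct per class, or a small helper that returns both) would keep the pair from drifting apart again. A test configuration with a different number of antispam_pipe_program_spam_arg and antispam_pipe_program_notspam_arg entries would cover the case the changelog describes.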

unblock dovecot-antispam/2.0+20130912-2

