DebDiff Report spamassassin: 3.4.2-1+deb10u2 -> 3.4.2-1+deb10u3
diff -Nru spamassassin-3.4.2/debian/changelog spamassassin-3.4.2/debian/changelog --- spamassassin-3.4.2/debian/changelog 2020-01-30 17:50:54.000000000 +0100 +++ spamassassin-3.4.2/debian/changelog 2021-03-26 23:04:43.000000000 +0100 @@ -1,3 +1,10 @@ +spamassassin (3.4.2-1+deb10u3) buster-security; urgency=high + + * Import upstream fix for CVE-2020-1946: arbitrary code execution via + malicious rule files. (Closes: #985962) + + -- Noah Meyerhans <noahm@debian.org> Fri, 26 Mar 2021 15:04:43 -0700 + spamassassin (3.4.2-1+deb10u2) buster-security; urgency=medium * Security update to address diff -Nru spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch --- spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch 1970-01-01 01:00:00.000000000 +0100 +++ spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch 2021-03-26 23:04:43.000000000 +0100 @@ -0,0 +1,31 @@ +Description: Fix header rule parsing +Origin: upstream, https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Conf/Parser.pm?r1=1864416&r2=1876381&pathrev=1876381 +Applied-Upstream: 3.4.5 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: spamassassin/lib/Mail/SpamAssassin/Conf/Parser.pm =================================================================== --- spamassassin.orig/lib/Mail/SpamAssassin/Conf/Parser.pm +++ spamassassin/lib/Mail/SpamAssassin/Conf/Parser.pm @@ -1238,9 +1238,9 @@ sub add_test { # no re "strict"; # since perl 5.21.8: Ranges of ASCII printables... if ($text =~ /^exists:(.*)/) { my $hdr = $1; - # never evaled, so can be quite generous with the name # check :addr etc header options - if ($hdr !~ /^[^:\s]+:?$/) { + # $hdr used in eval text, validate carefully + if ($hdr !~ /^[\w.-]+:?$/) { $self->lint_warn("config: invalid head test $name header: $hdr"); return; } 
@@ -1248,7 +1248,8 @@ sub add_test { $conf->{test_opt_header}->{$name} = $hdr; $conf->{test_opt_exists}->{$name} = 1; } else { - if ($text !~ /^([^:\s]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) { + # $hdr used in eval text, validate carefully + if ($text !~ /^([\w.-]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) { $self->lint_warn("config: invalid head test $name: $text"); return; } diff -Nru spamassassin-3.4.2/debian/patches/series spamassassin-3.4.2/debian/patches/series --- spamassassin-3.4.2/debian/patches/series 2020-01-30 17:50:54.000000000 +0100 +++ spamassassin-3.4.2/debian/patches/series 2021-03-26 23:04:43.000000000 +0100 @@ -10,3 +10,4 @@ CVE-2020-1931 spamd_tests_use_unprivileged_port.diff spamd_tests_use_rsa2048_self-signed_cert +CVE-2020-1946.patch
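Review bot: in the `exists:` branch of add_test (the hunk at Parser.pm 1238), the new class `[\w.-]+` is a clear improvement over `[^:\s]+`, since none of its characters can terminate or interpolate inside the eval'd string, but note that Perl's `\w` without the `/a` modifier also matches non-ASCII letters and digits, so the check is not ASCII-only; if that is the intent, `[A-Za-z0-9._-]+` or `/a` would make it explicit. Also worth recording somewhere (the changelog entry does not): RFC 5322 allows any printable ASCII except `:` in a field name, so locally maintained rules that use a header name with other characters now hit `lint_warn` and the rule is dropped by the `return`, which is a visible behaviour change for sites with custom .cf files.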
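Review bot: in the second hunk (Parser.pm 1248, the non-`exists:` branch) the added comment says `# $hdr used in eval text, validate carefully`, but no `$hdr` variable is in scope here; the header name is the first capture of the match against `$text`. The comment is copied from the `exists:` hunk and should refer to the captured header name instead, otherwise a later reader will look for a variable that does not exist. The rest of the pattern is unchanged and still restricts the `:addr`-style options to `(?:\:[a-z]+){1,2}`, so only the leading header-name class needed tightening.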
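Review bot: the DEP-3 header of debian/patches/CVE-2020-1946.patch reads only `Description: Fix header rule parsing` and carries no `Bug-Debian:` field; since the changelog ties this upload to CVE-2020-1946 and #985962, the CVE identifier should appear in the Description and the bug in a `Bug-Debian: https://bugs.debian.org/985962` line so the patch file is self-describing when read apart from the changelog. The series hunk appending `CVE-2020-1946.patch` after the existing entries is fine.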
Bug Report
- 2021-03-29 00:21:02: [[[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986064 | 986064]]] spamassassin: Security update failed due to error in post-installation script
CVE Report
- CVE-2020-1946: [local] In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.