
Review Debian update: spamassassin
Closed, ResolvedPublic

Description

DebDiff Report spamassassin: 3.4.2-1+deb10u2 -> 3.4.2-1+deb10u3
diff -Nru spamassassin-3.4.2/debian/changelog spamassassin-3.4.2/debian/changelog
--- spamassassin-3.4.2/debian/changelog 2020-01-30 17:50:54.000000000 +0100
+++ spamassassin-3.4.2/debian/changelog 2021-03-26 23:04:43.000000000 +0100
@@ -1,3 +1,10 @@
+spamassassin (3.4.2-1+deb10u3) buster-security; urgency=high
+
+  * Import upstream fix for CVE-2020-1946: arbitrary code execution via
+    malicious rule files. (Closes: #985962)
+
+ -- Noah Meyerhans <noahm@debian.org>  Fri, 26 Mar 2021 15:04:43 -0700
+
 spamassassin (3.4.2-1+deb10u2) buster-security; urgency=medium
 
   * Security update to address
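Review bot: the changelog entry is complete for a security upload: CVE id, a one-line impact statement, `Closes: #985962` and `urgency=high` for a code-execution fix; the signature date `Fri, 26 Mar 2021 15:04:43 -0700` agrees with the file timestamp `2021-03-26 23:04:43 +0100` in the diff header. No change requested for this hunk.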
diff -Nru spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch
--- spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch       1970-01-01 01:00:00.000000000 +0100
+++ spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch       2021-03-26 23:04:43.000000000 +0100
@@ -0,0 +1,31 @@
+Description: Fix header rule parsing
+Origin: upstream, https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Conf/Parser.pm?r1=1864416&r2=1876381&pathrev=1876381
+Applied-Upstream: 3.4.5
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: spamassassin/lib/Mail/SpamAssassin/Conf/Parser.pm
===================================================================
--- spamassassin.orig/lib/Mail/SpamAssassin/Conf/Parser.pm
+++ spamassassin/lib/Mail/SpamAssassin/Conf/Parser.pm
@@ -1238,9 +1238,9 @@ sub add_test {
     # no re "strict";  # since perl 5.21.8: Ranges of ASCII printables...
     if ($text =~ /^exists:(.*)/) {
       my $hdr = $1;
-      # never evaled, so can be quite generous with the name
       # check :addr etc header options
-      if ($hdr !~ /^[^:\s]+:?$/) {
+      # $hdr used in eval text, validate carefully
+      if ($hdr !~ /^[\w.-]+:?$/) {
         $self->lint_warn("config: invalid head test $name header: $hdr");
         return;
       }
@@ -1248,7 +1248,8 @@ sub add_test {
       $conf->{test_opt_header}->{$name} = $hdr;
       $conf->{test_opt_exists}->{$name} = 1;
     } else {
-      if ($text !~ /^([^:\s]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) {
+      # $hdr used in eval text, validate carefully
+      if ($text !~ /^([\w.-]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) {
         $self->lint_warn("config: invalid head test $name: $text");
         return;
       }
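Review bot: the DEP-3 header of the new patch file has Description, Origin and Applied-Upstream but no bug reference; add `Bug-Debian: https://bugs.debian.org/985962` (the bug the changelog entry closes) so the patch is traceable without consulting debian/changelog. On substance the change matches the upstream r1876381 revision linked in Origin: both the `exists:` branch and the `=~`/`!~` branch now restrict the header name to `[\w.-]+` instead of `[^:\s]+`, which is the right fix because `$hdr` is interpolated into text that is later evaluated (the removed comment `# never evaled` was the wrong assumption); the only user-visible effect is that rule files with header names containing characters outside word characters, `.` and `-` are now rejected through the existing `lint_warn` path rather than parsed. The hunk counts (`-1238,9 +1238,9` and `-1248,7 +1248,8`) are consistent with the lines shown. Note that from the `---` separator onward the leading `+` of the outer `@@ -0,0 +1,31 @@` hunk is missing in this rendering, so the inner diff reads as if applied directly; that is a display artifact, not a defect in the upload.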
diff -Nru spamassassin-3.4.2/debian/patches/series spamassassin-3.4.2/debian/patches/series
--- spamassassin-3.4.2/debian/patches/series    2020-01-30 17:50:54.000000000 +0100
+++ spamassassin-3.4.2/debian/patches/series    2021-03-26 23:04:43.000000000 +0100
@@ -10,3 +10,4 @@
 CVE-2020-1931
 spamd_tests_use_unprivileged_port.diff
 spamd_tests_use_rsa2048_self-signed_cert
+CVE-2020-1946.patch
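Review bot: the new `CVE-2020-1946.patch` entry is appended at the end of debian/patches/series, which is the expected placement for a new security patch and matches the filename added under debian/patches. Naming is inconsistent with the preceding `CVE-2020-1931` entry (no `.patch` suffix); harmless, but worth aligning to one convention in a future upload.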

Event Timeline

Update matches upstream patches

Mentioned in SAL (#wikimedia-operations) [2021-03-30T12:55:24Z] <jbond42> update spamassasin on lists,otrs and mx T278820

jbond claimed this task.

The update has now been deployed.