Date: Tue, 04 Dec 2012 00:02:24 +0100 From: Matthias Andree <matthias.andree@....de> To: oss-security@...ts.openwall.com Subject: CVE-2012-5468: bogofilter-SA-2012-01 bogofilter-SA-2012-01 Topic: heap corruption overrun in bogofilter/bogolexer Announcement: bogofilter-SA-2012-01 Writer: Matthias Andree Version: 1.0 CVE ID: CVE-2012-5468 Announced: 2012-12-03 Category: vulnerability Type: out of bounds write through invalid input Impact: heap corruption, application crash Credits: Julius Plenz (FU Berlin, Germany) Danger: medium URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01 Affected: bogofilter <= 1.2.2 SVN checkouts before 2012-10-19 UTC (-r6972) Not affected: bogofilter 1.2.3 (r6973) and newer 1. Background ============= Bogofilter is a software package for classifying a message as spam or non-spam. It uses a data base to store words and must be trained which messages are spam and non-spam. It uses the probabilities of individual words for classifying the message. Note that the bogofilter project is issuing security announcements only for current "stable" releases, and not necessarily for past "stable" releases. 2. Problem description ====================== Julius Plenz figured out that bogofilter's/bogolexer's base64 could overwrite heap memory in the character set conversion in certain pathological cases of invalid base64 code that decodes to incomplete multibyte characters. 3. Impact ========= Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash. 4. Solution =========== Upgrade your bogofilter to version 1.2.3 (or a newer release). bogofilter is available from SourceForge: <https://sourceforge.net/project/showfiles.php?group_id=62265> A. Copyright, License and Warranty ================================== (C) Copyright 2012 by Matthias Andree, <matthias.andree@....de>. Some rights reserved. This work is licensed under the Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a letter to: Creative Commons 444 Castro Street Suite 900 MOUNTAIN VIEW, CALIFORNIA 94041 USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END of bogofilter-SA-2012-01 Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.