-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bogofilter-SA-2010-01

Topic:		heap corruption overrun in bogofilter/bogolexer

Announcement:	bogofilter-SA-2010-01
Writer:		Matthias Andree
Version:	1.0
CVE ID:		CVE-2010-2494
Announced:	2010-07-07
Category:	vulnerability
Type:		array index underflow/out of bounds write through invalid input
Impact:		heap corruption, application crash
Credits:	Julius Plenz
Danger:		medium
URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01

Affected:	bogofilter <= 1.2.1
		SVN checkouts before 2010-07-03 08:40 UTC

Not affected:	bogofilter 1.2.2

1. Background
=============

Bogofilter is a software package for classifying a message as spam or
non-spam.  It uses a data base to store words and must be trained
which messages are spam and non-spam. It uses the probabilities of
individual words for classifying the message.

Note that the bogofilter project is issuing security announcements only
for current "stable" releases, and not necessarily for past "stable"
releases.

2. Problem description
======================

Bogofilter's/bogolexer's base64 could overwrite memory before its heap
buffer if the base64 input started with an equals sign, such as through
misdeclaration of quoted-printable as base64.

3. Impact
=========

Vulnerable bogofilter and bogolexer applications can corrupt their heap and
crash. The consequences are dependent on the local configuration, memory
layout and operating system features.

4. Solution
===========

Upgrade your bogofilter to version 1.2.2 (or a newer release).
This version may not yet be available when this security announcement is
issued.

bogofilter is available from SourceForge:
<https://sourceforge.net/project/showfiles.php?group_id=62265>


Alternatively, this patch to 1.2.1 would fix the issue:
(Note that if you see "- -" at the beginnings of these lines,
you need to run this file through gnupg or pgp to strip the signature
and the "-"-escaping, or manually replace such line beginnings with
"-"). This is an SVN diff of base64.c between revisions 6766 and 6906
and comprises two change sets: 6904 and 6906.

- --- ./src/base64.c	2009/01/12 04:27:36	6766
+++ ./src/base64.c	2010/07/03 08:39:44	6906
@@ -61,8 +61,10 @@
 	    d[i] = c;
 	    v = v >> 8;
 	}
- -	d += 3 - shorten;
- -	count += 3 - shorten;
+    if(shorten != 4) {
+        d += 3 - shorten;
+        count += 3 - shorten;
+    }
     }
     /* XXX do we need this NUL byte? */
     if (word->leng)


A. Copyright, License and Warranty
==================================

(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licenced under the Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy
of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/
or send a letter to Creative Commons, 171 Second Street, Suite 300, San
Francisco, California 94105, USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of bogofilter-SA-2010-01
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)

iEYEARECAAYFAkwzlAkACgkQvmGDOQUufZU2RgCg8eOMJ3Ig3FCuB4M5QVhoG84f
dfgAoJY1HmuaARWOTueXPJBhCSidC1LK
=7zZI
-----END PGP SIGNATURE-----
