Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx5951.htm

SpamAssassin's spamc program in BSMTP mode could be tricked for remote execution



25th Jan 2003 [SBWID-5951]
COMMAND

	SpamAssassin's spamc program in BSMTP mode could be tricked  for  remote
	execution

SYSTEMS AFFECTED

	SpamAssassin versions from 2.40 to 2.43 are affected

PROBLEM

	Timo Sirainen [tss@iki.fi] says :
	
	Attacker may be able to execute arbitrary code by  sending  a  specially
	crafted e-mail to a system using SpamAssassin's spamc program  in  BSMTP
	mode (-B option).
	
	Exim users especially should check if they're affected,  the  -B  option
	is used in several Exim+SpamAssassin HOWTOs.
	
	The problem is with escaping '.' characters at the beginning  of  lines.
	Off-by-one bounds checking error allows writing  '.'  character  past  a
	buffer, overwriting the stack frame address. Depending  on  system  this
	may  be  exploitable.  Pre-built  Debian  unstable/x86  package   wasn't
	vulnerable, my self compiled was.

SOLUTION

	Get release 2.50 when available
	
	 Patch:
	 ======
	
	diff -ru spamassassin-2.43-old/spamd/libspamc.c
	
	spamassassin-2.43/spamd/libspamc.c
	--- spamassassin-2.43-old/spamd/libspamc.c	2002-10-15 18:22:49.000000000 +0300
	+++ spamassassin-2.43/spamd/libspamc.c	2002-12-27 20:19:36.000000000 +0200
	@@ -309,7 +309,7 @@
	       case MESSAGE_BSMTP:
	         total=full_write(fd, m->pre, m->pre_len);
	         for(i=0; i<m->out_len; ){
	-            for(j=0; i<m->out_len && j<sizeof(buffer)/sizeof(*buffer)-1; ){
	+            for(j=0; i<m->out_len && j<sizeof(buffer)/sizeof(*buffer)-2; ){
	                 if(i+1<m->out_len && m->out[i]=='\n' && m->out[i+1]=='.'){
	                     buffer[j++]=m->out[i++];
	                     buffer[j++]=m->out[i++];
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH