On Fri, Feb 22, 2013 at 14:01:45 +0100, Thomas Preud'homme wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package dspam
>
> [Sorry Jonathan for the duplicate]
>
> Current dspam is affected by a corruption of message headers when
> releasing from quarantine. This has for effect that mails are lost when
> releasing from quarantine. A patch has been committed upstream but there
> is some concern about buffer overflow. Hence, although the patch was
> initially backported in sid, it was subsequently removed. See [1] for
> the previous discussion.
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698701#32
>
> Today I've been working on a patch to solve the problem without security
> concern. The patch is not pretty, I know it, but it should do its job.
>
> The patch makes sure recipient points to an area of size at least 256
> bytes. It wasn't always the case initially. The list of places where
> recipient pointer is set is:
>
> % egrep -RIn "recipient[^s]*=" src
> src/dspam.c:503: ATX->recipient = CTX->username;
> src/dspam.c:948: ATX->recipient=args;
> src/dspam.c:1675: ATX->recipient = node_rcpt->ptr;
> src/dspam.c:1683: ATX->recipient = node_nt->ptr;
> src/dspam.c:1694: ATX->recipient = mailbox;
>
> mailbox and args are of respective size 256 and 1024 bytes.
> node_rcpt->ptr and node_nt->ptr on the other hand are exactly the size
> of the string. They are allocated when calling nt_add (which calls
> nt_node_create).
>
> Thus, the approach is to copy node_rcpt->ptr and node_nt->ptr into an
> array of size 256 as well and this size can be used to limit the strlcpy
> when copying CTX->username to ATX->recipient. I don't like to hardcode
> the size but didn't find anything better for now. I'll forward upstream
> and let him find a long term solution.
>
> See attached debdiff for details.
>

That debdiff is for 3.10.2 in sid. Do you have one for 3.10.1?

Thanks,
Julien
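
The sizing invariant described in the quoted request, as an added C illustration that is neither dspam code nor the attached debdiff: every string that a recipient pointer may refer to is first staged in a 256-byte array, so a later bounded copy through that pointer can safely use 256 as its limit. The names `struct agent`, `set_recipient`, `overwrite_recipient` and `bounded_copy` are hypothetical; only the 256-byte size comes from the message.

```c
#include <stdio.h>
#include <string.h>

#define RCPT_BUF_SIZE 256 /* the size named in the message */

/* strlcpy-style copy (strlcpy is not in every libc): always NUL-terminates,
 * returns strlen(src) so the caller can detect truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t len = strlen(src);
    if (dstsize > 0) {
        size_t n = len < dstsize - 1 ? len : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Hypothetical stand-in for the context that owns the recipient pointer. */
struct agent {
    char storage[RCPT_BUF_SIZE];
    char *recipient;
};

/* Stage an exact-size string (such as a list node's ptr) in the fixed array,
 * so recipient is always backed by RCPT_BUF_SIZE bytes. -1 means truncated. */
int set_recipient(struct agent *a, const char *exact_sized)
{
    size_t need = bounded_copy(a->storage, exact_sized, sizeof a->storage);
    a->recipient = a->storage;
    return need < sizeof a->storage ? 0 : -1;
}

/* Later write through recipient, bounded by the size every target now has. */
int overwrite_recipient(struct agent *a, const char *username)
{
    size_t need = bounded_copy(a->recipient, username, RCPT_BUF_SIZE);
    return need < RCPT_BUF_SIZE ? 0 : -1;
}

int main(void)
{
    struct agent a;
    const char *node_ptr = "bob"; /* constructed: exactly 4 bytes of storage */
    if (set_recipient(&a, node_ptr) != 0) return 1;
    int rc = overwrite_recipient(&a, "a-much-longer-user@example.org");
    printf("rc=%d recipient=%s\n", rc, a.recipient);
    return rc;
}
```

Had `recipient` pointed directly at the 4-byte string, the same 256-byte limit in `overwrite_recipient` would have permitted a write past the end of that storage.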