Hello community, here is the log from the commit of package spamassassin for openSUSE:Leap:15.2 checked in at 2020-04-08 12:47:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/spamassassin (Old) and /work/SRC/openSUSE:Leap:15.2/.spamassassin.new.3248 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spamassassin" Wed Apr 8 12:47:59 2020 rev:32 rq:790067 version:unknown Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/spamassassin/spamassassin.changes 2020-01-15 16:03:35.331930817 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.spamassassin.new.3248/spamassassin.changes 2020-04-08 12:48:05.526333644 +0200
@@ -1,0 +2,23 @@
+Tue Mar 24 13:55:11 UTC 2020 - Peter Varkoly <[email protected]>
+
+- CVE-2020-1930: Nefarious rule configuration (.cf) files can be
+ configured to run system commands (bsc#1162197)
+- CVE-2020-1931: Nefarious rule configuration (.cf) files can be
+ configured to run system commands with warnings (bsc#1162200)
+ Apply upstream patches:
+ CVE-2020-1930.diff
+ CVE-2020-1931.diff
+
+-------------------------------------------------------------------
+Wed Jul 24 10:54:20 UTC 2019 - Peter Varkoly <[email protected]>
+
+- CVE-2018-11805: spamassassin: CVE Level issue with Rule Files
+ (bsc#1118987)
+- spamassassin 3.3.2 and Perl 5.18.0: Altering hash requires
+ restarting loop else UNDEFINED behavior.
+ (bsc#862963)
+- Added Upstream patches
+ CVE-Level-issue-with-Rule-Files.patch
+ Altering-hash-requires-restarting-loop.patch
+
+-------------------------------------------------------------------
New: ---- Altering-hash-requires-restarting-loop.patch CVE-2020-1930.diff CVE-2020-1931.diff CVE-Level-issue-with-Rule-Files.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spamassassin.spec ++++++
--- /var/tmp/diff_new_pack.n7Oz6f/_old 2020-04-08 12:48:06.486334128 +0200
+++ /var/tmp/diff_new_pack.n7Oz6f/_new 2020-04-08 12:48:06.490334130 +0200
@@ -54,6 +54,12 @@ Patch3: patch-SQL_ASCII_SORT Patch6: bnc#582111.diff Patch10: iXhash2-meta-rules.patch +# PATCH-FIX-UPSTREAM 6937 - 3.3.2 and Perl 5.18.0: Altering hash requires restarting loop else UNDEFINED behavior. +Patch11: Altering-hash-requires-restarting-loop.patch +# PATCH-FIX-UPSTREAM 7647 - CVE-2018-11805: spamassassin: CVE Level issue with Rule Files +Patch12: CVE-Level-issue-with-Rule-Files.patch +Patch13: CVE-2020-1930.diff +Patch14: CVE-2020-1931.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %{perl_requires} PreReq: %fillup_prereq @@ -176,6 +182,10 @@ %patch3 -p0 %patch6 -p0 %patch10 -p0 +%patch11 -p1 +%patch12 -p0 +%patch13 -p0 +%patch14 -p0 %build if [ -e t/data/whitelists/winxpnews.com ]; then ++++++ Altering-hash-requires-restarting-loop.patch ++++++ diff -urp Mail-SpamAssassin-3.4.0-orig/lib/Mail/SpamAssassin/AsyncLoop.pm Mail-SpamAssassin-3.4.0/lib/Mail/SpamAssassin/AsyncLoop.pm --- Mail-SpamAssassin-3.4.0-orig/lib/Mail/SpamAssassin/AsyncLoop.pm 2014-02-07 09:36:28.000000000 +0100 +++ Mail-SpamAssassin-3.4.0/lib/Mail/SpamAssassin/AsyncLoop.pm 2014-02-13 17:21:40.915266502 +0100 @@ -428,7 +428,14 @@ sub complete_lookups { my $r = $self->{total_queries_completed} / $self->{total_queries_started}; my $r2 = $r * $r; # 0..1 my $max_deadline; - while (my($key,$ent) = each %$pending) { + # A callback routine may generate another DNS query, which may insert + # an entry into the %$pending hash thus invalidating the each() context. + # So, make sure that callbacks are not called while the each() context + # is open, or avoid using each(). [Bug 6937] + # + # while (my($key,$ent) = each %$pending) { + foreach my $key (keys %$pending) { + my $ent = $pending->{$key}; my $t_init = $ent->{timeout_initial}; my $dt = $t_init - ($t_init - $ent->{timeout_min}) * $r2; my $deadline = $ent->{start_time} + $dt; 
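Review bot: `Patch13` and `Patch14` are added without the `# PATCH-FIX-UPSTREAM` comment lines that `Patch11` and `Patch12` get directly above them, so the spec itself does not record which issue each of the two CVE fixes addresses or where it came from. A line such as `# PATCH-FIX-UPSTREAM bsc#1162197 - CVE-2020-1930: rule configuration files can run system commands` above `Patch13`, and the bsc#1162200 / CVE-2020-1931 equivalent above `Patch14`, would keep the patch list auditable without having to consult the changes file.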
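Review bot: Iterating over `keys %$pending` works on a snapshot, so if code run from inside the loop removes another pending entry, `$pending->{$key}` comes back undef and the `$ent->{timeout_initial}` arithmetic that follows runs on undefined values. The added comment only mentions insertion, so removal is an assumption. `my $ent = $pending->{$key}; next if !defined $ent;` would make the loop tolerant of that, and the same two lines are added to abort_remaining_lookups in the @@ -543,7 hunk. The commented-out `# while (my($key,$ent) = each %$pending) {` line can be dropped, since the explanation above it already records why each() is avoided. Both loop bodies continue outside their hunks.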
@@ -543,7 +550,8 @@ sub abort_remaining_lookups { my $foundcnt = 0; my $now = time; - while (my($key,$ent) = each %$pending) { + foreach my $key (keys %$pending) { + my $ent = $pending->{$key}; dbg("async: aborting after %.3f s, %s: %s", $now - $ent->{start_time}, (defined $ent->{timeout_initial} && diff -urp Mail-SpamAssassin-3.4.0-orig/lib/Mail/SpamAssassin/Message.pm Mail-SpamAssassin-3.4.0/lib/Mail/SpamAssassin/Message.pm --- Mail-SpamAssassin-3.4.0-orig/lib/Mail/SpamAssassin/Message.pm 2014-02-07 09:36:28.000000000 +0100 +++ Mail-SpamAssassin-3.4.0/lib/Mail/SpamAssassin/Message.pm 2014-02-13 17:21:51.731346856 +0100 @@ -611,7 +611,7 @@ sub finish { while (my $part = shift @toclean) { # bug 5557: windows requires tmp file be closed before it can be rm'd if (ref $part->{'raw'} eq 'GLOB') { - close($part->{'raw'}) or die "error closing input file: $!"; + close($part->{'raw'}) or warn "error closing input file: $!"; } # bug 5858: avoid memory leak with deep MIME structure ++++++ CVE-2020-1930.diff ++++++ Index: lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm =================================================================== --- lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm (revision 1872750) +++ lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm (working copy) @@ -89,17 +89,18 @@ loop_body => sub { my ($self, $pms, $conf, $rulename, $pat, %opts) = @_; - $pat = untaint_var($pat); - my $sub; + my $sub = ' + my $qrptr = $self->{main}->{conf}->{test_qrs}; + '; if (($conf->{tflags}->{$rulename}||'') =~ /\bmultiple\b/) { # avoid [perl #86784] bug (fixed in 5.13.x), access the arg through ref - $sub = ' + $sub .= ' my $lref = \$_[1]; pos $$lref = 0; '.$self->hash_line_for_rule($pms, $rulename).' - while ($$lref =~ '.$pat.'g) { + while ($$lref =~ /$qrptr->{q{'.$rulename.'}}/go) { my $self = $_[0]; $self->got_hit(q{'.$rulename.'}, "BODY: ", ruletype => "one_line_body"); '. $self->hit_rule_plugin_code($pms, $rulename, "one_line_body", 
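Review bot: The change from `die` to `warn` on a failed close() in finish() carries no comment saying why the error is now non-fatal, and the neighbouring comments only cover bugs 5557 and 5858. If the intent is that one bad handle must not stop cleanup of the remaining parts, a line such as `# a failed close must not abort cleanup of the remaining parts` above the close() would record it. The change also sits in a patch named for the each()/hash issue, so a reader tracing that bug will not expect it here. The while loop continues outside the hunk.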
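Review bot: Both generated branches still splice `$rulename` into the eval'd source inside `q{...}`, so the safety of the compiled sub now rests entirely on rule names having been validated before loop_body runs, and that validation is not visible in this hunk. A comment above `my $sub`, for example `# $rulename is interpolated into generated code and must already be a validated rule name`, would keep that invariant from being lost in later edits. Separately, if `test_qrs` has no entry for the rule, `/$qrptr->{...}/` interpolates to an empty pattern, which Perl treats as a request to reuse the last successfully matched pattern; checking `defined $conf->{test_qrs}->{$rulename}` before generating the code would avoid that, assuming `$conf` is the same object the generated code reaches through `$self->{main}->{conf}`. The same applies to the `if` branch in the @@ -108,9 hunk, and loop_body continues past both hunks.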
@@ -108,9 +109,9 @@ '; } else { - $sub = ' + $sub .= ' '.$self->hash_line_for_rule($pms, $rulename).' - if ($_[1] =~ '.$pat.') { + if ($_[1] =~ /$qrptr->{q{'.$rulename.'}}/o) { my $self = $_[0]; $self->got_hit(q{'.$rulename.'}, "BODY: ", ruletype => "one_line_body"); '. $self->hit_rule_plugin_code($pms, $rulename, "one_line_body", "return 1") . ' ++++++ CVE-2020-1931.diff ++++++ Index: lib/Mail/SpamAssassin/Conf.pm =================================================================== --- lib/Mail/SpamAssassin/Conf.pm (revision 1872750) +++ lib/Mail/SpamAssassin/Conf.pm (working copy) @@ -3496,6 +3496,20 @@ setting => 'priority', is_priv => 1, type => $CONF_TYPE_HASH_KEY_VALUE, + code => sub { + my ($self, $key, $value, $line) = @_; + my ($rulename, $priority) = split(/\s+/, $value, 2); + unless (defined $priority) { + return $MISSING_REQUIRED_VALUE; + } + unless ($rulename =~ IS_RULENAME) { + return $INVALID_VALUE; + } + unless ($priority =~ /^-?\d+$/) { + return $INVALID_VALUE; + } + $self->{priority}->{$rulename} = $priority; + } }); =back --- lib/Mail/SpamAssassin/Plugin/Check.pm.orig 2020-03-24 14:30:34.597938332 +0100 +++ lib/Mail/SpamAssassin/Plugin/Check.pm 2020-03-24 14:43:26.084199675 +0100 @@ -551,7 +551,7 @@ foreach my $token (@tokens) { # ... rulename? - if ($token =~ /^${RULENAME_RE}\z/) { + if ($token =~ IS_RULENAME) { # the " || 0" formulation is to avoid "use of uninitialized value" # warnings; this is better than adding a 0 to a hash for every # rule referred to in a meta... --- lib/Mail/SpamAssassin/Conf/Parser.pm.orig 2020-03-24 14:30:45.598084233 +0100 +++ lib/Mail/SpamAssassin/Conf/Parser.pm 2020-03-24 14:45:51.122129352 +0100 @@ -1190,7 +1190,7 @@ my $conf = $self->{conf}; # Don't allow invalid names ... - if ($name !~ /^${RULENAME_RE}$/) { + if ($name !~ IS_RULENAME) { $self->lint_warn("config: error: rule '$name' has invalid characters ". "(not Alphanumeric + Underscore + starting with a non-digit)\n", $name); return; 
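Review bot: The new validators anchor with `$`, which in Perl also matches before a trailing newline, so a priority of "10" followed by a newline passes `/^-?\d+$/` and a rule name with a trailing newline passes `IS_RULENAME`. Given that the changelog ties this validation to CVE-2020-1931, `\z` is the safer anchor: `unless ($priority =~ /^-?\d+\z/) {` in the Conf.pm hunk and `use constant IS_RULENAME => qr/^${\(RULENAME_RE)}\z/;` in the Constants.pm hunk. The Check.pm @@ -551,7 and Parser.pm @@ -1351,7 hunks replace patterns that ended in `\z` with `IS_RULENAME`, so those two checks become slightly looser than they were before the commit. Whether a newline can actually reach these values depends on how the parser splits configuration lines, which is not visible here.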
@@ -1351,7 +1351,7 @@ # Go through each token in the meta rule foreach my $token (@tokens) { # If the token is a syntactically legal rule name, make it zero - if ($token =~ /^${RULENAME_RE}\z/s) { + if ($token =~ IS_RULENAME) { $meta .= "0 "; } # if it is a number or a string of 1 or 2 punctuation characters (i.e. operators) tack it onto the degenerate rule --- lib/Mail/SpamAssassin/Constants.pm.orig 2020-03-24 14:30:54.586203447 +0100 +++ lib/Mail/SpamAssassin/Constants.pm 2020-03-24 14:47:05.279115983 +0100 @@ -44,6 +44,7 @@ MAX_BODY_LINE_LENGTH MAX_HEADER_KEY_LENGTH MAX_HEADER_VALUE_LENGTH MAX_HEADER_LENGTH ARITH_EXPRESSION_LEXER AI_TIME_UNKNOWN CHARSETS_LIKELY_TO_FP_AS_CAPS MAX_URI_LENGTH RULENAME_RE + IS_RULENAME ); %EXPORT_TAGS = ( @@ -405,4 +406,7 @@ # Allowed rulename format use constant RULENAME_RE => qr([_a-zA-Z][_a-zA-Z0-9]{0,127}); +# Exact match +use constant IS_RULENAME => qr/^${\(RULENAME_RE)}$/; + 1; ++++++ CVE-Level-issue-with-Rule-Files.patch ++++++ ++++ 2784 lines (skipped)
