Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size
On Mon, 23 Nov 2020 12:53:59 -0800 Maxime Arthaud wrote:
> On Thu, 7 May 2020 16:19:11 +0200 Matthias Andree wrote:
> > https://sourceforge.net/p/bogofilter/bugs/116/#52a0
> >
> > i. e. this was fixed 91 commits before bogofilter-1.2.5.rc1. I
> > don't know if the commit (Git cd33fc00802a75fe7b3b8a967bf879f7bc33c320)
> > works standalone or only in context, and I'm not researching this
> > because for me as upstream maintainer, this is done with the 1.2.5
> > release.
> >
> > => I think someone should package 1.2.5 for sid/unstable... more
> > than half a year after its release.
>
> I'm still seeing these errors 6 months later. Is something preventing
> it from being pushed on buster?

The package maintainer (https://packages.debian.org/sid/bogofilter) has
not packaged 1.2.5 for sid. You could bother them, or try to assist
them (somehow).

As for buster, usually only the most severe bugs get fixed in the
stable release. Generally that means security problems. I don't know
who gets to decide.

Once 1.2.5 gets into sid it can be put into backports.debian.org, if
somebody does that.

Regards,
Karl

Free Software: "You don't pay back, you pay forward."
  -- Robert A. Heinlein
Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size
On Thu, 7 May 2020 16:19:11 +0200 Matthias Andree wrote:
> https://sourceforge.net/p/bogofilter/bugs/116/#52a0
>
> i. e. this was fixed 91 commits before bogofilter-1.2.5.rc1. I don't
> know if the commit (Git cd33fc00802a75fe7b3b8a967bf879f7bc33c320) works
> standalone or only in context, and I'm not researching this because for
> me as upstream maintainer, this is done with the 1.2.5 release.
>
> => I think someone should package 1.2.5 for sid/unstable... more than
> half a year after its release.

I'm still seeing these errors 6 months later. Is something preventing
it from being pushed on buster?

Best regards,
--
Maxime Arthaud
Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size
https://sourceforge.net/p/bogofilter/bugs/116/#52a0

i. e. this was fixed 91 commits before bogofilter-1.2.5.rc1. I don't
know if the commit (Git cd33fc00802a75fe7b3b8a967bf879f7bc33c320) works
standalone or only in context, and I'm not researching this because for
me as upstream maintainer, this is done with the 1.2.5 release.

=> I think someone should package 1.2.5 for sid/unstable... more than
half a year after its release.
Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size
Package: bogofilter
Version: 1.2.4+dfsg1-6
Followup-For: Bug #733622

I confirm this bug on jessie (1.2.4+dfsg1-3), and also in the current
sid version (1.2.4+dfsg1-6), on amd64.

I think my previous report wasn't delivered due to annexing a sample
spam message, so instead I'm linking it:
https://namakajiri.net/misc/breaks_bogofilter.spam.eml

Here's the behavior I get:

  $ bogofilter -p < breaks_bogofilter.spam.eml
  *** Error in `bogofilter': realloc(): invalid next size: 0x7f70697dad60 ***
  Aborted

  # no problems detected with wordlist.db, which includes both spam and
  # ham tokens.
  $ bogoutil --db-verify ~/.bogofilter/wordlist.db
  # success.
  # a brand-new db still triggers the bug.

The spam is base64-encoded HTML email, like most. I got it from
postcat(1), after finding the realloc() messages in mail.log.
Spamassassin, Rspamd etc. handle it just fine:

  $ spamc --full < breaks_bogofilter.spam.txt
  [...]
  Content preview:  Netshoes.com.br Caso não consiga visualizar as imagens
     selecione "Sempre mostrar conteúdo" ou Acesse esse link. Você, que é
     cadastrado no [...]

  Content analysis details:   (8.3 points, 5.0 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
   1.9 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                              [URIs: descontocomqualidade.com.br]
   2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
  [...]

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bogofilter depends on:
ii  bogofilter-bdb [bogofilter-db]  1.2.4+dfsg1-6
ii  bogofilter-common               1.2.4+dfsg1-6

bogofilter recommends no packages.

bogofilter suggests no packages.

-- no debconf information
Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size
Good news: on Debian sid there is no problem.

  root@b484630d40e2:~/bogofilter-1.2.4/src# ./bogofilter -v -u -I mbox.PB
  X-Bogosity: Unsure, tests=bogofilter, spamicity=0.52, version=1.2.4

On Wed, 22 Oct 2014 14:49:12 +0200 Mathieu Goulin wrote:
> Hi,
>
> I'm able to reproduce the bug with the trunk version of bogofilter. It
> seems to be a problem in memory management when converting strings to utf8.
>
> When I build bogofilter with configure option "--disable-unicode",
> bogofilter doesn't crash.
>
> *The result with gdb:*
> *** Error in `/root/bogofilter-code/bogofilter/src/bogofilter': realloc():
> invalid next size: 0x00662e50 ***
>
> Program received signal SIGABRT, Aborted.
> 0x76d3d077 in __GI_raise (sig=sig@entry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> 56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> #0  0x76d3d077 in __GI_raise (sig=sig@entry=6) at
>     ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x76d3e458 in __GI_abort () at abort.c:89
> #2  0x76d7afb4 in __libc_message (do_abort=do_abort@entry=1,
>     fmt=fmt@entry=0x76e6dbc0 "*** Error in `%s': %s: 0x%s ***\n") at
>     ../sysdeps/posix/libc_fatal.c:175
> #3  0x76d8078e in malloc_printerr (action=1, str=0x76e69d82
>     "realloc(): invalid next size", ptr=<optimized out>) at malloc.c:4996
> #4  0x76d8356b in _int_realloc (av=av@entry=0x770aa620 <main_arena>,
>     oldp=oldp@entry=0x662e40, oldsize=oldsize@entry=32928,
>     nb=nb@entry=32976) at malloc.c:4234
> #5  0x76d84569 in __GI___libc_realloc (oldmem=0x662e50, bytes=32968)
>     at malloc.c:3029
> #6  0x0040a830 in yyrealloc (size=<optimized out>, ptr=<optimized out>)
>     at lexer_v3.c:4044
> #7  yy_get_next_buffer () at lexer_v3.c:3204
> #8  yylex () at lexer_v3.c:3005
> #9  0x0040f5ca in parse_new_token (token=0x7fffead0) at token.c:206
> #10 get_token (token=token@entry=0x7fffead0) at token.c:153
> #11 0x00405f31 in collect_words (wh=wh@entry=0x63e740) at collect.c:48
> #12 0x004029e6 in bogofilter (argc=argc@entry=0, argv=<optimized out>)
>     at bogofilter.c:97
> #13 0x00404957 in bogomain (argc=argc@entry=4, argv=argv@entry=0x7fffec88)
>     at bogomain.c:67
> #14 0x004027a4 in main (argc=4, argv=0x7fffec88) at main.c:31
>
>
> *The result with valgrind :*
>
> ==4663== Invalid write of size 1
> ==4663==    at 0x5B8815C: internal_utf8_loop (loop.c:331)
> ==4663==    by 0x5B8815C: __gconv_transform_internal_utf8 (skeleton.c:611)
> ==4663==    by 0x5B88D98: __gconv_transform_utf8_internal (skeleton.c:674)
> ==4663==    by 0x5B83DB9: __gconv (gconv.c:79)
> ==4663==    by 0x5B83358: iconv (iconv.c:52)
> ==4663==    by 0x41BFC7: convert (iconvert.c:91)
> ==4663==    by 0x41C1DD: iconvert (iconvert.c:196)
> ==4663==    by 0x409977: get_decoded_line (lexer.c:226)
> ==4663==    by 0x409C19: yyinput (lexer.c:327)
> ==4663==    by 0x40BE46: yy_get_next_buffer (lexer_v3.c:3176)
Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size
Hi,

I'm able to reproduce the bug with the trunk version of bogofilter. It
seems to be a problem in memory management when converting strings to utf8.

When I build bogofilter with configure option --disable-unicode,
bogofilter doesn't crash.

*The result with gdb:*

  *** Error in `/root/bogofilter-code/bogofilter/src/bogofilter': realloc(): invalid next size: 0x00662e50 ***

  Program received signal SIGABRT, Aborted.
  0x76d3d077 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  (gdb) bt
  #0  0x76d3d077 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  #1  0x76d3e458 in __GI_abort () at abort.c:89
  #2  0x76d7afb4 in __libc_message (do_abort=do_abort@entry=1,
      fmt=fmt@entry=0x76e6dbc0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
  #3  0x76d8078e in malloc_printerr (action=1, str=0x76e69d82 "realloc(): invalid next size",
      ptr=<optimized out>) at malloc.c:4996
  #4  0x76d8356b in _int_realloc (av=av@entry=0x770aa620 <main_arena>, oldp=oldp@entry=0x662e40,
      oldsize=oldsize@entry=32928, nb=nb@entry=32976) at malloc.c:4234
  #5  0x76d84569 in __GI___libc_realloc (oldmem=0x662e50, bytes=32968) at malloc.c:3029
  #6  0x0040a830 in yyrealloc (size=<optimized out>, ptr=<optimized out>) at lexer_v3.c:4044
  #7  yy_get_next_buffer () at lexer_v3.c:3204
  #8  yylex () at lexer_v3.c:3005
  #9  0x0040f5ca in parse_new_token (token=0x7fffead0) at token.c:206
  #10 get_token (token=token@entry=0x7fffead0) at token.c:153
  #11 0x00405f31 in collect_words (wh=wh@entry=0x63e740) at collect.c:48
  #12 0x004029e6 in bogofilter (argc=argc@entry=0, argv=<optimized out>) at bogofilter.c:97
  #13 0x00404957 in bogomain (argc=argc@entry=4, argv=argv@entry=0x7fffec88) at bogomain.c:67
  #14 0x004027a4 in main (argc=4, argv=0x7fffec88) at main.c:31

*The result with valgrind :*

  ==4663== Invalid write of size 1
  ==4663==    at 0x5B8815C: internal_utf8_loop (loop.c:331)
  ==4663==    by 0x5B8815C: __gconv_transform_internal_utf8 (skeleton.c:611)
  ==4663==    by 0x5B88D98: __gconv_transform_utf8_internal (skeleton.c:674)
  ==4663==    by 0x5B83DB9: __gconv (gconv.c:79)
  ==4663==    by 0x5B83358: iconv (iconv.c:52)
  ==4663==    by 0x41BFC7: convert (iconvert.c:91)
  ==4663==    by 0x41C1DD: iconvert (iconvert.c:196)
  ==4663==    by 0x409977: get_decoded_line (lexer.c:226)
  ==4663==    by 0x409C19: yyinput (lexer.c:327)
  ==4663==    by 0x40BE46: yy_get_next_buffer (lexer_v3.c:3176)
  ==4663==    by 0x40BA71: yylex (lexer_v3.c:3005)
  ==4663==    by 0x413D5A: parse_new_token (token.c:206)
  ==4663==    by 0x413BB2: get_token (token.c:153)
  ==4663==  Address 0x6211390 is 16 bytes after a block of size 32,976 in arena "client"

Regards
--
Mathieu Goulin
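Added example, not bogofilter's code and not the upstream fix referenced earlier in this thread. The valgrind trace above places the one-byte out-of-bounds write inside iconv(3), called from bogofilter's convert() in iconvert.c, 16 bytes past the end of a 32,976-byte heap block; the "realloc(): invalid next size" abort is glibc's malloc noticing the damaged chunk header on the next reallocation. iconv writes no further than the *outbytesleft value its caller hands it, so the invariant a caller has to keep is that outbytesleft never exceeds the bytes that really remain in the allocation, and that a full buffer (E2BIG) is handled by growing the buffer and recomputing the output pointer and remaining count from the new allocation rather than by over-stating the size up front. The wrapper below keeps that invariant using glibc's iconv; the charset names, the Latin-1 sample text and the self-check functions are constructed for this illustration and say nothing about what iconvert.c actually did wrong.

```c
/* Added example (not bogofilter's code): a defensive iconv(3) wrapper that
 * grows its output buffer on E2BIG, so the converter can never be handed an
 * outbytesleft larger than the memory behind the output pointer. */
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Convert inlen bytes of `in` (charset `from`) to UTF-8.  Returns a malloc'd,
 * NUL-terminated buffer and stores the byte length (without the NUL) in
 * *outlen; returns NULL on invalid input or allocation failure. */
char *to_utf8(const char *from, const char *in, size_t inlen, size_t *outlen)
{
    iconv_t cd = iconv_open("UTF-8", from);
    if (cd == (iconv_t)-1)
        return NULL;

    size_t cap = inlen + 16;            /* first guess; grown on E2BIG below */
    char *out = malloc(cap);
    if (out == NULL) {
        iconv_close(cd);
        return NULL;
    }
    char *inp = (char *)in;             /* iconv takes char**, not const */
    size_t inleft = inlen;
    char *outp = out;
    size_t outleft = cap - 1;           /* reserve one byte for the NUL */

    while (inleft > 0) {
        if (iconv(cd, &inp, &inleft, &outp, &outleft) != (size_t)-1)
            break;                      /* whole input consumed */
        if (errno != E2BIG) {           /* EILSEQ / EINVAL: reject the input */
            free(out);
            iconv_close(cd);
            return NULL;
        }
        /* Output buffer full: grow it, then re-derive outp and outleft from
         * the new allocation so they always describe memory that exists. */
        size_t used = (size_t)(outp - out);
        size_t newcap = cap * 2;
        char *tmp = realloc(out, newcap);
        if (tmp == NULL) {
            free(out);
            iconv_close(cd);
            return NULL;
        }
        out = tmp;
        cap = newcap;
        outp = out + used;
        outleft = cap - used - 1;       /* NUL byte still reserved */
    }
    iconv_close(cd);
    *outp = '\0';
    *outlen = (size_t)(outp - out);
    return out;
}

/* Self-checks (constructed samples): Latin-1 text with two accented letters
 * converts to the expected UTF-8 bytes, and a lone continuation byte in
 * supposed UTF-8 is rejected instead of being passed through. */
int selftest_small(void)
{
    size_t n = 0;
    char *s = to_utf8("ISO-8859-1", "Voc\xea, que \xe9", 11, &n);
    int ok = s != NULL && n == 13 &&
             memcmp(s, "Voc\xc3\xaa, que \xc3\xa9", 14) == 0;
    free(s);
    char *bad = to_utf8("UTF-8", "\x80", 1, &n);
    ok = ok && bad == NULL;
    free(bad);
    return ok;
}

/* 2000 bytes of 0xE9 expand to 4000 UTF-8 bytes, which overflows the initial
 * guess of inlen + 16 and exercises the E2BIG/realloc path. */
int selftest_growth(void)
{
    enum { N = 2000 };
    char in[N];
    memset(in, 0xe9, N);
    size_t n = 0;
    char *s = to_utf8("ISO-8859-1", in, N, &n);
    int ok = s != NULL && n == 2 * N;
    for (size_t i = 0; ok && i < N; i++)
        ok = (unsigned char)s[2 * i] == 0xc3 &&
             (unsigned char)s[2 * i + 1] == 0xa9;
    free(s);
    return ok;
}

int main(void)
{
    int small = selftest_small(), growth = selftest_growth();
    printf("small: %s\ngrowth: %s\n", small ? "ok" : "FAIL",
           growth ? "ok" : "FAIL");
    return small && growth ? 0 : 1;
}
```

Build with plain `cc` on a glibc or musl system (iconv is in libc there; other platforms may need `-liconv`). Running it under valgrind is the relevant check for this thread: with the output pointer and remaining count always derived from the live allocation, the "Invalid write" that Mathieu's trace shows cannot come from the caller's side of the iconv call.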