Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size

2020-11-24 Thread Karl O. Pinc
On Mon, 23 Nov 2020 12:53:59 -0800
Maxime Arthaud  wrote:

> On Thu, 7 May 2020 16:19:11 +0200 Matthias Andree 
> wrote:
> > https://sourceforge.net/p/bogofilter/bugs/116/#52a0
> >
> > i. e. this was fixed 91 commits before bogofilter-1.2.5.rc1. I
> > don't know if the commit (Git
> > cd33fc00802a75fe7b3b8a967bf879f7bc33c320) works standalone or only
> > in context, and I'm not researching this because for me as
> > upstream maintainer, this is done with the 1.2.5 release.
> > => I think someone should package 1.2.5 for sid/unstable... more
> > than half a year after its release.
> 
> 
> I'm still seeing these errors 6 months later. Is something preventing
> it from being pushed on buster?

The package maintainer (https://packages.debian.org/sid/bogofilter)
has not packaged 1.2.5 for sid.  You could bother them, or try
to assist them (somehow).

As for buster, usually only the most severe bugs get fixed
in the stable release.  Generally that means security problems.
I don't know who gets to decide.

Once 1.2.5 gets into sid it can be put into backports.debian.org,
if somebody does that.

Regards,

Karl 
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein



Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size

2020-11-23 Thread Maxime Arthaud
On Thu, 7 May 2020 16:19:11 +0200 Matthias Andree 
 wrote:

> https://sourceforge.net/p/bogofilter/bugs/116/#52a0
>
> i. e. this was fixed 91 commits before bogofilter-1.2.5.rc1. I don't
> know if the commit (Git cd33fc00802a75fe7b3b8a967bf879f7bc33c320) works
> standalone or only in context, and I'm not researching this because for
> me as upstream maintainer, this is done with the 1.2.5 release.
>
> => I think someone should package 1.2.5 for sid/unstable... more than
> half a year after its release.


I'm still seeing these errors 6 months later. Is something preventing it 
from being pushed on buster?



Best regards,

--
Maxime Arthaud



Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size

2020-05-07 Thread Matthias Andree
https://sourceforge.net/p/bogofilter/bugs/116/#52a0

i. e. this was fixed 91 commits before bogofilter-1.2.5.rc1. I don't
know if the commit (Git cd33fc00802a75fe7b3b8a967bf879f7bc33c320) works
standalone or only in context, and I'm not researching this because for
me as upstream maintainer, this is done with the 1.2.5 release.

=> I think someone should package 1.2.5 for sid/unstable... more than
half a year after its release.



Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size

2016-07-14 Thread Leonardo Boiko
Package: bogofilter
Version: 1.2.4+dfsg1-6
Followup-For: Bug #733622

I confirm this bug on jessie (1.2.4+dfsg1-3), and also in the current sid
version (1.2.4+dfsg1-6), on amd64.

I think my previous report wasn't delivered due to annexing a sample spam
message, so instead I'm linking it:
https://namakajiri.net/misc/breaks_bogofilter.spam.eml

Here's the behavior I get:

$ bogofilter -p < breaks_bogofilter.spam.eml

*** Error in `bogofilter': realloc(): invalid next size: 0x7f70697dad60 ***
Aborted

# no problems detected with wordlist.db, which includes both spam and
# ham tokens.
$ bogoutil --db-verify ~/.bogofilter/wordlist.db
# success.

# a brand-new db still triggers the bug.

The spam is base64-encoded HTML email, like most.  I got it from postcat(1),
after finding the realloc() messages in mail.log.   Spamassassin, Rspamd etc.
handle it just fine:

$ spamc --full < breaks_bogofilter.spam.txt

[...]
Content preview:  Netshoes.com.br Caso não consiga visualizar as imagens selecione
   "Sempre mostrar conteúdo" ou Acesse esse link. Você, que é cadastrado no

[...]
Content analysis details:   (8.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.9 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: descontocomqualidade.com.br]
 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
[...]



-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bogofilter depends on:
ii  bogofilter-bdb [bogofilter-db]  1.2.4+dfsg1-6
ii  bogofilter-common   1.2.4+dfsg1-6

bogofilter recommends no packages.

bogofilter suggests no packages.

-- no debconf information



Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size

2016-03-13 Thread Mathieu GOULIN

Good news,

On Debian sid there is no problem.

root@b484630d40e2:~/bogofilter-1.2.4/src# ./bogofilter -v -u -I mbox.PB
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.52, version=1.2.4


On Wed, 22 Oct 2014 14:49:12 +0200 Mathieu Goulin 
 wrote:

> Hi,
>
> I'm able to reproduce the bug with the trunk version of bogofilter. It
> seems to be a problem in memory management when converting strings to UTF-8.
>
> When I build bogofilter with configure option "--disable-unicode",
> bogofilter doesn't crash.
>
> *The result with gdb:*
> *** Error in `/root/bogofilter-code/bogofilter/src/bogofilter': realloc():
> invalid next size: 0x00662e50 ***
>
> Program received signal SIGABRT, Aborted.
> 0x76d3d077 in __GI_raise (sig=sig@entry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> #0 0x76d3d077 in __GI_raise (sig=sig@entry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1 0x76d3e458 in __GI_abort () at abort.c:89
> #2 0x76d7afb4 in __libc_message (do_abort=do_abort@entry=1,
> fmt=fmt@entry=0x76e6dbc0 "*** Error in `%s': %s: 0x%s ***\n") at
> ../sysdeps/posix/libc_fatal.c:175
> #3 0x76d8078e in malloc_printerr (action=1, str=0x76e69d82
> "realloc(): invalid next size", ptr=<optimized out>) at malloc.c:4996
> #4 0x76d8356b in _int_realloc (av=av@entry=0x770aa620
> <main_arena>, oldp=oldp@entry=0x662e40, oldsize=oldsize@entry=32928,
> nb=nb@entry=32976) at malloc.c:4234
> #5 0x76d84569 in __GI___libc_realloc (oldmem=0x662e50,
> bytes=32968) at malloc.c:3029
> #6 0x0040a830 in yyrealloc (size=<optimized out>, ptr=<optimized out>) at lexer_v3.c:4044
> #7 yy_get_next_buffer () at lexer_v3.c:3204
> #8 yylex () at lexer_v3.c:3005
> #9 0x0040f5ca in parse_new_token (token=0x7fffead0) at
> token.c:206
> #10 get_token (token=token@entry=0x7fffead0) at token.c:153
> #11 0x00405f31 in collect_words (wh=wh@entry=0x63e740) at
> collect.c:48
> #12 0x004029e6 in bogofilter (argc=argc@entry=0, argv=<optimized out>) at bogofilter.c:97
> #13 0x00404957 in bogomain (argc=argc@entry=4,
> argv=argv@entry=0x7fffec88)
> at bogomain.c:67
> #14 0x004027a4 in main (argc=4, argv=0x7fffec88) at main.c:31
>
>
> *The result with valgrind :*
>
> ==4663== Invalid write of size 1
> ==4663== at 0x5B8815C: internal_utf8_loop (loop.c:331)
> ==4663== by 0x5B8815C: __gconv_transform_internal_utf8 (skeleton.c:611)
> ==4663== by 0x5B88D98: __gconv_transform_utf8_internal (skeleton.c:674)
> ==4663== by 0x5B83DB9: __gconv (gconv.c:79)
> ==4663== by 0x5B83358: iconv (iconv.c:52)
> ==4663== by 0x41BFC7: convert (iconvert.c:91)
> ==4663== by 0x41C1DD: iconvert (iconvert.c:196)
> ==4663== by 0x409977: get_decoded_line (lexer.c:226)
> ==4663== by 0x409C19: yyinput (lexer.c:327)
> ==4663== by 0x40BE46: yy_get_next_buffer (lexer_v3.c:3176)



Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size

2014-10-22 Thread Mathieu Goulin
Hi,

I'm able to reproduce the bug with the trunk version of bogofilter. It
seems to be a problem in memory management when converting strings to UTF-8.

When I build bogofilter with configure option --disable-unicode,
bogofilter doesn't crash.

*The result with gdb:*
*** Error in `/root/bogofilter-code/bogofilter/src/bogofilter': realloc(): invalid next size: 0x00662e50 ***

Program received signal SIGABRT, Aborted.
0x76d3d077 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x76d3d077 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x76d3e458 in __GI_abort () at abort.c:89
#2  0x76d7afb4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x76e6dbc0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x76d8078e in malloc_printerr (action=1, str=0x76e69d82 "realloc(): invalid next size", ptr=<optimized out>) at malloc.c:4996
#4  0x76d8356b in _int_realloc (av=av@entry=0x770aa620 <main_arena>, oldp=oldp@entry=0x662e40, oldsize=oldsize@entry=32928, nb=nb@entry=32976) at malloc.c:4234
#5  0x76d84569 in __GI___libc_realloc (oldmem=0x662e50, bytes=32968) at malloc.c:3029
#6  0x0040a830 in yyrealloc (size=<optimized out>, ptr=<optimized out>) at lexer_v3.c:4044
#7  yy_get_next_buffer () at lexer_v3.c:3204
#8  yylex () at lexer_v3.c:3005
#9  0x0040f5ca in parse_new_token (token=0x7fffead0) at token.c:206
#10 get_token (token=token@entry=0x7fffead0) at token.c:153
#11 0x00405f31 in collect_words (wh=wh@entry=0x63e740) at collect.c:48
#12 0x004029e6 in bogofilter (argc=argc@entry=0, argv=<optimized out>) at bogofilter.c:97
#13 0x00404957 in bogomain (argc=argc@entry=4, argv=argv@entry=0x7fffec88) at bogomain.c:67
#14 0x004027a4 in main (argc=4, argv=0x7fffec88) at main.c:31


*The result with valgrind :*

==4663== Invalid write of size 1
==4663==    at 0x5B8815C: internal_utf8_loop (loop.c:331)
==4663==    by 0x5B8815C: __gconv_transform_internal_utf8 (skeleton.c:611)
==4663==    by 0x5B88D98: __gconv_transform_utf8_internal (skeleton.c:674)
==4663==    by 0x5B83DB9: __gconv (gconv.c:79)
==4663==    by 0x5B83358: iconv (iconv.c:52)
==4663==    by 0x41BFC7: convert (iconvert.c:91)
==4663==    by 0x41C1DD: iconvert (iconvert.c:196)
==4663==    by 0x409977: get_decoded_line (lexer.c:226)
==4663==    by 0x409C19: yyinput (lexer.c:327)
==4663==    by 0x40BE46: yy_get_next_buffer (lexer_v3.c:3176)
==4663==    by 0x40BA71: yylex (lexer_v3.c:3005)
==4663==    by 0x413D5A: parse_new_token (token.c:206)
==4663==    by 0x413BB2: get_token (token.c:153)
==4663==  Address 0x6211390 is 16 bytes after a block of size 32,976 in arena client

Regards,
-- Mathieu Goulin
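The valgrind output above places the one-byte out-of-bounds write inside glibc's own UTF-8 conversion loop, reached from bogofilter's convert() in iconvert.c. iconv(3) writes only into the space the caller advertises through outbytesleft, so an "Invalid write" at that point is the signature of a caller whose advertised count was larger than the space actually left in its buffer, a mismatch that is easy to introduce once the buffer is reallocated or its size is tracked separately from its pointer. The thread does not state what bogofilter's actual defect was, and the fix is only referenced by commit id. What follows is an added example, not bogofilter's code, of the pattern that keeps the two in step: the hypothetical helper to_utf8() converts a byte string to UTF-8, recomputes the output cursor and the remaining count from the live allocation before every iconv call, grows the buffer on E2BIG, stops cleanly on an incomplete trailing sequence (EINVAL, the case a line-at-a-time reader such as get_decoded_line has to expect) and fails on an illegal sequence (EILSEQ). The UTF-16LE sample input in main() is constructed for the example. It builds with plain gcc against glibc or musl, where iconv lives in libc.

```c
/* Added example (not bogofilter's code): driving iconv(3) with a growable
 * output buffer whose advertised free space always equals the space that is
 * really left in the allocation. to_utf8() is a hypothetical helper name. */
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Converts `inlen` bytes of `in` (encoding `from`) to NUL-terminated UTF-8.
 * Returns a malloc'd string, or NULL on allocation failure, unknown encoding,
 * or an illegal byte sequence (EILSEQ).
 * *outlen:   bytes of UTF-8 produced, excluding the NUL.
 * *consumed: input bytes converted. Smaller than inlen only when the input
 *            stops inside a multibyte sequence (EINVAL); a caller feeding
 *            data line by line should carry that tail over to the next call
 *            instead of treating it as an error. */
char *to_utf8(const char *from, const char *in, size_t inlen,
              size_t *outlen, size_t *consumed)
{
    iconv_t cd = iconv_open("UTF-8", from);
    if (cd == (iconv_t)-1)
        return NULL;

    size_t cap = inlen + 16;            /* initial guess; grown on E2BIG */
    char *out = malloc(cap);
    if (out == NULL) {
        iconv_close(cd);
        return NULL;
    }

    char *inp = (char *)in;             /* glibc's iconv() takes char ** */
    size_t inleft = inlen;
    size_t used = 0;

    for (;;) {
        /* Recompute both output cursors from the current allocation on every
         * pass: after a realloc the old pointer is stale, and `outleft` must
         * never exceed what is actually left in the block. */
        char *outp = out + used;
        size_t outleft = cap - used;
        size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
        used = cap - outleft;
        if (rc != (size_t)-1)
            break;                      /* whole input converted */
        if (errno == E2BIG) {           /* output buffer full: grow, retry */
            size_t newcap = cap * 2;
            char *grown = realloc(out, newcap);
            if (grown == NULL) {
                free(out);
                iconv_close(cd);
                return NULL;
            }
            out = grown;
            cap = newcap;
            continue;
        }
        if (errno == EINVAL)
            break;                      /* incomplete trailing sequence: stop cleanly */
        free(out);                      /* EILSEQ or anything unexpected */
        iconv_close(cd);
        return NULL;
    }
    iconv_close(cd);

    if (used == cap) {                  /* make room for the terminating NUL */
        char *grown = realloc(out, cap + 1);
        if (grown == NULL) {
            free(out);
            return NULL;
        }
        out = grown;
    }
    out[used] = '\0';
    *outlen = used;
    *consumed = inlen - inleft;
    return out;
}

int main(void)
{
    /* Constructed sample: "ãA" encoded as UTF-16LE (4 bytes). */
    const char sample[] = "\xe3\x00\x41\x00";
    size_t n = 0, used = 0;
    char *s = to_utf8("UTF-16LE", sample, sizeof sample - 1, &n, &used);
    if (s == NULL) {
        fputs("conversion failed\n", stderr);
        return 1;
    }
    printf("%zu input bytes -> %zu UTF-8 bytes: %s\n", used, n, s);
    free(s);
    return 0;
}
```

The point of the loop is that `outp` and `outleft` are derived from `out`, `used` and `cap` immediately before each call and thrown away afterwards; nothing about the output buffer survives a realloc except those three values, so the count iconv is given can never drift from the allocation. Running the program under valgrind is a cheap regression check for this class of bug, since any mismatch shows up as exactly the "Invalid write ... internal_utf8_loop" report seen in the thread.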