Spamprobe segfaults on bad mime input

Bug #85033 reported by Jakob Østergaard
Affects              Status        Importance  Assigned to  Milestone
spamprobe (Ubuntu)   Fix Released  Undecided   Unassigned
Dapper               Invalid       Undecided   Unassigned

Bug Description

Binary package hint: spamprobe

In version 1.2a-1 from Ubuntu (and vanilla 1.2a) spamprobe can segfault on certain Mime input.

The bug is in MimeDecoder.cc, around line 88:
 unsigned int index = (unsigned)ch;
 if (BASE64_CHARS[index] >= 0) {

ch is a signed char. If ch is negative, the (unsigned) cast will first zero-extend the negative char to a negative int, and thereafter treat it as unsigned, causing 'index' to be a very very large integer. BASE64_CHARS only holds 256 entries and using 'index' as index in this array causes the segfault.

The proper fix is to write:
 unsigned int index = (unsigned char)ch;
 if (BASE64_CHARS[index] >= 0) {

This completely fixes the problem.

Please note that spamprobe version 1.4 contains another fix for this problem which, in my opinion, is overly convoluted and only fixes the real problem "by accident". I would recommend that the simple solution above is added to the Ubuntu 1.2a spamprobe package.
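
The conversion the report describes, as an added C example that is not part of the bug report or of spamprobe's source: a constructed 256-entry table stands in for BASE64_CHARS, the original (unsigned) cast sits beside the (unsigned char) fix, and a checked lookup shows what refusing an out-of-range index looks like. The parameter is declared signed char so the result does not depend on the platform's char signedness.

```c
/* Constructed lookup table in the style of BASE64_CHARS (not spamprobe's
 * own table): 256 entries, the 6-bit value for alphabet bytes, -1 otherwise. */
static signed char base64_table[256];
static int table_ready = 0;

static void init_table(void)
{
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    for (int i = 0; i < 256; i++)
        base64_table[i] = -1;
    for (int i = 0; alphabet[i] != '\0'; i++)
        base64_table[(unsigned char)alphabet[i]] = (signed char)i;
    table_ready = 1;
}

/* The original cast: a negative signed char is promoted (sign-extended) to
 * int first, so the conversion to unsigned yields a value near UINT_MAX
 * instead of a byte value in 128..255. */
unsigned int index_buggy(signed char ch)
{
    return (unsigned)ch;
}

/* The fix from the report: convert to unsigned char first, then widen,
 * so every possible byte maps into 0..255. */
unsigned int index_fixed(signed char ch)
{
    return (unsigned char)ch;
}

/* Table lookup with the fix applied; returns -1 for any non-alphabet byte,
 * including high bytes (>= 0x80) that appear in malformed MIME bodies. */
int base64_value(signed char ch)
{
    if (!table_ready) init_table();
    unsigned int index = index_fixed(ch);
    return base64_table[index];
}

/* Defensive variant: reject any index outside the table rather than
 * dereference it; with the buggy index this returns -1 instead of crashing. */
int base64_value_checked(unsigned int index)
{
    if (!table_ready) init_table();
    if (index >= sizeof base64_table)
        return -1;
    return base64_table[index];
}
```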

Revision history for this message
Dan O'Huiginn (daniel-ohuiginn) wrote :

Thanks for this report, and your proposed fix.

Version 1.4 of spamprobe is in edgy and feisty. If you feel this vitally needs to be fixed in Dapper you can try requesting a backport by following the process at https://help.ubuntu.com/community/UbuntuBackports, to get version 1.4 backported to Dapper. However, I'm not sure this would meet the criteria laid out there.

If you'd like to change the 1.4 code to use your fix, you'll need to raise the issue with the upstream developers.

Changed in spamprobe:
status: Unconfirmed → Rejected
Revision history for this message
Jakob Østergaard (joe-evalesco) wrote :

Thank you for the reply!

I think you misunderstood my intentions. I guess I confused matters by pointing to the broken fix in 1.4. Let's forget everything about 1.4, Edgy and Feisty, and start over :)

This is the problem:
 Version 1.2a currently shipped with Dapper will segfault on bad mime input.

This is the impact:
 Anyone can DoS a mail system running Dapper and Spamprobe by sending bad mime data (the mailer will, in common setups, queue the message that caused the segfault and re-try the delivery to spamprobe for a long long time).

This is the solution:
 I sent a patch which fixes 1.2a.

Can we include that solution (or any other solution) so that 1.2a in Dapper works?

Revision history for this message
Dan O'Huiginn (daniel-ohuiginn) wrote :

Thanks again, Jakob, and sorry for the confusion. I'm subscribing the backports team to this, to see whether they consider this important enough to get fixed in dapper. To do that, we would have to either:

1) get a backport of the version currently in feisty (1.4). This will make it available for any Dapper users who have enabled the backports repository

or 2) make a Stable Release Update, based on your patch. This will make it available to all users.

The rules for Stable Release Updates are pretty strict (see https://wiki.ubuntu.com/StableReleaseUpdates):

Stable release updates will, in general, only be issued in order to fix high-impact bugs. Examples of such bugs include:
    * Bugs which may, under realistic circumstances, directly cause a security vulnerability
    * Bugs which represent severe regressions from the previous release of Ubuntu
    * Bugs which may, under realistic circumstances, directly cause a loss of user data

Changed in spamprobe:
status: Rejected → Unconfirmed
Revision history for this message
Sarah Kowalik (hobbsee-deactivatedaccount) wrote :

marking as only affecting dapper - everything else has 1.4*

Changed in spamprobe:
status: New → Fix Released
Revision history for this message
JC Hulce (soaringsky) wrote :

Thank you for reporting this bug to Ubuntu. The version of Ubuntu referenced in this issue has reached end of life, and the issue is fixed in newer versions of Ubuntu. Therefore, I am closing the Dapper task.
Please see this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

Changed in spamprobe (Ubuntu Dapper):
status: New → Invalid