bogofilter-sa-2005-01

一个C语言写的快速贝叶斯垃圾邮件过滤工具

bogofilter-SA-2005-01

Topic:		heap buffer overrun in bogofilter/bogolexer 0.93.5 - 0.96.2

Announcement:	bogofilter-SA-2005-01
Writer:		Matthias Andree
Version:	1.00
CVE ID:		CVE-2005-4591
Announced:	2006-01-02
Category:	vulnerability
Type:		buffer overrun through malformed input
Impact:		heap corruption, application crash
Credits:	David Relson, Clint Adams
Danger:		medium
URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01

Affected:	bogofilter 0.96.2
		bogofilter 0.95.2
		bogofilter 0.94.14
		bogofilter 0.94.12
		all "current" versions from 0.93.5 to 0.96.2 inclusively
		CVS between 2005-01-09T17:32Z and 2005-10-22T00:51Z
		CVS between 2005-12-31T10:22Z and 2005-12-31T12:45Z

Not affected:	bogofilter 0.96.3 "current" (released 2005-10-26)
		bogofilter 0.96.6           (released 2005-11-19)
		bogofilter 1.0.0            (released 2005-12-01)
		bogofilter 1.0.1            (released 2006-01-01)

1. Background
=============

Bogofilter is a software package for classifying a message as spam or
non-spam.  It uses a data base to store words and must be trained
which messages are spam and non-spam. It uses the probabilities of
individual words for classifying the message.

Note that the bogofilter project is issuing security announcements only
for current "stable" releases, and not necessarily for past "stable"
releases.

2. Problem description
======================

When using Unicode databases (default in more recent bogofilter
installations), upon encountering invalid input sequences, bogofilter or
bogolexer could overrun a malloc()'d buffer, corrupting the heap, while
converting character sets. Bogofilter would usually be processing
untrusted data received from the network at that time.

This problem was aggravated by an unrelated bug that made bogofilter
process binary attachments as though they were text, and attempt charset
conversion on them.  Given the MIME default character set, US-ASCII, all
input octets in the range 0x80...0xff were considered invalid input
sequences and could trigger the heap corruption.

The faulty code was first released with bogofilter "current" 0.93.5,
initially under the aegis of "./configure --enable-iconv", which was
later renamed "--enable-unicode" and enabled by default.

3. Impact
=========

Vulnerable bogofilter and bogolexer applications corrupt their heap and
crash. The consequences are dependent on the local configuration which
is up to the user; in common configurations, messages would be placed
back in the mail queue and ultimately be returned to the sender when the
mail queue lifetime expired, or they might be processed as though
bogofilter had classified them as "ham".

The bogofilter maintainers are not aware of exploits against this
vulnerability in the wild.

4. Solution
===========

Upgrade your bogofilter to version 1.0.1 (or a newer release).

bogofilter is available from SourceForge:

<https://sourceforge.net/project/showfiles.php?group_id=62265>

A. Copyright, License and Warranty
==================================

(C) Copyright 2005 - 2006 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of bogofilter-SA-2005-01