rpms/bogofilter
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Applied 11 patches from Georg Sauthoff (#1676460)

Browse Source
This commit is contained in:
Adrian Reber 2019-02-13 09:12:49 +01:00
parent f4b8b6f1d0
commit 5055f4fee0
Failed to extract signature
12 changed files with 541 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
0001-Fix-memory-leak-when-creating-a-new-bdb-file-125.patch Normal file
View File

@ -0,0 +1,50 @@
From 861b6c058b36fafefcdca21be180fa44046db4a0 Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Mon, 11 Feb 2019 10:01:14 +0100
Subject: [PATCH 01/11] Fix memory leak when creating a new bdb file (#125)
cf. https://sourceforge.net/p/bogofilter/bugs/125/
---
src/datastore_db.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/datastore_db.c b/src/datastore_db.c
index 4b58462..d0bcfa1 100644
--- a/src/datastore_db.c
+++ b/src/datastore_db.c
@@ -630,13 +630,30 @@ retry_db_open:
if (ret != 0) {
err = (ret != ENOENT) || (opt_flags == DB_RDONLY);
if (!err) {
- if (
+ ret =
#if DB_EQUAL(4,1)
- (ret = DB_SET_FLAGS(dbp, DB_CHKSUM_SHA1)) != 0 ||
+ (DB_SET_FLAGS(dbp, DB_CHKSUM_SHA1)) != 0 ||
#endif
#if DB_AT_LEAST(4,2)
(ret = DB_SET_FLAGS(dbp, DB_CHKSUM)) != 0 ||
#endif
+ 0;
+ if (!ret) {
+ dbp->close(dbp, 0);
+ if ((ret = db_create (&dbp, dbe, 0)) != 0) {
+ print_error(__FILE__, __LINE__, "(db) db_create, err: %d, %s",
+ ret, db_strerror(ret));
+ goto open_err;
+ }
+ handle->dbp = dbp;
+#ifdef ENABLE_MEMDEBUG
+ if (eTransaction == T_DISABLED)
+ dbp->set_alloc(dbp, md_malloc, md_realloc, md_free);
+ else
+ dbe->set_alloc(dbe, md_malloc, md_realloc, md_free);
+#endif
+ }
+ if (ret ||
(ret = DB_OPEN(dbp, bfp, NULL, dbtype, opt_flags | DB_CREATE | DB_EXCL | retryflag, DS_MODE)))
err = true;
if (!err)
--
2.20.1

30
0002-Fix-out-of-bounds-read-in-spanword-126.patch Normal file
View File

@ -0,0 +1,30 @@
From 63317a12e89040badf0cc82d82a8b6f64703cd6d Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Mon, 11 Feb 2019 10:02:21 +0100
Subject: [PATCH 02/11] Fix out-of-bounds read in spanword (#126)
cf. https://sourceforge.net/p/bogofilter/bugs/126/
---
src/wordlists.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/wordlists.c b/src/wordlists.c
index 735af34..a5d529e 100644
--- a/src/wordlists.c
+++ b/src/wordlists.c
@@ -307,8 +307,10 @@ static char *spanword(char *p)
{
const char *delim = ", \t";
p += strcspn(p, delim); /* skip to end of word */
- *p++ = '\0';
- p += strspn(p, " \t"); /* skip trailing whitespace */
+ if (*p) {
+ *p++ = '\0';
+ p += strspn(p, " \t"); /* skip trailing whitespace */
+ }
return p;
}
--
2.20.1

35
0003-Fix-memory-leak-already-fixed-in-trunk.patch Normal file
View File

@ -0,0 +1,35 @@
From 1e4e4d2ea197c89c2f441a87d62e397f0e139f2e Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Mon, 11 Feb 2019 10:03:20 +0100
Subject: [PATCH 03/11] Fix memory leak (already fixed in trunk)
cf. https://sourceforge.net/p/bogofilter/code/HEAD/tree/trunk/bogofilter/src/wordlists.c#l360
---
src/wordlists.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/wordlists.c b/src/wordlists.c
index a5d529e..717dc80 100644
--- a/src/wordlists.c
+++ b/src/wordlists.c
@@ -329,7 +329,8 @@ bool configure_wordlist(const char *val)
char* filename;
int precedence;
- char *tmp = xstrdup(val);
+ char *t = xstrdup(val);
+ char *tmp = t;
ch= tmp[0]; /* save wordlist type (good/spam) */
tmp = spanword(tmp);
@@ -357,6 +358,7 @@ bool configure_wordlist(const char *val)
(void)spanword(tmp);
init_wordlist(listname, filename, precedence, type);
+ xfree(t);
return true;
}
--
2.20.1

46
0004-Fix-msg-id-out-of-bounds-read-118.patch Normal file
View File

@ -0,0 +1,46 @@
From 7f4fbcb3a52aa5b0b83aef57bddb33fdd9d5b82e Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 10:50:40 +0100
Subject: [PATCH 04/11] Fix msg-id out-of-bounds read (#118)
cf. https://sourceforge.net/p/bogofilter/bugs/118/
---
src/token.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/token.c b/src/token.c
index 3ac43c1..686ddd0 100644
--- a/src/token.c
+++ b/src/token.c
@@ -33,6 +33,7 @@ AUTHOR:
word_t *msg_addr; /* First IP Address in Received: statement */
word_t *msg_id; /* Message ID */
+static size_t max_msg_id_len;
word_t *queue_id; /* Message's first queue ID */
static token_t save_class = NONE;
@@ -573,7 +574,8 @@ void token_init(void)
msg_addr = word_new( NULL, max_token_len );
/* Message ID */
- msg_id = word_new( NULL, max_token_len * 3 );
+ max_msg_id_len = max_token_len * 3;
+ msg_id = word_new( NULL, max_msg_id_len );
/* Message's first queue ID */
queue_id = word_new( NULL, max_token_len );
@@ -667,8 +669,8 @@ void set_tag(const char *text)
void set_msg_id(byte *text, uint leng)
{
- (void) leng; /* suppress compiler warning */
- token_set( msg_id, text, msg_id->leng );
+ uint n = min(leng, max_msg_id_len);
+ token_set( msg_id, text, n );
}
#define WFREE(n) word_free(n); n = NULL
--
2.20.1

26
0005-Fix-mime-cleanup-memory-leak-119.patch Normal file
View File

@ -0,0 +1,26 @@
From 9b9f5113d9fa4292f769f416d824e42a40a57c6f Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 10:52:08 +0100
Subject: [PATCH 05/11] Fix mime cleanup memory leak (#119)
cf. https://sourceforge.net/p/bogofilter/bugs/119/
---
src/mime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mime.c b/src/mime.c
index 8edaebf..8964b1a 100644
--- a/src/mime.c
+++ b/src/mime.c
@@ -204,7 +204,7 @@ void mime_cleanup()
if (msg_state == NULL)
return;
- while (mime_stack_top->parent)
+ while (msg_state->parent)
mime_pop();
mime_pop();
msg_state = NULL;
--
2.20.1

27
0006-Fix-fgetsl-abort-120.patch Normal file
View File

@ -0,0 +1,27 @@
From 76f398b072a805f02dc057eb896391c6ad63a78a Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 10:53:53 +0100
Subject: [PATCH 06/11] Fix fgetsl abort (#120)
https://sourceforge.net/p/bogofilter/bugs/120/
---
src/fgetsl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/fgetsl.c b/src/fgetsl.c
index 630585f..166246f 100644
--- a/src/fgetsl.c
+++ b/src/fgetsl.c
@@ -26,6 +26,9 @@ int xfgetsl(char *buf, int max_size, FILE *in, bool no_nul_terminate)
char *end = buf + max_size; /* Physical end of buffer */
char *fin = end - (no_nul_terminate ? 0 : 1); /* Last available byte */
+ if (cp == fin && no_nul_terminate)
+ return 0;
+
if (cp >= fin) {
fprintf(stderr, "Invalid buffer size, exiting.\n");
abort();
--
2.20.1

69
0007-Fix-gconv-assert-overlap-buffers-121.patch Normal file
View File

@ -0,0 +1,69 @@
From 4ebbd6a1c3bcf5a1240413d1447ecf2f1699fc7b Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 10:54:46 +0100
Subject: [PATCH 07/11] Fix gconv assert overlap buffers (#121)
cf. https://sourceforge.net/p/bogofilter/bugs/121/
---
src/iconvert.c | 7 ++++++-
src/lexer.c | 4 +++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/iconvert.c b/src/iconvert.c
index 731ce03..14585b4 100644
--- a/src/iconvert.c
+++ b/src/iconvert.c
@@ -31,7 +31,7 @@ AUTHOR:
#include <stdlib.h>
#include <errno.h>
-
+#include <assert.h>
#include "buff.h"
#include "iconvert.h"
@@ -163,6 +163,9 @@ static void convert(iconv_t xd, buff_t *restrict src, buff_t *restrict dst)
break;
default:
+ // Linux man page states that other error codes may occur
+ // thus, safer to leave that loop on unknown error, right?
+ done = true;
break;
}
}
@@ -190,6 +193,7 @@ static void copy(buff_t *restrict src, buff_t *restrict dst)
void iconvert(buff_t *restrict src, buff_t *restrict dst)
{
+ assert(src->t.u.text != dst->t.u.text);
if (cd == NULL)
copy(src, dst);
else
@@ -198,6 +202,7 @@ void iconvert(buff_t *restrict src, buff_t *restrict dst)
void iconvert_cd(iconv_t xd, buff_t *restrict src, buff_t *restrict dst)
{
+ assert(src->t.u.text != dst->t.u.text);
if (xd == (iconv_t)-1)
copy(src, dst);
else
diff --git a/src/lexer.c b/src/lexer.c
index ba58d25..0e3e7c7 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -231,8 +231,10 @@ static int get_decoded_line(buff_t *buff)
* a message truncation which we try to avoid by simply
* returning the original input buffer (which has positive
* length) instead. */
- if(buff->t.leng == 0)
+ if(buff->t.leng == 0) {
memcpy(buff, linebuff, sizeof(*buff));
+ *linebuff = (const buff_t){0};
+ }
/*
* iconvert, treating multi-byte sequences, can shrink or enlarge
--
2.20.1

25
0008-Fix-out-of-bounds-read-already-fixed-upstream.patch Normal file
View File

@ -0,0 +1,25 @@
From 8f8973aeecd4c3a34efce5cd0a23287cadaf439f Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 11:20:19 +0100
Subject: [PATCH 08/11] Fix out-of-bounds read (already fixed upstream)
cf. https://sourceforge.net/p/bogofilter/code/HEAD/tree/trunk/bogofilter/src/lexer.c#l144
---
src/lexer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lexer.c b/src/lexer.c
index 0e3e7c7..63bd4cb 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -140,6 +140,7 @@ static int yy_get_new_line(buff_t *buff)
&& count != EOF
/* don't skip if inside message/rfc822 */
&& msg_state->parent == NULL
+ && buff->t.leng >= hdrlen
&& memcmp(buff->t.u.text,spam_header_name,hdrlen) == 0) {
count = skip_folded_line(buff);
}
--
2.20.1

74
0009-Fix-buffer-overflow-in-add_buff-122.patch Normal file
View File

@ -0,0 +1,74 @@
From 25412109321aa575647f21b7b8b9f11634071f26 Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 14:57:51 +0100
Subject: [PATCH 09/11] Fix buffer overflow in add_buff (#122)
cf. https://sourceforge.net/p/bogofilter/bugs/122/
---
src/buff.c | 2 +-
src/lexer.c | 10 +++++++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/buff.c b/src/buff.c
index 5342cd2..c325945 100644
--- a/src/buff.c
+++ b/src/buff.c
@@ -58,7 +58,7 @@ int buff_add(buff_t *self, word_t *in)
int readcnt = in->leng;
uint new_size = self->t.leng + in->leng;
if (new_size > self->size) {
- self->t.u.text = xrealloc(self->t.u.text, new_size);
+ self->t.u.text = xrealloc(self->t.u.text, new_size + D);
self->size = new_size;
}
self->read = readpos;
diff --git a/src/lexer.c b/src/lexer.c
index 63bd4cb..60692b6 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -152,12 +152,14 @@ static int get_decoded_line(buff_t *buff)
{
int count;
buff_t *linebuff;
+ // since msg_state might change during calls
+ bool mime_dont_decode = msg_state->mime_dont_decode;
#ifdef DISABLE_UNICODE
linebuff = buff;
#else
if (encoding == E_RAW ||
- msg_state->mime_dont_decode ) {
+ mime_dont_decode ) {
linebuff = buff;
}
else {
@@ -180,6 +182,8 @@ static int get_decoded_line(buff_t *buff)
}
#endif
+ // note that this call might invoke got_mimeboundary() thus
+ // changing the global msg_state variable
count = yy_get_new_line(linebuff);
if (count == EOF) {
@@ -200,7 +204,7 @@ static int get_decoded_line(buff_t *buff)
textblock_add(linebuff->t.u.text+linebuff->read, (size_t) count);
if ( !msg_header &&
- !msg_state->mime_dont_decode &&
+ !mime_dont_decode &&
msg_state->mime_type != MIME_TYPE_UNKNOWN)
{
word_t temp;
@@ -221,7 +225,7 @@ static int get_decoded_line(buff_t *buff)
#ifndef DISABLE_UNICODE
if (encoding == E_UNICODE &&
- !msg_state->mime_dont_decode &&
+ !mime_dont_decode &&
count > 0)
{
iconvert(linebuff, buff);
--
2.20.1

89
0010-Fix-fill_buf-heap-buffer-overflow-123.patch Normal file
View File

@ -0,0 +1,89 @@
From db3f056da3b16afa09bf807c717664689d35bdcb Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 19:12:29 +0100
Subject: [PATCH 10/11] Fix fill_buf heap-buffer-overflow (#123)
cf. https://sourceforge.net/p/bogofilter/bugs/123/
---
src/lexer.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/lexer.c b/src/lexer.c
index 60692b6..b7b4b3b 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -11,6 +11,7 @@
#include <ctype.h>
#include <stdlib.h>
+#include <assert.h>
#include "base64.h"
#include "bogoconfig.h"
@@ -234,18 +235,16 @@ static int get_decoded_line(buff_t *buff)
* no more bytes left to read, even though before the iconvert
* call we had a positive number of bytes. This *will* lead to
* a message truncation which we try to avoid by simply
- * returning the original input buffer (which has positive
- * length) instead. */
+ * returning another in-band error code. */
if(buff->t.leng == 0) {
- memcpy(buff, linebuff, sizeof(*buff));
- *linebuff = (const buff_t){0};
+ count = -2;
+ } else {
+ /*
+ * iconvert, treating multi-byte sequences, can shrink or enlarge
+ * the output compared to its input. Correct count.
+ */
+ count = buff->t.leng;
}
-
- /*
- * iconvert, treating multi-byte sequences, can shrink or enlarge
- * the output compared to its input. Correct count.
- */
- count = buff->t.leng;
}
#endif
@@ -299,7 +298,9 @@ int buff_fill(buff_t *buff, size_t used, size_t need)
while (size - leng > 2 && need > leng - used) {
/* too few, read more */
int add = get_decoded_line(buff);
+ // get_decoded_line never returns EOF!?!
if (add == EOF) return EOF;
+ if (add == -2) continue;
if (add == 0) break ;
cnt += add;
leng += add;
@@ -332,8 +333,8 @@ int yyinput(byte *buf, size_t used, size_t size)
*/
while ((cnt = get_decoded_line(&buff)) != 0) {
-
- count += cnt;
+ if (cnt > 0)
+ count += cnt;
/* Note: some malformed messages can cause xfgetsl() to report
** "Invalid buffer size, exiting." and then abort. This
@@ -365,6 +366,7 @@ int yyinput(byte *buf, size_t used, size_t size)
if (msg_state &&
msg_state->mime_dont_decode &&
(msg_state->mime_disposition != MIME_DISPOSITION_UNKNOWN)) {
+ assert(count <= (int)size);
return (count == EOF ? 0 : count); /* not decode at all */
}
@@ -386,6 +388,7 @@ int yyinput(byte *buf, size_t used, size_t size)
if (DEBUG_LEXER(2))
fprintf(dbgout, "*** yyinput(\"%-.*s\", %lu, %lu) = %d\n", count, buf, (unsigned long)used, (unsigned long)size, count);
+ assert(count <= (int)size);
return (count == EOF ? 0 : count);
}
--
2.20.1

34
0011-Fix-buffer-overflow-after-long-tokens-124.patch Normal file
View File

@ -0,0 +1,34 @@
From 452cfd60f89c9258f97af16b9c3496aa1aa293b0 Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 23:25:41 +0100
Subject: [PATCH 11/11] Fix buffer-overflow after long tokens (#124)
cf. https://sourceforge.net/p/bogofilter/bugs/124/
---
src/lexer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lexer.c b/src/lexer.c
index b7b4b3b..77a88d4 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -260,6 +260,7 @@ static int get_decoded_line(buff_t *buff)
byte *buf = buff->t.u.text;
if (memcmp(buf + count - 2, CRLF, 2) == 0) {
count --;
+ --buff->t.leng;
*(buf + count - 1) = (byte) '\n';
}
}
@@ -334,7 +335,7 @@ int yyinput(byte *buf, size_t used, size_t size)
while ((cnt = get_decoded_line(&buff)) != 0) {
if (cnt > 0)
- count += cnt;
+ count = buff.t.leng;
/* Note: some malformed messages can cause xfgetsl() to report
** "Invalid buffer size, exiting." and then abort. This
--
2.20.1

37
bogofilter.spec
View File

@ -1,7 +1,7 @@
Summary: Fast anti-spam filtering by Bayesian statistical analysis
Name: bogofilter
Version: 1.2.4
Release: 15%{?dist}
Release: 16%{?dist}
License: GPLv2
URL: http://bogofilter.sourceforge.net/
# Source: http://downloads.sourceforge.net/bogofilter/bogofilter-%{version}.tar.gz
@ -26,6 +26,27 @@ Patch5: patch.r7030
Patch6: patch.r7032
Patch7: patch.r7034
Patch8: patch.r7035
# The following patches are from https://bugzilla.redhat.com/show_bug.cgi?id=1676460
# https://sourceforge.net/p/bogofilter/bugs/125/
Patch9: 0001-Fix-memory-leak-when-creating-a-new-bdb-file-125.patch
# https://sourceforge.net/p/bogofilter/bugs/126/
Patch10: 0002-Fix-out-of-bounds-read-in-spanword-126.patch
Patch11: 0003-Fix-memory-leak-already-fixed-in-trunk.patch
# https://sourceforge.net/p/bogofilter/bugs/118/
Patch12: 0004-Fix-msg-id-out-of-bounds-read-118.patch
# https://sourceforge.net/p/bogofilter/bugs/119/
Patch13: 0005-Fix-mime-cleanup-memory-leak-119.patch
# https://sourceforge.net/p/bogofilter/bugs/120/
Patch14: 0006-Fix-fgetsl-abort-120.patch
# https://sourceforge.net/p/bogofilter/bugs/121/
Patch15: 0007-Fix-gconv-assert-overlap-buffers-121.patch
Patch16: 0008-Fix-out-of-bounds-read-already-fixed-upstream.patch
# https://sourceforge.net/p/bogofilter/bugs/122/
Patch17: 0009-Fix-buffer-overflow-in-add_buff-122.patch
# https://sourceforge.net/p/bogofilter/bugs/123/
Patch18: 0010-Fix-fill_buf-heap-buffer-overflow-123.patch
# https://sourceforge.net/p/bogofilter/bugs/124/
Patch19: 0011-Fix-buffer-overflow-after-long-tokens-124.patch
BuildRequires: gcc
BuildRequires: flex libdb-devel gsl-devel
BuildRequires: /usr/bin/iconv
@ -62,6 +83,17 @@ main bogofilter package.
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
iconv -f iso-8859-1 -t utf-8 \
doc/bogofilter-faq-fr.html > doc/bogofilter-faq-fr.html.utf8
%{__mv} -f doc/bogofilter-faq-fr.html.utf8 \
@ -103,6 +135,9 @@ iconv -f iso-8859-1 -t utf-8 \
%exclude %{_mandir}/man1/bogoupgrade*
%changelog
* Wed Feb 13 2019 Adrian Reber <adrian@lisas.de> - 1.2.4-16
- Applied 11 patches from Georg Sauthoff (#1676460)
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild