Added multiple upstream patches to fix various memory bugs

- Fixes "[abrt] bogofilter: yyrealloc(): bogofilter killed by SIGABRT" (#1246282)
- Fixes "why libdb4" (#1367329) by switching BR to libdb-devel (from db4-devel)
Adrian Reber 2016-11-02 13:45:33 +01:00
parent 8a52d26ddf
commit 80a818b6fd
9 changed files with 393 additions and 5 deletions


@ -1,7 +1,7 @@
Summary: Fast anti-spam filtering by Bayesian statistical analysis
Name: bogofilter
Version: 1.2.4
Release: 6%{?dist}
Release: 7%{?dist}
License: GPLv2
Group: Applications/Internet
URL: http://bogofilter.sourceforge.net/
@ -10,11 +10,24 @@ URL: http://bogofilter.sourceforge.net/
# but due to bug 912694 which identified three files with license
# problems the following steps are necessary to repack bogofilter
# wget http://downloads.sourceforge.net/bogofilter/bogofilter-1.2.4.tar.gz
# tar xf bogofilter-1.2.4.tar.gz
# tar xf bogofilter-1.2.4.tar.gz
# rm bogofilter-1.2.4/doc/bogofilter-SA-20[0-1][0,5]-0[1,2]
# tar cf bogofilter-1.2.4.repack.tar.gz bogofilter-1.2.4
Source: bogofilter-%{version}.repack.tar.gz
BuildRequires: flex db4-devel gsl-devel
# Patches are taken from upstreams SVN:
# svn checkout svn://svn.code.sf.net/p/bogofilter/code/trunk bogofilter-code
# cd bogofilter-code
# svndiff -c 6995 > patch.r6995
Patch1: patch.r6995
# patch.r7009 is adapted to apply without a previous patch
Patch2: patch.r7009
Patch3: patch.r7016
Patch4: patch.r7023
Patch5: patch.r7030
Patch6: patch.r7032
Patch7: patch.r7034
Patch8: patch.r7035
BuildRequires: flex libdb-devel gsl-devel
BuildRequires: /usr/bin/iconv
BuildRequires: perl-generators
@ -30,7 +43,6 @@ by sites that process a lot of mail.
%package bogoupgrade
Summary: Upgrades bogofilter database to current version
Group: Applications/Internet
Provides: bogoupgrade
Requires: %{name} = %{version}-%{release}
%description bogoupgrade
@ -43,13 +55,21 @@ main bogofilter package.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
iconv -f iso-8859-1 -t utf-8 \
doc/bogofilter-faq-fr.html > doc/bogofilter-faq-fr.html.utf8
%{__mv} -f doc/bogofilter-faq-fr.html.utf8 \
doc/bogofilter-faq-fr.html
%build
CFLAGS="%{optflags} -I%{_includedir}/libdb4" LDFLAGS="-L%{_libdir}/libdb4" %configure --disable-rpath
%configure --disable-rpath
%{__make} %{?_smp_mflags}
%install
@ -83,6 +103,11 @@ CFLAGS="%{optflags} -I%{_includedir}/libdb4" LDFLAGS="-L%{_libdir}/libdb4" %conf
%exclude %{_mandir}/man1/bogoupgrade*
%changelog
* Thu Sep 22 2016 Adrian Reber <adrian@lisas.de> - 1.2.4-7
- Added multiple upstream patches to fix various memory bugs
- Fixes "[abrt] bogofilter: yyrealloc(): bogofilter killed by SIGABRT" (#1246282)
- Fixes "why libdb4" (#1367329) by switching BR to libdb-devel (from db4-devel)
* Mon Feb 22 2016 Orion Poplawski <orion@cora.nwra.com> - 1.2.4-6
- Rebuild for gsl 2.1
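Review bot: The comment block above `Patch1` records a checkout over plain `svn://`, which by default gives neither encryption nor server authentication, so the origin of the memory-safety fixes imported here cannot be verified from the spec, and none of the eight `Patch` lines says what it fixes. I would fetch over TLS and annotate each entry, for example `# r7032: out-of-bounds read in discard_token() (maint.c)` above `Patch6` and `# r7035: memory leak in close_wordlists()` above `Patch8`. Per the patch files added in this commit, r6995, r7009 and r7034 change only NEWS; if they are carried just so the later NEWS hunks apply, a one-line comment saying so would help. The `%build` change also drops the libdb4 include and library paths, so the changelog should state whether word lists created with the db4 build open unchanged under libdb.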

14
patch.r6995 Normal file

@ -0,0 +1,14 @@
Index: bogofilter/NEWS
===================================================================
--- bogofilter/NEWS (revision 6994)
+++ bogofilter/NEWS (revision 6995)
@@ -46,7 +46,8 @@
svn checkout http://svn.code.sf.net/p/bogofilter/code/trunk bogofilter
And developers would use, replacing joe by their sf.net login:
- svn checkout --username=joe svn+ssh://m-a@svn.code.sf.net/p/bogofilter/code/trunk bogofilter
+ svn checkout --username=joe \
+ svn+ssh://svn.code.sf.net/p/bogofilter/code/trunk bogofilter
2012-12-03
* Add bogofilter-SA-2012-01 (CVE-2012-5468).

16
patch.r7009 Normal file

@ -0,0 +1,16 @@
Index: bogofilter/NEWS
===================================================================
--- bogofilter/NEWS (revision 7008)
+++ bogofilter/NEWS (revision 7009)
@@ -15,6 +15,11 @@
-------------------------------------------------------------------------------
+ 2013-11-30
+
+ * Updated autoconf/automake stuff so that tests work properly with
+ automake versions that default to running parallel-tests.
+
1.2.4 2013-07-01 (released)
2013-06-28

127
patch.r7016 Normal file

@ -0,0 +1,127 @@
Index: bogofilter/AUTHORS
===================================================================
--- bogofilter/AUTHORS (revision 7015)
+++ bogofilter/AUTHORS (revision 7016)
@@ -55,3 +55,4 @@
Marco Bozzolan
Paul Mangan
Roman Trunov
+Julius Plenz
Index: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
===================================================================
--- bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz (nonexistent)
+++ bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz (revision 7016)
Property changes on: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/octet-stream
\ No newline at end of property
Index: bogofilter/src/tests/t.passthrough-truncation
===================================================================
--- bogofilter/src/tests/t.passthrough-truncation (nonexistent)
+++ bogofilter/src/tests/t.passthrough-truncation (revision 7016)
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+. ${srcdir:=.}/t.frame
+
+# t.passthrough-hb
+#
+# test for correct passthrough of misdeclared MIME parts
+# test case provided by Julius Plenz, July 2014.
+
+gzip -c -d <"$srcdir/inputs/t.passthrough-truncation-in.gz" >"$TMPDIR/input"
+$BOGOFILTER -e -p -C < "$TMPDIR/input" \
+| $GREP -v "^X-Bogosity: Unsure," > "$TMPDIR/output"
+
+if [ $verbose -eq 0 ]; then
+ cmp "$TMPDIR/input" "$TMPDIR/output"
+else
+ set +e
+ diff $DIFF_BRIEF "$TMPDIR/input" "$TMPDIR/output"
+fi
Property changes on: bogofilter/src/tests/t.passthrough-truncation
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: bogofilter/src/tests/Makefile.am
===================================================================
--- bogofilter/src/tests/Makefile.am (revision 7015)
+++ bogofilter/src/tests/Makefile.am (revision 7016)
@@ -35,7 +35,7 @@
t.ignore_spam_header \
t.nullstatsprefix \
t.integrity t.integrity2 t.integrity3 \
- t.passthrough-hb \
+ t.passthrough-hb t.passthrough-truncation \
t.escaped.html t.escaped.url \
t.base64 t.split t.parsing \
t.lexer t.lexer.mbx t.lexer.qpcr t.lexer.eoh \
@@ -97,6 +97,7 @@
inputs/msg.split.dr.0118.base64 \
inputs/msg.split.gs.0119.text \
inputs/spam.mbx \
+ inputs/t.passthrough-truncation-in.gz \
outputs/MH.out \
outputs/bogolex.out \
outputs/bulkmode.out \
Index: bogofilter/src/lexer.c
===================================================================
--- bogofilter/src/lexer.c (revision 7015)
+++ bogofilter/src/lexer.c (revision 7016)
@@ -220,15 +220,25 @@
#ifndef DISABLE_UNICODE
if (encoding == E_UNICODE &&
- !msg_state->mime_dont_decode)
+ !msg_state->mime_dont_decode &&
+ count > 0)
{
iconvert(linebuff, buff);
+
+ /* If we return count = 0 here, the caller will think we have
+ * no more bytes left to read, even though before the iconvert
+ * call we had a positive number of bytes. This *will* lead to
+ * a message truncation which we try to avoid by simply
+ * returning the original input buffer (which has positive
+ * length) instead. */
+ if(buff->t.leng == 0)
+ memcpy(buff, linebuff, sizeof(*buff));
+
/*
* iconvert, treating multi-byte sequences, can shrink or enlarge
* the output compared to its input. Correct count.
*/
- if (count > 0)
- count = buff->t.leng;
+ count = buff->t.leng;
}
#endif
Index: bogofilter/NEWS
===================================================================
--- bogofilter/NEWS (revision 7015)
+++ bogofilter/NEWS (revision 7016)
@@ -15,6 +15,13 @@
-------------------------------------------------------------------------------
+ 2014-07-10
+
+ * Take patch from Julius Plenz to fix a bug in the charset converter
+ that causes truncation of messages in pass-through mode in rare
+ circumstances, for instance, if binary data is misdeclared as
+ text/html. Also add his test case, t.passthrough-truncation.
+
2013-11-30
* Updated autoconf/automake stuff so that tests work properly with
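Review bot: In the lexer.c hunk, `memcpy(buff, linebuff, sizeof(*buff))` copies the whole buffer descriptor rather than the bytes it describes. If the type holds a pointer to its text (patch.r7030 in this commit reads `buff.t.u.text` on what looks like the same type), then after the copy `buff` and `linebuff` refer to one allocation and `buff`'s own pointer and size are overwritten, so a later free or resize through either one can leave the other dangling; the declarations are outside the hunk, so this needs confirming there. Either copy the text bytes bounded by `buff`'s capacity, or state the ownership on the line, e.g. `/* shallow copy: buff aliases linebuff's storage from here on */`. The enclosing function starts and ends outside the hunk.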

83
patch.r7023 Normal file

@ -0,0 +1,83 @@
Index: bogofilter/src/mime.c
===================================================================
--- bogofilter/src/mime.c (revision 7022)
+++ bogofilter/src/mime.c (revision 7023)
@@ -279,6 +279,25 @@
mime_push(parent);
}
+static bool is_final_boundary(
+ const byte *ins,
+ size_t inlen,
+ size_t blen
+)
+{
+ if (inlen >= 5
+ && inlen >= blen + 2
+ && ins[0] == '-'
+ && ins[1] == '-'
+ && ins[blen+2] == '-'
+ && ins[blen+3] == '-')
+ {
+ return true;
+ }
+ return false;
+}
+
+
/**
* Check if the line given in \a boundary is a boundary of one of the
* outer MIME containers and store the results in \a b.
@@ -301,28 +320,18 @@
(buf[blen - 1] == '\r' || buf[blen - 1] == '\n'))
blen--;
- /* skip initial -- */
- buf += 2;
- blen -= 2;
-
- /* skip and note ending --, if any */
- if (blen > 2 && buf[blen - 1] == '-' && buf[blen - 2] == '-') {
- b->is_final = true;
- blen -= 2;
- } else {
- b->is_final = false;
- }
-
/* search stack for matching boundary, in reverse order */
for (ptr = mime_stack_bot; ptr != NULL; ptr = ptr->parent)
{
if (is_mime_container(ptr)
&& ptr->boundary != NULL
- && ptr->boundary_len == blen
- && (memcmp(ptr->boundary, buf, blen) == 0))
+ && (ptr->boundary_len + 2 == blen
+ || ptr->boundary_len + 4 == blen)
+ && (memcmp(ptr->boundary, buf + 2, ptr->boundary_len) == 0))
{
b->depth = ptr->depth;
b->is_valid = true;
+ b->is_final = is_final_boundary(buf, blen, ptr->boundary_len);
break;
}
}
Index: bogofilter/NEWS
===================================================================
--- bogofilter/NEWS (revision 7022)
+++ bogofilter/NEWS (revision 7023)
@@ -15,6 +15,15 @@
-------------------------------------------------------------------------------
+ 2015-02-25
+
+ * Fix the lexer to handle MIME multipart messages properly when the
+ boundary ended in "--". The parser would previously never find the
+ MIME parts because it mistook all boundaries ending in two dashes to
+ be the final boundary of the multipart, rather than checking if the
+ two dashes were extra.
+ Reported by Matt Garretson to the bogofilter mailing list today.
+
2014-07-10
* Take patch from Julius Plenz to fix a bug in the charset converter
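Review bot: `is_final_boundary()` reads `ins[blen+2]` and `ins[blen+3]` after checking only `inlen >= blen + 2`, so for a non-final boundary line, which the caller admits with `ptr->boundary_len + 2 == blen`, both reads land at or past `inlen`. Whether those bytes are still inside the allocation depends on the CR/LF trimmed just above the second hunk, which a last line without a terminator would not provide. The length test should cover the last index read: `&& inlen >= blen + 4`. `is_final_boundary` is complete in the hunk; the calling function starts and ends outside it.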

48
patch.r7030 Normal file

@ -0,0 +1,48 @@
Index: bogofilter/src/lexer.c
===================================================================
--- bogofilter/src/lexer.c (revision 7029)
+++ bogofilter/src/lexer.c (revision 7030)
@@ -329,7 +329,7 @@
count += cnt;
/* Note: some malformed messages can cause xfgetsl() to report
- ** "Invalid buffer size, exiting." ** and then abort. This
+ ** "Invalid buffer size, exiting." and then abort. This
** can happen when the parser is in html mode and there's a
** leading '<' but no closing '>'.
**
@@ -343,9 +343,12 @@
if (count >= MAX_TOKEN_LEN * 2 &&
long_token(buff.t.u.text, (uint) count)) {
- uint start = buff.t.leng - count;
- uint length = count - max_token_len;
- buff_shift(&buff, start, length);
+ /* Make sure not to shift bytes outside the buffer */
+ if (buff.t.leng >= (uint) count) {
+ uint start = buff.t.leng - count;
+ uint length = count - max_token_len;
+ buff_shift(&buff, start, length);
+ }
count = buff.t.leng;
}
else
Index: bogofilter/NEWS
===================================================================
--- bogofilter/NEWS (revision 7029)
+++ bogofilter/NEWS (revision 7030)
@@ -15,6 +15,14 @@
-------------------------------------------------------------------------------
+ 2015-02-28
+
+ * Fix the lexer to not try to delete parts from HTML tokens if it is
+ reading garbage (for instance, binary files misdeclared as HTML).
+ This was exposed on Fedora 20 and 21 but not Ubuntu 14.04 (x86_64),
+ and is possibly related to its newer flex 2.5.37 that may have
+ changed the way it uses yyinput() a bit. Reported by Matt Garretson.
+
2015-02-25
* Fix the lexer to handle MIME multipart messages properly when the
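Review bot: The added guard `buff.t.leng >= (uint) count` protects `start` from wrapping but not `length`, which is `count - max_token_len` while the outer test compares `count` with the constant `MAX_TOKEN_LEN * 2`. If `max_token_len` can be set above that value at run time, `length` wraps to a very large `uint` and `buff_shift()` is still called with it; the definition of `max_token_len` is not visible here, so this needs checking. Extending the condition to `if (buff.t.leng >= (uint) count && (uint) count > max_token_len)` would close that case. The enclosing function begins and ends outside the hunk.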

19
patch.r7032 Normal file

@ -0,0 +1,19 @@
Index: bogofilter/src/maint.c
===================================================================
--- bogofilter/src/maint.c (revision 7031)
+++ bogofilter/src/maint.c (revision 7032)
@@ -118,11 +118,11 @@
bool discard;
if (token->u.text[0] == '.') { /* keep .ENCODING, .MSG_COUNT, and .ROBX */
- if (strcmp((const char *)token->u.text, MSG_COUNT) == 0)
+ if (0 == word_cmps(token, MSG_COUNT))
return false;
- if (strcmp((const char *)token->u.text, ROBX_W) == 0)
+ if (0 == word_cmps(token, ROBX_W))
return false;
- if (strcmp((const char *)token->u.text, WORDLIST_ENCODING) == 0)
+ if (0 == word_cmps(token, WORDLIST_ENCODING))
return false;
}
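Review bot: The unchanged test `token->u.text[0] == '.'` still reads the first byte without looking at the token length, so the bounded `word_cmps()` calls this hunk introduces are reached only after an unchecked read. If a zero-length token can get here (not visible in the hunk), that is the same class of over-read the change addresses; `if (token->leng > 0 && token->u.text[0] == '.')` would cover it, assuming `token` carries the `leng` field seen as `buff->t.leng` elsewhere in this commit. A short comment above the first call, such as `/* compare by length: token text may lack a terminating NUL */`, would keep `strcmp` from being reintroduced. The function starts and ends outside the hunk.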

16
patch.r7034 Normal file

@ -0,0 +1,16 @@
Index: bogofilter/NEWS
===================================================================
--- bogofilter/NEWS (revision 7033)
+++ bogofilter/NEWS (revision 7034)
@@ -15,6 +15,11 @@
-------------------------------------------------------------------------------
+ 2015-10-10
+
+ * Fix an out-of-bounds memory read in maint.c's discard_token().
+ Found with clang 3.6's address sanitizer.
+
2015-02-28
* Fix the lexer to not try to delete parts from HTML tokens if it is

40
patch.r7035 Normal file

@ -0,0 +1,40 @@
Index: bogofilter/src/wordlists.c
===================================================================
--- bogofilter/src/wordlists.c (revision 7034)
+++ bogofilter/src/wordlists.c (revision 7035)
@@ -265,9 +265,6 @@
xfree(i);
}
- if (commit)
- word_lists = NULL;
-
return err;
}
Index: bogofilter/src/wordlists_base.c
===================================================================
--- bogofilter/src/wordlists_base.c (revision 7034)
+++ bogofilter/src/wordlists_base.c (revision 7035)
@@ -134,6 +134,8 @@
list = free_wordlistnode(list);
}
+ word_lists = NULL;
+
bogohome_cleanup();
}
Index: bogofilter/NEWS
===================================================================
--- bogofilter/NEWS (revision 7034)
+++ bogofilter/NEWS (revision 7035)
@@ -17,6 +17,8 @@
2015-10-10
+ * Fix a memory leak in close_wordlists().
+
* Fix an out-of-bounds memory read in maint.c's discard_token().
Found with clang 3.6's address sanitizer.
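Review bot: With the reset removed from wordlists.c, `word_lists` stays non-NULL after that function returns even though its loop has already called `xfree(i)`, so until the cleanup in wordlists_base.c runs the global may still lead to released memory; what `i` is and who reads `word_lists` in between is outside both hunks. I would document the ordering at the new assignment, e.g. `/* all nodes freed above; clear the global so later callers see an empty list */`, and state in the header comment of the wordlists.c function that the wordlists_base.c cleanup must run before the list is reused. Both functions start outside the hunks.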