From 80a818b6fde463ebfd868dd203a60b9cc3529527 Mon Sep 17 00:00:00 2001
From: Adrian Reber
Date: Wed, 2 Nov 2016 13:45:33 +0100
Subject: [PATCH] Added multiple upstream patches to fix various memory bugs

- Fixes "[abrt] bogofilter: yyrealloc(): bogofilter killed by SIGABRT" (#1246282)
- Fixes "why libdb4" (#1367329) by switching BR to libdb-devel (from db4-devel)

---
 bogofilter.spec | 35 +++++++++++--
 patch.r6995 | 14 ++++++
 patch.r7009 | 16 ++++++
 patch.r7016 | 127 ++++++++++++++++++++++++++++++++++++++++++++++++
 patch.r7023 | 83 +++++++++++++++++++++++++++++++
 patch.r7030 | 48 ++++++++++++++++++
 patch.r7032 | 19 ++++++++
 patch.r7034 | 16 ++++++
 patch.r7035 | 40 +++++++++++++++
 9 files changed, 393 insertions(+), 5 deletions(-)
 create mode 100644 patch.r6995
 create mode 100644 patch.r7009
 create mode 100644 patch.r7016
 create mode 100644 patch.r7023
 create mode 100644 patch.r7030
 create mode 100644 patch.r7032
 create mode 100644 patch.r7034
 create mode 100644 patch.r7035

diff --git a/bogofilter.spec b/bogofilter.spec
index 8c9a573..f53f933 100644
--- a/bogofilter.spec
+++ b/bogofilter.spec
@@ -1,7 +1,7 @@
 Summary: Fast anti-spam filtering by Bayesian statistical analysis
 Name: bogofilter
 Version: 1.2.4
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2
 Group: Applications/Internet
 URL: http://bogofilter.sourceforge.net/
@@ -10,11 +10,24 @@ URL: http://bogofilter.sourceforge.net/
 # but due to bug 912694 which identified three files with license
 # problems the following steps are necessary to repack bogofilter
 # wget http://downloads.sourceforge.net/bogofilter/bogofilter-1.2.4.tar.gz
-# tar xf bogofilter-1.2.4.tar.gz
+# tar xf bogofilter-1.2.4.tar.gz
 # rm bogofilter-1.2.4/doc/bogofilter-SA-20[0-1][0,5]-0[1,2]
 # tar cf bogofilter-1.2.4.repack.tar.gz bogofilter-1.2.4
 Source: bogofilter-%{version}.repack.tar.gz
-BuildRequires: flex db4-devel gsl-devel
+# Patches are taken from upstreams SVN:
+# svn checkout svn://svn.code.sf.net/p/bogofilter/code/trunk bogofilter-code
+# cd bogofilter-code
+# svndiff -c 6995 > patch.r6995
+Patch1: patch.r6995
+# patch.r7009 is adapted to apply without a previous patch
+Patch2: patch.r7009
+Patch3: patch.r7016
+Patch4: patch.r7023
+Patch5: patch.r7030
+Patch6: patch.r7032
+Patch7: patch.r7034
+Patch8: patch.r7035
+BuildRequires: flex libdb-devel gsl-devel
 BuildRequires: /usr/bin/iconv
 BuildRequires: perl-generators
@@ -30,7 +43,6 @@ by sites that process a lot of mail.
 %package bogoupgrade
 Summary: Upgrades bogofilter database to current version
 Group: Applications/Internet
-Provides: bogoupgrade
 Requires: %{name} = %{version}-%{release}
 
 %description bogoupgrade
@@ -43,13 +55,21 @@ main bogofilter package.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 iconv -f iso-8859-1 -t utf-8 \
 doc/bogofilter-faq-fr.html > doc/bogofilter-faq-fr.html.utf8
 %{__mv} -f doc/bogofilter-faq-fr.html.utf8 \
 doc/bogofilter-faq-fr.html
 
 %build
-CFLAGS="%{optflags} -I%{_includedir}/libdb4" LDFLAGS="-L%{_libdir}/libdb4" %configure --disable-rpath
+%configure --disable-rpath
 %{__make} %{?_smp_mflags}
 
 %install
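Review bot: The provenance comment added above `Patch1:` cannot be followed as written: `svndiff` is not an svn subcommand, and the checkout it documents uses the unauthenticated, unencrypted `svn://` transport, so anyone re-deriving these eight patch files gets no integrity guarantee on what they fetch. Suggest `# svn checkout https://svn.code.sf.net/p/bogofilter/code/trunk bogofilter-code` and `# svn diff -c 6995 > patch.r6995` so the recipe is both runnable and served over TLS. The note that patch.r7009 was hand-adapted is useful; the same sentence should say which hunks were dropped so a reviewer comparing against `svn diff -c 7009` knows what to expect.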
@@ -83,6 +103,11 @@ CFLAGS="%{optflags} -I%{_includedir}/libdb4" LDFLAGS="-L%{_libdir}/libdb4" %conf
 %exclude %{_mandir}/man1/bogoupgrade*
 
 %changelog
+* Thu Sep 22 2016 Adrian Reber - 1.2.4-7
+- Added multiple upstream patches to fix various memory bugs
+- Fixes "[abrt] bogofilter: yyrealloc(): bogofilter killed by SIGABRT" (#1246282)
+- Fixes "why libdb4" (#1367329) by switching BR to libdb-devel (from db4-devel)
+
 * Mon Feb 22 2016 Orion Poplawski - 1.2.4-6
 - Rebuild for gsl 2.1
 
diff --git a/patch.r6995 b/patch.r6995
new file mode 100644
index 0000000..a451a13
--- /dev/null
+++ b/patch.r6995
@@ -0,0 +1,14 @@
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 6994)
++++ bogofilter/NEWS (revision 6995)
+@@ -46,7 +46,8 @@
+ svn checkout http://svn.code.sf.net/p/bogofilter/code/trunk bogofilter
+ 
+ And developers would use, replacing joe by their sf.net login:
+- svn checkout --username=joe svn+ssh://m-a@svn.code.sf.net/p/bogofilter/code/trunk bogofilter
++ svn checkout --username=joe \
++ svn+ssh://svn.code.sf.net/p/bogofilter/code/trunk bogofilter
+ 
+ 2012-12-03
+ * Add bogofilter-SA-2012-01 (CVE-2012-5468).
diff --git a/patch.r7009 b/patch.r7009
new file mode 100644
index 0000000..f5c16a7
--- /dev/null
+++ b/patch.r7009
@@ -0,0 +1,16 @@
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7008)
++++ bogofilter/NEWS (revision 7009)
+@@ -15,6 +15,11 @@
+ 
+ -------------------------------------------------------------------------------
+ 
++ 2013-11-30
++ 
++ * Updated autoconf/automake stuff so that tests work properly with
++ automake versions that default to running parallel-tests.
++ 
+ 1.2.4 2013-07-01 (released)
+ 
+ 2013-06-28
diff --git a/patch.r7016 b/patch.r7016
new file mode 100644
index 0000000..9560d45
--- /dev/null
+++ b/patch.r7016
@@ -0,0 +1,127 @@
+Index: bogofilter/AUTHORS
+===================================================================
+--- bogofilter/AUTHORS (revision 7015)
++++ bogofilter/AUTHORS (revision 7016)
+@@ -55,3 +55,4 @@
+ Marco Bozzolan
+ Paul Mangan
+ Roman Trunov
++Julius Plenz
+Index: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
+===================================================================
+Cannot display: file marked as a binary type.
+svn:mime-type = application/octet-stream
+Index: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
+===================================================================
+--- bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz (nonexistent)
++++ bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz (revision 7016)
+
+Property changes on: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
+___________________________________________________________________
+Added: svn:mime-type
+## -0,0 +1 ##
++application/octet-stream
+\ No newline at end of property
+Index: bogofilter/src/tests/t.passthrough-truncation
+===================================================================
+--- bogofilter/src/tests/t.passthrough-truncation (nonexistent)
++++ bogofilter/src/tests/t.passthrough-truncation (revision 7016)
+@@ -0,0 +1,19 @@
++#! /bin/sh
++
++. ${srcdir:=.}/t.frame
++
++# t.passthrough-hb
++#
++# test for correct passthrough of misdeclared MIME parts
++# test case provided by Julius Plenz, July 2014.
++
++gzip -c -d <"$srcdir/inputs/t.passthrough-truncation-in.gz" >"$TMPDIR/input"
++$BOGOFILTER -e -p -C < "$TMPDIR/input" \
++| $GREP -v "^X-Bogosity: Unsure," > "$TMPDIR/output"
++
++if [ $verbose -eq 0 ]; then
++ cmp "$TMPDIR/input" "$TMPDIR/output"
++else
++ set +e
++ diff $DIFF_BRIEF "$TMPDIR/input" "$TMPDIR/output"
++fi
+
+Property changes on: bogofilter/src/tests/t.passthrough-truncation
+___________________________________________________________________
+Added: svn:executable
+## -0,0 +1 ##
++*
+\ No newline at end of property
+Index: bogofilter/src/tests/Makefile.am
+===================================================================
+--- bogofilter/src/tests/Makefile.am (revision 7015)
++++ bogofilter/src/tests/Makefile.am (revision 7016)
+@@ -35,7 +35,7 @@
+ t.ignore_spam_header \
+ t.nullstatsprefix \
+ t.integrity t.integrity2 t.integrity3 \
+- t.passthrough-hb \
++ t.passthrough-hb t.passthrough-truncation \
+ t.escaped.html t.escaped.url \
+ t.base64 t.split t.parsing \
+ t.lexer t.lexer.mbx t.lexer.qpcr t.lexer.eoh \
+@@ -97,6 +97,7 @@
+ inputs/msg.split.dr.0118.base64 \
+ inputs/msg.split.gs.0119.text \
+ inputs/spam.mbx \
++ inputs/t.passthrough-truncation-in.gz \
+ outputs/MH.out \
+ outputs/bogolex.out \
+ outputs/bulkmode.out \
+Index: bogofilter/src/lexer.c
+===================================================================
+--- bogofilter/src/lexer.c (revision 7015)
++++ bogofilter/src/lexer.c (revision 7016)
+@@ -220,15 +220,25 @@
+ 
+ #ifndef DISABLE_UNICODE
+ if (encoding == E_UNICODE &&
+- !msg_state->mime_dont_decode)
++ !msg_state->mime_dont_decode &&
++ count > 0)
+ {
+ iconvert(linebuff, buff);
++ 
++ /* If we return count = 0 here, the caller will think we have
++ * no more bytes left to read, even though before the iconvert
++ * call we had a positive number of bytes. This *will* lead to
++ * a message truncation which we try to avoid by simply
++ * returning the original input buffer (which has positive
++ * length) instead. */
++ if(buff->t.leng == 0)
++ memcpy(buff, linebuff, sizeof(*buff));
++ 
+ /*
+ * iconvert, treating multi-byte sequences, can shrink or enlarge
+ * the output compared to its input. Correct count.
+ */
+- if (count > 0)
+- count = buff->t.leng;
++ count = buff->t.leng;
+ }
+ #endif
+ 
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7015)
++++ bogofilter/NEWS (revision 7016)
+@@ -15,6 +15,13 @@
+ 
+ -------------------------------------------------------------------------------
+ 
++ 2014-07-10
++ 
++ * Take patch from Julius Plenz to fix a bug in the charset converter
++ that causes truncation of messages in pass-through mode in rare
++ circumstances, for instance, if binary data is misdeclared as
++ text/html. Also add his test case, t.passthrough-truncation.
++ 
+ 2013-11-30
+ 
+ * Updated autoconf/automake stuff so that tests work properly with
diff --git a/patch.r7023 b/patch.r7023
new file mode 100644
index 0000000..b02f5e8
--- /dev/null
+++ b/patch.r7023
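Review bot: The new test `t.passthrough-truncation` is wired into Makefile.am's test list and EXTRA_DIST, but its input `inputs/t.passthrough-truncation-in.gz` is not carried by this patch file (the hunk literally says `Cannot display: file marked as a binary type.`), so after %prep the tree references a file that does not exist and any `make check` or `make dist` would fail on it; either drop the two Makefile.am hunks from the packaged patch or ship the .gz as an extra Source. In lexer.c, the recovery `memcpy(buff, linebuff, sizeof(*buff));` is a shallow struct copy: if the buffer struct holds a pointer to its text storage (as `buff->t.u.text` elsewhere in this series suggests), `buff` now aliases `linebuff`'s bytes instead of owning them, which is presumably fine because `linebuff` outlives the call but deserves a comment such as `/* shallow copy: buff now aliases linebuff's storage, which must stay valid until the caller has consumed buff */`. The test script's header comment `# t.passthrough-hb` names the wrong test and should read `# t.passthrough-truncation`. The enclosing lexer function starts and ends outside the hunk.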
@@ -0,0 +1,83 @@
+Index: bogofilter/src/mime.c
+===================================================================
+--- bogofilter/src/mime.c (revision 7022)
++++ bogofilter/src/mime.c (revision 7023)
+@@ -279,6 +279,25 @@
+ mime_push(parent);
+ }
+ 
++static bool is_final_boundary(
++ const byte *ins,
++ size_t inlen,
++ size_t blen
++)
++{
++ if (inlen >= 5
++ && inlen >= blen + 2
++ && ins[0] == '-'
++ && ins[1] == '-'
++ && ins[blen+2] == '-'
++ && ins[blen+3] == '-')
++ {
++ return true;
++ }
++ return false;
++}
++
++
+ /**
+ * Check if the line given in \a boundary is a boundary of one of the
+ * outer MIME containers and store the results in \a b.
+@@ -301,28 +320,18 @@
+ (buf[blen - 1] == '\r' || buf[blen - 1] == '\n'))
+ blen--;
+ 
+- /* skip initial -- */
+- buf += 2;
+- blen -= 2;
+-
+- /* skip and note ending --, if any */
+- if (blen > 2 && buf[blen - 1] == '-' && buf[blen - 2] == '-') {
+- b->is_final = true;
+- blen -= 2;
+- } else {
+- b->is_final = false;
+- }
+-
+ /* search stack for matching boundary, in reverse order */
+ for (ptr = mime_stack_bot; ptr != NULL; ptr = ptr->parent)
+ {
+ if (is_mime_container(ptr)
+ && ptr->boundary != NULL
+- && ptr->boundary_len == blen
+- && (memcmp(ptr->boundary, buf, blen) == 0))
++ && (ptr->boundary_len + 2 == blen
++ || ptr->boundary_len + 4 == blen)
++ && (memcmp(ptr->boundary, buf + 2, ptr->boundary_len) == 0))
+ {
+ b->depth = ptr->depth;
+ b->is_valid = true;
++ b->is_final = is_final_boundary(buf, blen, ptr->boundary_len);
+ break;
+ }
+ }
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7022)
++++ bogofilter/NEWS (revision 7023)
+@@ -15,6 +15,15 @@
+ 
+ -------------------------------------------------------------------------------
+ 
++ 2015-02-25
++ 
++ * Fix the lexer to handle MIME multipart messages properly when the
++ boundary ended in "--". The parser would previously never find the
++ MIME parts because it mistook all boundaries ending in two dashes to
++ be the final boundary of the multipart, rather than checking if the
++ two dashes were extra.
++ Reported by Matt Garretson to the bogofilter mailing list today.
++ 
+ 2014-07-10
+ 
+ * Take patch from Julius Plenz to fix a bug in the charset converter
diff --git a/patch.r7030 b/patch.r7030
new file mode 100644
index 0000000..1465e8a
--- /dev/null
+++ b/patch.r7030
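Review bot: `is_final_boundary` reads `ins[blen+2]` and `ins[blen+3]` while only guarding `inlen >= blen + 2`, so for a non-final boundary line, where the caller passes an `inlen` of exactly `boundary_len + 2`, both reads are one and two bytes past the end of the line as measured by `inlen`. They probably land on the CR/LF the caller stripped from `blen` just before, but a boundary on the last line of a message with no trailing newline, or the `memcpy`-aliased buffer from r7016, gives no such slack, and the short-circuit on `ins[0]`/`ins[1]` does not help because every boundary line begins with `--`. The guard should be `&& inlen >= blen + 4`, which also makes the separate `inlen >= 5` test redundant; alternatively the caller already knows which of the two lengths matched and could pass `blen == ptr->boundary_len + 4` directly. The matching loop's enclosing function starts outside the hunk.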
@@ -0,0 +1,48 @@
+Index: bogofilter/src/lexer.c
+===================================================================
+--- bogofilter/src/lexer.c (revision 7029)
++++ bogofilter/src/lexer.c (revision 7030)
+@@ -329,7 +329,7 @@
+ count += cnt;
+ 
+ /* Note: some malformed messages can cause xfgetsl() to report
+- ** "Invalid buffer size, exiting." ** and then abort. This
++ ** "Invalid buffer size, exiting." and then abort. This
+ ** can happen when the parser is in html mode and there's a
+ ** leading '<' but no closing '>'.
+ **
+@@ -343,9 +343,12 @@
+ 
+ if (count >= MAX_TOKEN_LEN * 2 &&
+ long_token(buff.t.u.text, (uint) count)) {
+- uint start = buff.t.leng - count;
+- uint length = count - max_token_len;
+- buff_shift(&buff, start, length);
++ /* Make sure not to shift bytes outside the buffer */
++ if (buff.t.leng >= (uint) count) {
++ uint start = buff.t.leng - count;
++ uint length = count - max_token_len;
++ buff_shift(&buff, start, length);
++ }
+ count = buff.t.leng;
+ }
+ else
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7029)
++++ bogofilter/NEWS (revision 7030)
+@@ -15,6 +15,14 @@
+ 
+ -------------------------------------------------------------------------------
+ 
++ 2015-02-28
++ 
++ * Fix the lexer to not try to delete parts from HTML tokens if it is
++ reading garbage (for instance, binary files misdeclared as HTML).
++ This was exposed on Fedora 20 and 21 but not Ubuntu 14.04 (x86_64),
++ and is possibly related to its newer flex 2.5.37 that may have
++ changed the way it uses yyinput() a bit. Reported by Matt Garretson.
++ 
+ 2015-02-25
+ 
+ * Fix the lexer to handle MIME multipart messages properly when the
diff --git a/patch.r7032 b/patch.r7032
new file mode 100644
index 0000000..eaba3ad
--- /dev/null
+++ b/patch.r7032
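Review bot: The new guard `if (buff.t.leng >= (uint) count)` stops `start` from wrapping to a huge unsigned value when `leng < count`, but it silently skips the trim and then sets `count = buff.t.leng`, so an over-long token stays in the buffer with no trace of why, and the NEWS entry concedes the root cause is only "possibly related" to flex's yyinput(). The one-line comment does not tell the next reader what invariant is being defended; something like `/* leng < count has been observed with binary data misdeclared as HTML (NEWS 2015-02-28); the cause is not understood, so skip the trim rather than compute a wrapped start */` would, and a debug-level message on the skipped path would make recurrences visible instead of masked. The enclosing function starts and ends outside the hunk.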
@@ -0,0 +1,19 @@
+Index: bogofilter/src/maint.c
+===================================================================
+--- bogofilter/src/maint.c (revision 7031)
++++ bogofilter/src/maint.c (revision 7032)
+@@ -118,11 +118,11 @@
+ bool discard;
+ 
+ if (token->u.text[0] == '.') { /* keep .ENCODING, .MSG_COUNT, and .ROBX */
+- if (strcmp((const char *)token->u.text, MSG_COUNT) == 0)
++ if (0 == word_cmps(token, MSG_COUNT))
+ return false;
+- if (strcmp((const char *)token->u.text, ROBX_W) == 0)
++ if (0 == word_cmps(token, ROBX_W))
+ return false;
+- if (strcmp((const char *)token->u.text, WORDLIST_ENCODING) == 0)
++ if (0 == word_cmps(token, WORDLIST_ENCODING))
+ return false;
+ }
+ 
diff --git a/patch.r7034 b/patch.r7034
new file mode 100644
index 0000000..790b901
--- /dev/null
+++ b/patch.r7034
@@ -0,0 +1,16 @@
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7033)
++++ bogofilter/NEWS (revision 7034)
+@@ -15,6 +15,11 @@
+ 
+ -------------------------------------------------------------------------------
+ 
++ 2015-10-10
++ 
++ * Fix an out-of-bounds memory read in maint.c's discard_token().
++ Found with clang 3.6's address sanitizer.
++ 
+ 2015-02-28
+ 
+ * Fix the lexer to not try to delete parts from HTML tokens if it is
diff --git a/patch.r7035 b/patch.r7035
new file mode 100644
index 0000000..6ef6f81
--- /dev/null
+++ b/patch.r7035
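Review bot: Replacing `strcmp` with `word_cmps` presumably fixes the over-read on tokens whose text is not NUL-terminated (the r7034 NEWS entry calls it an out-of-bounds read found by ASan), but the unchanged line just above, `if (token->u.text[0] == '.')`, still dereferences the first byte before any length is consulted; if a zero-length token can reach discard_token(), that read is out of bounds by the same reasoning. Assuming the length field is `leng`, as `buff.t.leng` elsewhere in this series suggests, the guard should be `if (token->leng > 0 && token->u.text[0] == '.') {`. The function's body continues outside the hunk.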
@@ -0,0 +1,40 @@
+Index: bogofilter/src/wordlists.c
+===================================================================
+--- bogofilter/src/wordlists.c (revision 7034)
++++ bogofilter/src/wordlists.c (revision 7035)
+@@ -265,9 +265,6 @@
+ xfree(i);
+ }
+ 
+- if (commit)
+- word_lists = NULL;
+-
+ return err;
+ }
+ 
+Index: bogofilter/src/wordlists_base.c
+===================================================================
+--- bogofilter/src/wordlists_base.c (revision 7034)
++++ bogofilter/src/wordlists_base.c (revision 7035)
+@@ -134,6 +134,8 @@
+ list = free_wordlistnode(list);
+ }
+ 
++ word_lists = NULL;
++
+ bogohome_cleanup();
+ }
+ 
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7034)
++++ bogofilter/NEWS (revision 7035)
+@@ -17,6 +17,8 @@
+ 
+ 2015-10-10
+ 
++ * Fix a memory leak in close_wordlists().
++
+ * Fix an out-of-bounds memory read in maint.c's discard_token().
+ Found with clang 3.6's address sanitizer.
+ 
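Review bot: Moving `word_lists = NULL;` into the base cleanup drops the `if (commit)` condition that guarded it in wordlists.c, so the list head is now reset on every run of that cleanup rather than only after a committed close; if a rollback path called close_wordlists() with `commit` false and then expected `word_lists` to still be populated, its behaviour changes here. Both functions start outside the hunk, so I cannot confirm from this view whether such a caller exists. Either way the placement after the `free_wordlistnode` loop is the important property and deserves a comment on the new line, e.g. `/* reset only after every node is freed so a later walk sees an empty list, not freed memory */`.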