- 3.3.0-alpha1

- WARNING: spamassassin-3.3.0+ no longer ships with its own rules. You must
    run sa-update to download rules before you use spamassassin. Failure to
    download rules means spamassassin always returns unfiltered. Should we
    ship a set of rules with spamassassin? Please discuss on
    fedora-devel-list.

.cvsignore

@@ -1 +1 @@
-Mail-SpamAssassin-3.2.5.tar.bz2
+Mail-SpamAssassin-3.3.0-alpha1.tar.bz2

Mail-SpamAssassin-3.3.0-missing-pre.patch

@@ -0,0 +1,250 @@
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/init.pre Mail-SpamAssassin-3.3.0/rules/init.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/init.pre	1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/init.pre	2009-07-06 18:56:58.599173705 -0400
+@@ -0,0 +1,36 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file contains plugin activation commands for plugins included
++# in SpamAssassin 3.0.x releases.  It will not be installed if you
++# already have a file in place called "init.pre".
++#
++# There are now multiple files read to enable plugins in the 
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was 
++# read.  Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read.  As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# RelayCountry - add metadata for Bayes learning, marking the countries
++# a message was relayed through
++#
++# Note: This requires the IP::Country::Fast Perl module
++#
++# loadplugin Mail::SpamAssassin::Plugin::RelayCountry
++
++# URIDNSBL - look up URLs found in the message against several DNS
++# blocklists.
++#
++loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
++
++# Hashcash - perform hashcash verification.
++#
++loadplugin Mail::SpamAssassin::Plugin::Hashcash
++
++# SPF - perform SPF verification.
++#
++loadplugin Mail::SpamAssassin::Plugin::SPF
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v310.pre Mail-SpamAssassin-3.3.0/rules/v310.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v310.pre	1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v310.pre	2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,78 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.1.0,
++# and contains plugin loading commands for the new plugins added in that
++# release.  It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read.  Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read.  As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# DCC - perform DCC message checks.
++#
++# DCC is disabled here because it is not open source.  See the DCC
++# license for more details.
++#
++#loadplugin Mail::SpamAssassin::Plugin::DCC
++
++# Pyzor - perform Pyzor message checks.
++#
++loadplugin Mail::SpamAssassin::Plugin::Pyzor
++
++# Razor2 - perform Razor2 message checks.
++#
++loadplugin Mail::SpamAssassin::Plugin::Razor2
++
++# SpamCop - perform SpamCop message reporting
++#
++loadplugin Mail::SpamAssassin::Plugin::SpamCop
++
++# AntiVirus - some simple anti-virus checks, this is not a replacement
++# for an anti-virus filter like Clam AntiVirus
++#
++#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
++
++# AWL - do auto-whitelist checks
++#
++#loadplugin Mail::SpamAssassin::Plugin::AWL
++
++# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning
++#
++loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
++
++# TextCat - language guesser
++#
++#loadplugin Mail::SpamAssassin::Plugin::TextCat
++
++# AccessDB - lookup from-addresses in access database
++#
++#loadplugin Mail::SpamAssassin::Plugin::AccessDB
++
++# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
++#
++loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
++
++###########################################################################
++# experimental plugins
++
++# DomainKeys - perform DomainKeys verification
++#
++# This plugin has been removed as of v3.3.0.  Use the DKIM plugin instead,
++# which supports both Domain Keys and DKIM.
++
++# MIMEHeader - apply regexp rules against MIME headers in the message
++#
++loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
++
++# ReplaceTags
++#
++loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v312.pre Mail-SpamAssassin-3.3.0/rules/v312.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v312.pre	1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v312.pre	2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,29 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.1.2,
++# and contains plugin loading commands for the new plugins added in that
++# release.  It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read.  Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read.  As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++
++###########################################################################
++# experimental plugins
++
++# DKIM - perform DKIM verification
++#
++# Mail::DKIM module required for use, see INSTALL for more information.
++# 
++# Note that if C<Mail::DKIM> version 0.20 or later is installed, this
++# renders the DomainKeys plugin redundant.
++#
++loadplugin Mail::SpamAssassin::Plugin::DKIM
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v320.pre Mail-SpamAssassin-3.3.0/rules/v320.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v320.pre	1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v320.pre	2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,64 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.2.0,
++# and contains plugin loading commands for the new plugins added in that
++# release.  It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read.  Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read.  As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# Check - Provides main check functionality
++#
++loadplugin Mail::SpamAssassin::Plugin::Check
++
++# HTTPSMismatch - find URI mismatches between href and anchor text
++#
++loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
++
++# URIDetail - test URIs using detailed URI information
++#
++loadplugin Mail::SpamAssassin::Plugin::URIDetail
++
++# Shortcircuit - stop evaluation early if high-accuracy rules fire
++# 
++# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
++
++# Plugins which used to be EvalTests.pm
++# broken out into separate plugins
++loadplugin Mail::SpamAssassin::Plugin::Bayes
++loadplugin Mail::SpamAssassin::Plugin::BodyEval
++loadplugin Mail::SpamAssassin::Plugin::DNSEval
++loadplugin Mail::SpamAssassin::Plugin::HTMLEval
++loadplugin Mail::SpamAssassin::Plugin::HeaderEval
++loadplugin Mail::SpamAssassin::Plugin::MIMEEval
++loadplugin Mail::SpamAssassin::Plugin::RelayEval
++loadplugin Mail::SpamAssassin::Plugin::URIEval
++loadplugin Mail::SpamAssassin::Plugin::WLBLEval
++
++# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
++#
++loadplugin Mail::SpamAssassin::Plugin::VBounce
++
++# Rule2XSBody - speedup by compilation of ruleset to native code
++#
++# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
++
++# ASN - Look up the Autonomous System Number of the connecting IP
++# and create a header containing ASN data for bayes tokenization.
++# See plugin's POD docs for usage info.
++#
++# loadplugin Mail::SpamAssassin::Plugin::ASN
++
++# ImageInfo - rules to match metadata of image attachments
++#
++loadplugin Mail::SpamAssassin::Plugin::ImageInfo
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v330.pre Mail-SpamAssassin-3.3.0/rules/v330.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v330.pre	1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v330.pre	2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,23 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.3.0,
++# and contains plugin loading commands for the new plugins added in that
++# release.  It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read.  Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read.  As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# PhishTag - allows sites to rewrite suspect phish-mail URLs
++# (Note: this requires configuration, see http://umut.topkara.org/PhishTag)
++#
++#loadplugin Mail::SpamAssassin::Plugin::PhishTag
++

Mail-SpamAssassin-3.3.0-perl-bug-taint.patch

@@ -0,0 +1,163 @@
+Index: lib/Mail/SpamAssassin/PerMsgStatus.pm
+===================================================================
+--- lib/Mail/SpamAssassin/PerMsgStatus.pm	(revision 791769)
++++ lib/Mail/SpamAssassin/PerMsgStatus.pm	(working copy)
+@@ -2200,11 +2200,13 @@
+   # default ruletype, if not specified:
+   $params{ruletype} ||= 'unknown';
+ 
++  my $rule_descr = $self->{conf}->get_description_for_rule($rule);
++  $rule_descr = $rule  if !defined $rule_descr || $rule_descr eq '';
+   $self->_handle_hit($rule,
+             $score,
+             $area,
+             $params{ruletype},
+-            $self->{conf}->get_description_for_rule($rule) || $rule);
++            $rule_descr);
+ 
+   # take care of duplicate rules, too (bug 5206)
+   my $dups = $self->{conf}->{duplicate_rules}->{$rule};
+Index: lib/Mail/SpamAssassin/Conf.pm
+===================================================================
+--- lib/Mail/SpamAssassin/Conf.pm	(revision 791769)
++++ lib/Mail/SpamAssassin/Conf.pm	(working copy)
+@@ -3571,7 +3571,11 @@
+ 
+ sub get_description_for_rule {
+   my ($self, $rule) = @_;
+-  return $self->{descriptions}->{$rule};
++  # as silly as it looks, localized $1 here prevents an outer $1 from getting
++  # tainted by the expression or assignment in the next line, bug 6148
++  local($1);
++  my $rule_descr = $self->{descriptions}->{$rule};
++  return $rule_descr;
+ }
+ 
+ ###########################################################################
+Index: sa-update.raw
+===================================================================
+--- sa-update.raw	(revision 791769)
++++ sa-update.raw	(working copy)
+@@ -47,6 +47,7 @@
+ use Config;
+ use strict;
+ use warnings;
++use re 'taint';
+ 
+ BEGIN {                          # see comments in "spamassassin.raw" for doco
+   my @bin = File::Spec->splitpath($0);
+@@ -221,10 +222,7 @@
+ # we're not a setuid script, we trust them
+ foreach my $optkey (keys %opt) {
+   next if ref $opt{$optkey};
+-  my $untaint = $opt{$optkey};
+-  next unless defined $untaint;
+-  $untaint =~ /^(.*)$/;
+-  $opt{$optkey} = $1;
++  Mail::SpamAssassin::Util::untaint_var(\$opt{$optkey});
+ }
+ 
+ ##############################################################################
+@@ -344,9 +342,9 @@
+ 
+ # untaint the channel listing
+ for(my $ind = 0; $ind < @channels; $ind++) {
+-  local ($1); # bug 5061: prevent random taint flagging of $1
++  local($1); # bug 5061: prevent random taint flagging of $1
+   if ($channels[$ind] =~ /^([a-zA-Z0-9._-]+)$/) {
+-    $channels[$ind] = $1;
++    Mail::SpamAssassin::Util::untaint_var(\$channels[$ind]);
+   }
+   else {
+     dbg("channel: skipping invalid channel: $channels[$ind]");
+@@ -416,6 +414,7 @@
+   my $currentV = -1;
+   if (open(CF, $CFFile)) {
+     while(<CF>) {
++      local($1,$2);
+       last unless /^# UPDATE\s+([A-Za-z]+)\s+(\S+)/;
+       my($type, $value) = (lc $1,$2);
+ 
+@@ -435,6 +434,7 @@
+     my $DNSQ = "$RevSAVersion.$channel";
+ 
+     my $dnsV = join(' ', do_txt_query($DNSQ));
++    local($1);
+     if (defined $dnsV && $dnsV =~ /^(\d+)/) {
+       $newV = $1 if (!defined $newV || $1 > $newV);
+       dbg("dns: $DNSQ => $dnsV, parsed as $1");
+@@ -464,6 +464,7 @@
+   } else {  # $instfile
+     # the /.*/ ensures we use the 3-digit string nearest to the end of string, otherwise
+     # we might pick up something from the middle of the directory path
++    local($1);
+     if ($instfile !~ /(?:.*\D|^)(\d{3,})/) {        
+       # this is a requirement
+       die "channel: $channel: --install file $instfile does not contain a 3-digit version number!\n";
+@@ -632,8 +633,10 @@
+   # Validate the SHA1 signature before going forward with more complicated
+   # operations.
+   # The SHA1 file may be "signature filename" ala sha1sum, just use the signature
+-  $SHA1 =~ /^([a-fA-F0-9]{40})/;
+-  $SHA1 = $1 || 'INVALID';
++  { local($1);
++    $SHA1 =~ /^([a-fA-F0-9]{40})/;
++    $SHA1 = $1 || 'INVALID';
++  }
+   my $digest = sha1_hex($content);
+   dbg("sha1: verification wanted: $SHA1");
+   dbg("sha1: verification result: $digest");
+@@ -690,6 +693,7 @@
+         warn $GNUPG."\n";        # report bad news
+       }
+ 
++      local($1);
+       if ($GNUPG =~ /^\Q[GNUPG:]\E NO_PUBKEY \S+(\S{8})$/) {
+         $missingkeys .= $1." ";
+       }
+@@ -887,9 +891,7 @@
+         my @files = ();
+         while(my $file = readdir(DIR)) {
+ 	  next if $file eq '.' || $file eq '..';
+-	  local ($1);	# avoid random taint flagging of $1
+-          $file =~ /^(.+)$/;       # untaint
+-          $file = $1;
++          Mail::SpamAssassin::Util::untaint_var(\$file);
+           my $path = File::Spec->catfile($UPDDir, $file);
+           next unless (-f $path);   # shouldn't ever happen
+           push(@files, $file);
+@@ -1039,6 +1041,7 @@
+   foreach my $file (@files) {
+     next if ($file =~ /^\/$/);  # ignore dirs
+ 
++    local($1);
+     $file =~ /^([-\.\,\/a-zA-Z0-9_]+)$/;
+     my $outfname = $1;
+     $outfname =~ s/\.\.\//__\//gs;      # avoid "../" dir traversal attacks
+@@ -1050,6 +1053,7 @@
+ 
+       if ($outfname =~ /\.(?:pre|cf)$/) {
+         # replace macros in the update files if it's a .pre or .cf
++        local($1);
+         $content =~ s/\@\@([^\@]+)\@\@/$MACRO_VALUES{$1} || "\@\@$1\@\@"/ge;
+ 
+         # also, if --allowplugins is not specified, comment out
+@@ -1089,6 +1093,7 @@
+   if ($RR) {
+     foreach my $rr ($RR->answer) {
+       my $text = $rr->rdatastr;
++      local($1);
+       $text =~ /^"(.*)"$/;
+       push @result, $1;
+     }
+@@ -1311,9 +1316,7 @@
+   }
+   while(my $file = readdir(DIR)) {
+     next if $file eq '.' || $file eq '..';
+-    local ($1); # bug 5216: prevent random taint flagging of $1
+-    $file =~ /^(.+)$/;       # untaint
+-    $file = $1;
++    Mail::SpamAssassin::Util::untaint_var(\$file);
+ 
+     my $path = File::Spec->catfile($dir, $file);
+     next unless (-f $path);

sources

@@ -1 +1 @@
-695f9107b240383e48df8938f2de334e  Mail-SpamAssassin-3.2.5.tar.bz2
+04141392e1f20ea4a91bb63937351c65  Mail-SpamAssassin-3.3.0-alpha1.tar.bz2

spamassassin.spec

@@ -40,12 +40,13 @@
 
 Summary: Spam filter for email which can be invoked from mail delivery agents
 Name: spamassassin
-Version: 3.2.5
+Version: 3.3.0
-Release: 5%{?dist}
+%define prename alpha1
+Release: 0.1.alpha1%{?dist}
 License: ASL 2.0
 Group: Applications/Internet
 URL: http://spamassassin.apache.org/
-Source0: http://www.apache.org/dist/%{name}/%{real_name}-%{version}.tar.bz2
+Source0: http://www.apache.org/dist/%{name}/%{real_name}-%{version}-%{prename}.tar.bz2
 Source2: redhat_local.cf
 Source3: spamassassin-default.rc
 Source4: spamassassin-spamc.rc
@@ -57,7 +58,8 @@ Source10: spamassassin-helper.sh
 # Patches 0-99 are RH specific
 # none yet
 # Patches 100+ are SVN backports (DO NOT REUSE!)
-#Patch100: Mail-SpamAssassin-3.2.2-bug5574-setuid.patch
+Patch100: Mail-SpamAssassin-3.3.0-missing-pre.patch
+Patch101: Mail-SpamAssassin-3.3.0-perl-bug-taint.patch
 # end of patches
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Buildroot: %{_tmppath}/%{name}-root
@@ -68,6 +70,7 @@ BuildRequires: perl >= 2:5.8.0
 BuildRequires: perl(Net::DNS)
 BuildRequires: perl(Time::HiRes)
 BuildRequires: perl(HTML::Parser)
+BuildRequires: perl(NetAddr::IP)
 BuildRequires: openssl-devel
 
 Requires: perl(HTTP::Date)
@@ -119,7 +122,8 @@ To filter spam for all users, add that line to /etc/procmailrc
 # Patches 0-99 are RH specific
 # none yet
 # Patches 100+ are SVN backports (DO NOT REUSE!)
-#%patch100 -p0
+%patch100 -p1
+%patch101 -p0
 # end of patches
 
 %build
@@ -222,6 +226,14 @@ fi
 exit 0
 
 %changelog
+* Mon Jul 06 2009 Warren Togami <wtogami@redhat.com> - 3.3.0-0.1.alpha1
+- 3.3.0-alpha1
+- WARNING: spamassassin-3.3.0+ no longer ships with rules.
+  You must run sa-update to download rules before you use spamassassin.
+  Failure to download rules means spamassassin always returns unfiltered.
+  Should we ship a set of rules with spamassassin?  Please discuss on 
+  fedora-devel-list.
+
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2.5-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild