Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE-2012-5468: bogofilter-SA-2012-01
From: Matthias Andree <matthias.andree () gmx de>
Date: Tue, 04 Dec 2012 00:02:24 +0100

bogofilter-SA-2012-01

Topic:          heap corruption overrun in bogofilter/bogolexer

Announcement:   bogofilter-SA-2012-01
Writer:         Matthias Andree
Version:        1.0
CVE ID:         CVE-2012-5468
Announced:      2012-12-03
Category:       vulnerability
Type:           out of bounds write through invalid input
Impact:         heap corruption, application crash
Credits:        Julius Plenz (FU Berlin, Germany)
Danger:         medium
URL:            http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01

Affected:       bogofilter <= 1.2.2
                SVN checkouts before 2012-10-19 UTC (-r6972)

Not affected:   bogofilter 1.2.3 (r6973) and newer

1. Background
=============

Bogofilter is a software package for classifying a message as spam or
non-spam.  It uses a data base to store words and must be trained
which messages are spam and non-spam. It uses the probabilities of
individual words for classifying the message.

Note that the bogofilter project is issuing security announcements only
for current "stable" releases, and not necessarily for past "stable"
releases.

2. Problem description
======================

Julius Plenz figured out that bogofilter's/bogolexer's base64 could
overwrite heap memory in the character set conversion in certain
pathological cases of invalid base64 code that decodes to incomplete
multibyte characters.

3. Impact
=========

Vulnerable bogofilter/bogolexer applications can corrupt their heap and
crash.

4. Solution
===========

Upgrade your bogofilter to version 1.2.3 (or a newer release).

bogofilter is available from SourceForge:
<https://sourceforge.net/project/showfiles.php?group_id=62265>


A. Copyright, License and Warranty
==================================

(C) Copyright 2012 by Matthias Andree, <matthias.andree () gmx de>.
Some rights reserved.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of bogofilter-SA-2012-01

Attachment: signature.asc
Description: OpenPGP digital signature


  By Date           By Thread  

Current thread:
  • CVE-2012-5468: bogofilter-SA-2012-01 Matthias Andree (Dec 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]