Accepted dovecot-antispam 2.0+20130912-2 (source amd64) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Feb 2015 09:27:51 +1030
Source: dovecot-antispam
Binary: dovecot-antispam
Architecture: source amd64
Version: 2.0+20130912-2
Distribution: unstable
Urgency: medium
Maintainer: Ron Lee <ron@debian.org>
Changed-By: Ron Lee <ron@debian.org>
Description:
 dovecot-antispam - Dovecot plugins for training spam filters
Changes:
 dovecot-antispam (2.0+20130912-2) unstable; urgency=medium
 .
   * Use the correct argc for pipe.ham_args
 .
     This fixes a typo bug, where if the number of arguments set for
     antispam_pipe_program_spam_arg is not the same as what was set
     for antispam_pipe_program_notspam_arg, then we'll either scribble
     past the end of the allocated argv array, or populate it with
     pointers to whatever followed the real ham_args.
 .
     Thanks to Peter Colberg who reported this, including a correct
     patch to fix it, to the security team.  The security implications
     of this seem somewhat limited, since you need to edit a config
     file as root to create the bad situation, and there is no path
     for remote injection of crafted data (whether it overflows or
     underflows) if you do, the argv array will just get some 'random'
     extra pointers to existing internal data.
 .
     However it does pose a potential problem for a legitimate user
     who does legitimately need or want to pass a different number of
     arguments for the spam and ham cases, since that could crash
     dovecot, or confuse the hell out of their pipe program when it
     gets some random extra arguments.  It's probably gone unnoticed
     for this long because most uses will pass the same number of
     arguments for both of them, but that's not a necessary condition
     in the general case.
Checksums-Sha1:
 f3158989ea5b777b0174bc3c7cf235bf69f8b0cb 1968 dovecot-antispam_2.0+20130912-2.dsc
 776a45f61a6f4f191dcc8832924a8865cf5754e7 3848 dovecot-antispam_2.0+20130912-2.diff.gz
 dee152aa7270e6377a3edfcf7934ea582dd075c6 20884 dovecot-antispam_2.0+20130912-2_amd64.deb
Checksums-Sha256:
 df0dae7b194b14f7bab0ae5ae9fd2edea590c22a6b93bef886c3d8f73bdc4d88 1968 dovecot-antispam_2.0+20130912-2.dsc
 6e93dfcdce0439ac38c539932c4845998381273e6ed22daaeaeb5bf7cd0bcfbf 3848 dovecot-antispam_2.0+20130912-2.diff.gz
 b609453dbc935ee3c1ded6202559502031f856debc3ebe038f03fcba09d61c2e 20884 dovecot-antispam_2.0+20130912-2_amd64.deb
Files:
 a1904446c64034f3562a2c11659e9cde 1968 mail optional dovecot-antispam_2.0+20130912-2.dsc
 4eae885cfabb6689dcb5baa7f2d413cb 3848 mail optional dovecot-antispam_2.0+20130912-2.diff.gz
 031565fed995a4d796a14453f19d7d43 20884 mail optional dovecot-antispam_2.0+20130912-2_amd64.deb

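
The defect class described in the changelog above, as an added C illustration that is not the plugin's source or the reported patch: each argument list carries its own count, so the argv allocation and the copy loop cannot take their length from the other list. The struct names, `exec_argc`, `build_exec_argv` and the sample arguments are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout: every argument list travels with its own count. */
struct arg_list { char **args; size_t argc; };

struct pipe_cfg {
    const char *program;
    struct arg_list spam_args, ham_args;
};

/* Pattern of the kind the changelog describes (hypothetical, comment only):
 *     n = cfg->spam_args.argc;                 count taken from the wrong list
 *     for (k = 0; k < n; k++)
 *         argv[i++] = cfg->ham_args.args[k];   reads past ham_args, or
 *                                              writes past the end of argv
 */

/* Entries in the exec argv, excluding the NULL terminator. */
static size_t exec_argc(const struct arg_list *extra)
{
    return 1 + extra->argc + 1; /* program + extra args + mail file */
}

/* Build a NULL-terminated argv from ONE list, so the allocation size and
 * the copy loop can only use that list's own count. Caller frees it. */
static char **build_exec_argv(const struct pipe_cfg *cfg, int is_spam,
                              const char *mail_file)
{
    const struct arg_list *extra = is_spam ? &cfg->spam_args : &cfg->ham_args;
    size_t i = 0;
    char **argv = calloc(exec_argc(extra) + 1, sizeof(*argv));
    if (argv == NULL)
        return NULL;
    argv[i++] = (char *)cfg->program;
    for (size_t k = 0; k < extra->argc; k++)
        argv[i++] = extra->args[k];
    argv[i++] = (char *)mail_file;
    argv[i] = NULL;
    return argv;
}

int main(void)
{
    char *spam[] = { "--spam", "--user", "alice" }; /* constructed sample */
    char *ham[] = { "--ham" };                      /* constructed sample */
    struct pipe_cfg cfg = { "/usr/bin/trainer", { spam, 3 }, { ham, 1 } };
    char **argv = build_exec_argv(&cfg, 0, "/tmp/msg");
    for (size_t i = 0; argv && argv[i]; i++) puts(argv[i]);
    free(argv);
    return 0;
}
```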