Version in base suite: 3.4.2-1 Version in overlay suite: 3.4.2-1+deb10u1 Base version: spamassassin_3.4.2-1+deb10u1 Target version: spamassassin_3.4.2-1+deb10u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/spamassassin/spamassassin_3.4.2-1+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/spamassassin/spamassassin_3.4.2-1+deb10u2.dsc changelog | 9 + patches/CVE-2020-1930 | 41 ++++++++ patches/CVE-2020-1931 | 46 +++++++++ patches/series | 4 patches/spamd_tests_use_rsa2048_self-signed_cert | 107 +++++++++++++++++++++++ patches/spamd_tests_use_unprivileged_port.diff | 41 ++++++++ 6 files changed, 248 insertions(+)
diff -Nru spamassassin-3.4.2/debian/changelog spamassassin-3.4.2/debian/changelog
--- spamassassin-3.4.2/debian/changelog 2019-12-13 04:26:44.000000000 +0000
+++ spamassassin-3.4.2/debian/changelog 2020-01-30 16:50:54.000000000 +0000
@@ -1,3 +1,12 @@
+spamassassin (3.4.2-1+deb10u2) buster-security; urgency=medium
+
+ * Security update to address
+ - CVE-2020-1930. Arbitrary code execution via malicious rule files.
+ - CVE-2020-1931. Arbitrary code execution via malicious rule files.
+ (Closes: #950258)
+
+ -- Noah Meyerhans Thu, 30 Jan 2020 08:50:54 -0800
+
 spamassassin (3.4.2-1+deb10u1) buster-security; urgency=high
 * Security update to address CVE-2018-11805. Malicious rule or configuration
diff -Nru spamassassin-3.4.2/debian/patches/CVE-2020-1930 spamassassin-3.4.2/debian/patches/CVE-2020-1930
--- spamassassin-3.4.2/debian/patches/CVE-2020-1930 1970-01-01 00:00:00.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/CVE-2020-1930 2020-01-30 16:50:54.000000000 +0000
@@ -0,0 +1,41 @@
+Index: spamassassin/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm
+===================================================================
+--- spamassassin.orig/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm
++++ spamassassin/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm
+@@ -89,17 +89,19 @@ sub do_one_line_body_tests {
+ loop_body => sub
+ {
+ my ($self, $pms, $conf, $rulename, $pat, %opts) = @_;
+- $pat = untaint_var($pat);
+- my $sub;
++ my $sub = '
++ my ($self, $line) = @_;
++ my $qrptr = $self->{main}->{conf}->{test_qrs};
++ ';
+
+ if (($conf->{tflags}->{$rulename}||'') =~ /\bmultiple\b/)
+ {
+ # avoid [perl #86784] bug (fixed in 5.13.x), access the arg through ref
+- $sub = '
+- my $lref = \$_[1];
++ $sub .= '
++ my $lref = \$line;
+ pos $$lref = 0;
+ '.$self->hash_line_for_rule($pms, $rulename).'
+- while ($$lref =~ '.$pat.'g) {
++ while ($$lref =~ /$qrptr->{q{'.$rulename.'}}/go) {
+ my $self = $_[0];
+ $self->got_hit(q{'.$rulename.'}, "BODY: ", ruletype => "one_line_body");
+ '. $self->hit_rule_plugin_code($pms, $rulename, "one_line_body",
+@@ -108,9 +110,9 @@ sub do_one_line_body_tests {
+ ';
+
+ } else {
+- $sub = '
++ $sub .= '
+ '.$self->hash_line_for_rule($pms, $rulename).'
+- if ($_[1] =~ '.$pat.') {
++ if ($line =~ /$qrptr->{q{'.$rulename.'}}/o) {
+ my $self = $_[0];
+ $self->got_hit(q{'.$rulename.'}, "BODY: ", ruletype => "one_line_body");
+ '. $self->hit_rule_plugin_code($pms, $rulename, "one_line_body", "return 1") . '
diff -Nru spamassassin-3.4.2/debian/patches/CVE-2020-1931 spamassassin-3.4.2/debian/patches/CVE-2020-1931
--- spamassassin-3.4.2/debian/patches/CVE-2020-1931 1970-01-01 00:00:00.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/CVE-2020-1931 2020-01-30 16:50:54.000000000 +0000
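Review bot: The generated code still interpolates `$rulename` unquoted into the string that is later eval'ed (`q{'.$rulename.'}` on both the `while` and the `if` lines), so this fix is only complete if every rulename reaching loop_body has already been checked against the rulename syntax; that validation is not visible in this hunk and deserves a comment at the top of the closure such as `# $rulename is interpolated into eval'ed code: it must already match RULENAME_RE`. `$pat` is still unpacked from `@_` but no longer referenced on the new side, so it is now a dead parameter worth a one-line comment rather than silent baggage. The pattern is now fetched at runtime from `$self->{main}->{conf}->{test_qrs}`; I assume Conf.pm populates that hash for every one_line_body rule (not shown here) — confirm, because an undefined entry interpolates to the empty pattern, which in Perl means "reuse the last successful match" rather than "match nothing". The enclosing `do_one_line_body_tests` starts and ends outside this hunk.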
@@ -0,0 +1,46 @@
+Index: spamassassin/lib/Mail/SpamAssassin/Conf.pm
+===================================================================
+--- spamassassin.orig/lib/Mail/SpamAssassin/Conf.pm
++++ spamassassin/lib/Mail/SpamAssassin/Conf.pm
+@@ -3403,6 +3403,20 @@ internally, and should not be used.
+ setting => 'priority',
+ is_priv => 1,
+ type => $CONF_TYPE_HASH_KEY_VALUE,
++ code => sub {
++ my ($self, $key, $value, $line) = @_;
++ my ($rulename, $priority) = split(/\s+/, $value, 2);
++ unless (defined $priority) {
++ return $MISSING_REQUIRED_VALUE;
++ }
++ unless ($rulename =~ IS_RULENAME) {
++ return $INVALID_VALUE;
++ }
++ unless ($priority =~ /^-?\d+$/) {
++ return $INVALID_VALUE;
++ }
++ $self->{priority}->{$rulename} = $priority;
++ }
+ });
+
+ =back
+Index: spamassassin/lib/Mail/SpamAssassin/Constants.pm
+===================================================================
+--- spamassassin.orig/lib/Mail/SpamAssassin/Constants.pm
++++ spamassassin/lib/Mail/SpamAssassin/Constants.pm
+@@ -43,7 +43,7 @@ BEGIN {
+ HARVEST_DNSBL_PRIORITY MBX_SEPARATOR
+ MAX_BODY_LINE_LENGTH MAX_HEADER_KEY_LENGTH MAX_HEADER_VALUE_LENGTH
+ MAX_HEADER_LENGTH ARITH_EXPRESSION_LEXER AI_TIME_UNKNOWN
+- CHARSETS_LIKELY_TO_FP_AS_CAPS MAX_URI_LENGTH RULENAME_RE
++ CHARSETS_LIKELY_TO_FP_AS_CAPS MAX_URI_LENGTH RULENAME_RE IS_RULENAME
+ );
+
+ %EXPORT_TAGS = (
+@@ -404,5 +404,7 @@ use constant CHARSETS_LIKELY_TO_FP_AS_CA
+
+ # Allowed rulename format
+ use constant RULENAME_RE => qr([_a-zA-Z][_a-zA-Z0-9]{0,127});
++# Exact match
++use constant IS_RULENAME => qr/^${\(RULENAME_RE)}$/;
+
+ 1;
diff -Nru spamassassin-3.4.2/debian/patches/series spamassassin-3.4.2/debian/patches/series
--- spamassassin-3.4.2/debian/patches/series 2019-12-13 04:26:44.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/series 2020-01-30 16:50:54.000000000 +0000
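Review bot: The new `priority` callback uses `IS_RULENAME` as a bareword, but the Constants.pm side of this patch only adds the name to `@EXPORT_OK`; unless Conf.pm's import line (outside the hunk) names it explicitly or pulls in a tag list that is updated elsewhere, `$rulename =~ IS_RULENAME` is a strict-subs compile error rather than a regex match, so that import is worth confirming before shipping. The integer check `unless ($priority =~ /^-?\d+$/)` lets a trailing newline through because `$` also matches before a final `\n`; `/^-?\d+\z/` is the exact-match form, and the same `$` caveat applies to the new `IS_RULENAME => qr/^${\(RULENAME_RE)}$/`. Because `split(/\s+/, $value, 2)` hands everything after the first whitespace to `$priority`, a line like `priority RULE 5 extra` is rejected by that regex, which is the desired outcome but deserves a comment such as `# priority takes the whole remainder: anything beyond one integer is rejected`. `$key` and `$line` are unpacked and never used.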
@@ -6,3 +6,7 @@
 bug_766718-net-dns-vers
 CVE-2018-11805
 CVE-2019-12420
+CVE-2020-1930
+CVE-2020-1931
+spamd_tests_use_unprivileged_port.diff
+spamd_tests_use_rsa2048_self-signed_cert
diff -Nru spamassassin-3.4.2/debian/patches/spamd_tests_use_rsa2048_self-signed_cert spamassassin-3.4.2/debian/patches/spamd_tests_use_rsa2048_self-signed_cert
--- spamassassin-3.4.2/debian/patches/spamd_tests_use_rsa2048_self-signed_cert 1970-01-01 00:00:00.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/spamd_tests_use_rsa2048_self-signed_cert 2020-01-30 16:50:54.000000000 +0000
@@ -0,0 +1,107 @@ +Description: update the self-signed x509 cert used for tests + The spamassassin sources embed a self-signed x509 certificate used by the test + suite to validate connectivity with spamc. Versions of openssl on Debian won't + load 1024 bits by default, so we replace the original certificate with a 2048 + bit one, maintaining the rest of the DN parameters unchanged. +Author: Noah Meyerhans +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: spamassassin/t/data/etc/testhost.cert +=================================================================== +--- spamassassin.orig/t/data/etc/testhost.cert ++++ spamassassin/t/data/etc/testhost.cert +@@ -1,23 +1,25 @@ + -----BEGIN CERTIFICATE----- +-MIIDyjCCAzOgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCU0Ex +-CzAJBgNVBAgTAlNBMRowGAYDVQQHExFTcGFtQXNzYXNzaW4gQ2l0eTEVMBMGA1UE +-ChMMU3BhbUFzc2Fzc2luMRkwFwYDVQQLExBGT1IgVEVTVElORyBPTkxZMRIwEAYD +-VQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGHNwYW1hc3Nhc3NpbkBleGFt +-cGxlLmNvbTAeFw0wNDA3MDkyMTE4NDdaFw0yNDA3MTQyMTE4NDdaMIGlMQswCQYD +-VQQGEwJTQTELMAkGA1UECBMCU0ExGjAYBgNVBAcTEVNwYW1Bc3Nhc3NpbiBDaXR5 +-MRUwEwYDVQQKEwxTcGFtQXNzYXNzaW4xGTAXBgNVBAsTEEZPUiBURVNUSU5HIE9O +-TFkxEjAQBgNVBAMTCWxvY2FsaG9zdDEnMCUGCSqGSIb3DQEJARYYc3BhbWFzc2Fz +-c2luQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1l6To +-Fxkyc2glblqZYFq/BWFSMKh9LsouTVowuxC7yQkEENBjeQ4paHUFsi49s0RnabsA +-D1c56O8BBT0C89CMiCubRbv/KyHMDut5Nt0brWKS+VRWHgN9T5eYOy3wKPwbc7bm +-sPdgt5bOCS78F0luL5T6DPcf5mgE7XAv8qp+mwIDAQABo4IBBjCCAQIwHQYDVR0O +-BBYEFGJWfa4QHDeC9Wn3UNLIaf7prjmUMIHSBgNVHSMEgcowgceAFGJWfa4QHDeC +-9Wn3UNLIaf7prjmUoYGrpIGoMIGlMQswCQYDVQQGEwJTQTELMAkGA1UECBMCU0Ex +-GjAYBgNVBAcTEVNwYW1Bc3Nhc3NpbiBDaXR5MRUwEwYDVQQKEwxTcGFtQXNzYXNz +-aW4xGTAXBgNVBAsTEEZPUiBURVNUSU5HIE9OTFkxEjAQBgNVBAMTCWxvY2FsaG9z +-dDEnMCUGCSqGSIb3DQEJARYYc3BhbWFzc2Fzc2luQGV4YW1wbGUuY29tggEAMAwG +-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAsKbOfgXZlBm1rQlM6W2Nxf5g 
+-r3QA67liZjVxhIb9chvreCttoe3IkHRSM4axToeKo+x7IV6ceXnqMc5chnu2lUmH +-2z7m3IYRYmIOaXroXZcfqX/P4HMw9NOphpEZ4yNsvKSl2n3h3bJ3ErqxMgghlTGD +-KYC+xKTFTsPjOE53Jh8= ++MIIELTCCAxWgAwIBAgIUWe1Dsgh8qyoaLqOKjTU6D2kf7xMwDQYJKoZIhvcNAQEL ++BQAwgaUxCzAJBgNVBAYTAlNBMQswCQYDVQQIDAJTQTEaMBgGA1UEBwwRU3BhbUFz ++c2Fzc2luIENpdHkxFTATBgNVBAoMDFNwYW1Bc3Nhc3NpbjEZMBcGA1UECwwQRk9S ++IFRFU1RJTkcgT05MWTESMBAGA1UEAwwJbG9jYWxob3N0MScwJQYJKoZIhvcNAQkB ++FhhzcGFtYXNzYXNzaW5AZXhhbXBsZS5jb20wHhcNMjAwMTE2MjIzNTMzWhcNMjAw ++MjE1MjIzNTMzWjCBpTELMAkGA1UEBhMCU0ExCzAJBgNVBAgMAlNBMRowGAYDVQQH ++DBFTcGFtQXNzYXNzaW4gQ2l0eTEVMBMGA1UECgwMU3BhbUFzc2Fzc2luMRkwFwYD ++VQQLDBBGT1IgVEVTVElORyBPTkxZMRIwEAYDVQQDDAlsb2NhbGhvc3QxJzAlBgkq ++hkiG9w0BCQEWGHNwYW1hc3Nhc3NpbkBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN ++AQEBBQADggEPADCCAQoCggEBALo+Fswwcj8FSO660PI1iqCStF3g971Wx84ZXZMW ++SgBlKVWDp/K6IFeq1yZ4Peb6J+GZocLQL2g7GrvN0NAl6Ns02umYrXcv+1dJfcwx ++2f7G664DccKrtOo3SvtWjtKrHQgl6b9BC8U08rPHKLmcWYnLII9cofZacYRi+A6R ++ZYkwoEsrGEKIuNYqZxkQVmlq7kazRm1NL9F8dnpH0v/fqkCRYj9UnS0czqmZM4AB ++YJYcu8zIr3z0VssADVtDpl4CwQhGa26a+jHk8+7mH41JWqC0GtggxrRz+tpRKop6 ++IZEedM8F5BAINKXJziv4K2qpPmn7097GBDFSeY12yMOkkosCAwEAAaNTMFEwHQYD ++VR0OBBYEFBQgjISUo2fQIA5c/SWJogR6wTr/MB8GA1UdIwQYMBaAFBQgjISUo2fQ ++IA5c/SWJogR6wTr/MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB ++ALUD+7d/TYHUhd2wZxS5Th2q+WUfoYMf5q8gYv9cRUq5OWgZ9i1+dDzBHin5Qo/T ++GKOm4se1/XvU4FaFf2Wl9zzy2RYaNLCx3sV4L0a7F2N8MBnvsjCjKH4FCS0Ba9A3 ++1fCG7Ar5mRISTjD3fLm6z5gpkcv7FCok3qTY5qC7Cs0OVomIdGRAcSX3TJ+OpFOx ++0O79yU1WwuBXuXZ6IPATwYRIsLG8OLhr/X+Q7/eqxV0i2MHtqR+sly3Q7s5dWDKr ++/7xTBeDHQjmwV/g2Ww6Iqjg7j2JkbRbbxuH3y6IYnPyovtjo9+tAg4/x4/2KWuxP ++mgRrSw3DxQM5sSCaqPl8UUs= + -----END CERTIFICATE----- +Index: spamassassin/t/data/etc/testhost.key +=================================================================== +--- spamassassin.orig/t/data/etc/testhost.key ++++ spamassassin/t/data/etc/testhost.key +@@ -1,15 +1,28 @@ +------BEGIN RSA PRIVATE KEY----- 
+-MIICXQIBAAKBgQC1l6ToFxkyc2glblqZYFq/BWFSMKh9LsouTVowuxC7yQkEENBj +-eQ4paHUFsi49s0RnabsAD1c56O8BBT0C89CMiCubRbv/KyHMDut5Nt0brWKS+VRW +-HgN9T5eYOy3wKPwbc7bmsPdgt5bOCS78F0luL5T6DPcf5mgE7XAv8qp+mwIDAQAB +-AoGAXyirQvAvxQ9TCSJuGaezhhxkpnRXJtppGqBwXc75ct5jehzxht79+9cAU87O +-ioixlNuEIgDn/bHB5TAAi9aGduwz9hsv4NpNQ89/z7tmRKq43QFpf9hFHxZ3Q4e9 +-Hmey7ZsJ3/TpqFNfhH0IkLy6fA5+iClss3b2/6BbqqL8drkCQQDb9TSAJW56LnY2 +-aRtImgEyoeg2iEgV98SuDvNNUpTYvG0pkFolFlhb49w5KCmKqOtPA+etc/K2vRJf +-8zkfz/BnAkEA01kVZoojg/am0K184Qfotxr7+t8Rjxn4k4g6Eq7ryth/Uicffixx +-9E9sp2aadEW+Lt5pao+BsIwxxtLhphkPrQJBALQi1KQ+A4Q8mMNmwNlshp6Yyjwe +-0Cpth72ksM0aXJxDdIMdnTXSXvqiWbDVm2/bdxp28D21P4k4vtulrZrICPECQQDP +-RzhQ57wrSXWThgLK5KndIy7sfWhIM81yTBHAjyOcPraoSMx/P3HHjTnf+CYVUO1U +-JDe5FeO41dZfzCUYdM3FAkA8IXYe74FVG9VM9yzZYbZHaS17TCyztkqagIuUBfDe +-g0frip4VCEHvh+qDk678GZ1tMJ30utuTx6JgXJ5HeuFi +------END RSA PRIVATE KEY----- ++-----BEGIN PRIVATE KEY----- ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6PhbMMHI/BUju ++utDyNYqgkrRd4Pe9VsfOGV2TFkoAZSlVg6fyuiBXqtcmeD3m+ifhmaHC0C9oOxq7 ++zdDQJejbNNrpmK13L/tXSX3MMdn+xuuuA3HCq7TqN0r7Vo7Sqx0IJem/QQvFNPKz ++xyi5nFmJyyCPXKH2WnGEYvgOkWWJMKBLKxhCiLjWKmcZEFZpau5Gs0ZtTS/RfHZ6 ++R9L/36pAkWI/VJ0tHM6pmTOAAWCWHLvMyK989FbLAA1bQ6ZeAsEIRmtumvox5PPu ++5h+NSVqgtBrYIMa0c/raUSqKeiGRHnTPBeQQCDSlyc4r+CtqqT5p+9PexgQxUnmN ++dsjDpJKLAgMBAAECggEBALfMcKlAom8JYymemnh+WHoRbgk77KIh03vVUqDHHW74 ++Zutqy8Ni5mo+QqhHgCfD9rnQ6XAeDrsZoU94VbwlvYEfz287au22H6DL+WccR5wF ++ai/IXGuXEysWOFyE1tyXXEZfTCigI+KSV3cOdGWBJGg1W8O/0mMSbPcOyOlvmjnh ++YH5YSLLrrMeZ2R1cPzltYVV8E2rwmXBJSecOhE+Qhbh5Ua8aA4E+Xz8F0DPZB43l ++3+G3+QFofK/KXKZOhF6ghjTi2DEmo6Ig6QwR+37OhJ865fgkn69trcDJ7jp9bjL4 ++JX35G+MrcN8vuQF89B7qw1jj4Wxif+VbLfLW6boHhRECgYEA59ZSYwYRNilaMfMb ++f8HlyRsTzdmO1Bt/SXa7jFsvyFeWyMCAOr9kTXs7dBxmhEYsuPVYrlkiB7TqjtTC ++NGog+CoQTxx/XayeqVLjB+t6AkP1+xKPZA6Cd9OXIvOMjxdiUpQ4I310PIVGgxdM ++Ve6/kjm03gBpZzM9FgWmAyEcghMCgYEAzadADvtmz/HQGxdQWB0+j5DDb1nEzvnf ++OlXnMluJmSniWPXdGhKtIYcCH7kwzw6IHXEZwwgJlnpb6mG+7pf3eM4nLSGEvX4k 
++0h+/F+Xp2d+QkrpB1uf9xPmMH4jasGzUfHuGUgZcJMOqJkTw122QpTIpDTJflrIZ ++WYQxwoIY/KkCgYA8UzNa2vBNlJMInkaQhsag/q+3h523qXQEjKWejveu/MOadySm ++pLiXxLIis2UllBD9C7JIo57MPJIwGkJyWw87I87clwC5QjqCurOiku5Lep2d+CVh ++lrjyLxeLm63+acpGzJSS/4joWpGPeNd/IMGubd+XSKoklVuWyF97PvlpCwKBgHWh ++SsTHC+G5YN1+Eli0MYqQtRjF8gqpZgPKCvoE3cmb6XoU96joMdtRi+d1V/O3Tif4 ++/1FNEZ7e0iBYVIvIpKaW1FW+LFzvAESoH/edbItQkzM6ElrIS6EVVA7diqkLNucV ++CJl2RdJJkNNe75tpcijrbgu8Wmyp5lILiSLGo2AxAoGBANHzb1rb0P0DiLgSqfN6 ++kFrsPggWEvDvYqEc6kQngrr1db/xzZGh2C0X5tdHI/El4ADYoWD/o8O6gQRzKzZo ++89pCsTJXaniNIiyyWU5peu3tRZVljbuTsjnVFfx5wqM1SaM3kqrH7Mk0xPapKuWB ++cF5lfEFvQuC0lJhvjRAu1hxN ++-----END PRIVATE KEY----- diff -Nru spamassassin-3.4.2/debian/patches/spamd_tests_use_unprivileged_port.diff spamassassin-3.4.2/debian/patches/spamd_tests_use_unprivileged_port.diff --- spamassassin-3.4.2/debian/patches/spamd_tests_use_unprivileged_port.diff 1970-01-01 00:00:00.000000000 +0000 +++ spamassassin-3.4.2/debian/patches/spamd_tests_use_unprivileged_port.diff 2020-01-30 16:50:54.000000000 +0000 
@@ -0,0 +1,41 @@
+Description: Allow TLS tests to run as non-root user
+ The spamd TLS tests involve starting spamd and binding to a TCP port. Spamd's
+ default TCP port is 783, and this is not overridden in the test, so the test
+ must run as root in order for the bind() call to work. Since the specific port
+ isn't important for the test, we'll override it here to use a non-privileged
+ port.
+Author: Noah Meyerhans
+Bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7763
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/t/spamd_ssl.t b/t/spamd_ssl.t
+index 6a97d7c..2ca41d4 100755
+--- a/t/spamd_ssl.t
++++ b/t/spamd_ssl.t
+@@ -24,7 +24,7 @@ q{ This must be the very last line}, 'lastline',
+
+ );
+
+-ok (sdrun ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+- "--ssl < data/spam/001",
++ok (sdrun ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert --port 1783",
++ "--port 1783 --ssl < data/spam/001",
+ \&patterns_run_cb));
+ ok_all_patterns();
+diff --git a/t/spamd_ssl_accept_fail.t b/t/spamd_ssl_accept_fail.t
+index 9fc697e..3512bec 100755
+--- a/t/spamd_ssl_accept_fail.t
++++ b/t/spamd_ssl_accept_fail.t
+@@ -25,9 +25,9 @@ q{ This must be the very last line}, 'lastline',
+
+ );
+
+-ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
+-ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
+-ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
++ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert --port 1783"));
++ok (spamcrun ("--port 1783 < data/spam/001", \&patterns_run_cb));
++ok (spamcrun ("--port 1783 --ssl < data/spam/001", \&patterns_run_cb));
+ ok (stop_spamd ());
+
+ ok_all_patterns();
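Review bot: Both tests now hard-code port 1783 in the `sdrun`/`start_spamd` arguments and in every `spamcrun`, so they collide with each other under a parallel test run, with a spamd left over from an aborted run, or with anything else listening there on a build host, and the failure will present as a TLS problem rather than a bind error. If the harness in t/SATest.pm already allocates a free port (not visible here), prefer that; otherwise derive one per test, for example `my $port = 1783 + ($$ % 1000);` and interpolate `--port $port` in place of the literal on both sides. A one-line comment above the call, `# unprivileged port so the suite can run as non-root (SA bug 7763)`, would carry the DEP-3 rationale into the test itself. The tests' pattern tables and the rest of their setup lie outside this hunk.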