Version in base suite: 3.4.2-1+deb10u2
Base version: spamassassin_3.4.2-1+deb10u2
Target version: spamassassin_3.4.2-1+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/spamassassin/spamassassin_3.4.2-1+deb10u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/spamassassin/spamassassin_3.4.2-1+deb10u3.dsc
changelog | 7 +++++++
patches/CVE-2020-1946.patch | 31 +++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 39 insertions(+)
diff -Nru spamassassin-3.4.2/debian/changelog spamassassin-3.4.2/debian/changelog
--- spamassassin-3.4.2/debian/changelog 2020-01-30 16:50:54.000000000 +0000
+++ spamassassin-3.4.2/debian/changelog 2021-03-26 22:04:43.000000000 +0000
@@ -1,3 +1,10 @@
+spamassassin (3.4.2-1+deb10u3) buster-security; urgency=high
+
+ * Import upstream fix for CVE-2020-1946: arbitrary code execution via
+ malicious rule files. (Closes: #985962)
+
+ -- Noah Meyerhans Fri, 26 Mar 2021 15:04:43 -0700
+
 spamassassin (3.4.2-1+deb10u2) buster-security; urgency=medium
 
  * Security update to address
diff -Nru spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch
--- spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch 1970-01-01 00:00:00.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch 2021-03-26 22:04:43.000000000 +0000
@@ -0,0 +1,31 @@
+Description: Fix header rule parsing
+Origin: upstream, https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Conf/Parser.pm?r1=1864416&r2=1876381&pathrev=1876381
+Applied-Upstream: 3.4.5
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: spamassassin/lib/Mail/SpamAssassin/Conf/Parser.pm
+===================================================================
+--- spamassassin.orig/lib/Mail/SpamAssassin/Conf/Parser.pm
++++ spamassassin/lib/Mail/SpamAssassin/Conf/Parser.pm
+@@ -1238,9 +1238,9 @@ sub add_test {
+ # no re "strict"; # since perl 5.21.8: Ranges of ASCII printables...
+ if ($text =~ /^exists:(.*)/) {
+ my $hdr = $1;
+- # never evaled, so can be quite generous with the name
+ # check :addr etc header options
+- if ($hdr !~ /^[^:\s]+:?$/) {
++ # $hdr used in eval text, validate carefully
++ if ($hdr !~ /^[\w.-]+:?$/) {
+ $self->lint_warn("config: invalid head test $name header: $hdr");
+ return;
+ }
+@@ -1248,7 +1248,8 @@ sub add_test {
+ $conf->{test_opt_header}->{$name} = $hdr;
+ $conf->{test_opt_exists}->{$name} = 1;
+ } else {
+- if ($text !~ /^([^:\s]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) {
++ # $hdr used in eval text, validate carefully
++ if ($text !~ /^([\w.-]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) {
+ $self->lint_warn("config: invalid head test $name: $text");
+ return;
+ }
diff -Nru spamassassin-3.4.2/debian/patches/series spamassassin-3.4.2/debian/patches/series
--- spamassassin-3.4.2/debian/patches/series 2020-01-30 16:50:54.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/series 2021-03-26 22:04:43.000000000 +0000
@@ -10,3 +10,4 @@
 CVE-2020-1931
 spamd_tests_use_unprivileged_port.diff
 spamd_tests_use_rsa2048_self-signed_cert
+CVE-2020-1946.patch
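Review bot: The comment added in the second inner hunk, `# $hdr used in eval text, validate carefully`, sits above a check on `$text`, not `$hdr`; the header name is the first capture of that regex and its assignment to `$hdr` lies outside the hunk, so a reader of this branch cannot see what the tightened character class is protecting. Something like `# $1 (the header name) is later interpolated into eval text, validate carefully` would tie the comment to what the line actually constrains; the surrounding `add_test` starts and ends outside the hunk. Note that the third capture `(.+)`, the match pattern, is still accepted unrestricted by this regex, so the fix presumably relies on existing handling of that part elsewhere in `add_test`, which is not visible here. On the DEP-3 header, the changelog closes #985962, so `Bug-Debian: https://bugs.debian.org/985962` next to `Origin:` would record that link in the patch itself.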