dovecot-antispam 2.0+20130912-2 source package in Ubuntu

Changelog

dovecot-antispam (2.0+20130912-2) unstable; urgency=medium


  * Use the correct argc for pipe.ham_args

    This fixes a typo bug, where if the number of arguments set for
    antispam_pipe_program_spam_arg is not the same as what was set
    for antispam_pipe_program_notspam_arg, then we'll either scribble
    past the end of the allocated argv array, or populate it with
    pointers to whatever followed the real ham_args.

    Thanks to Peter Colberg who reported this, including a correct
    patch to fix it, to the security team.  The security implications
    of this seem somewhat limited, since you need to edit a config
    file as root to create the bad situation, and there is no path
    for remote injection of crafted data (whether it overflows or
    underflows) if you do, the argv array will just get some 'random'
    extra pointers to existing internal data.

    However it does pose a potential problem for a legitimate user
    who does legitimately need or want to pass a different number of
    arguments for the spam and ham cases, since that could crash
    dovecot, or confuse the hell out of their pipe program when it
    gets some random extra arguments.  It's probably gone unnoticed
    for this long because most uses will pass the same number of
    arguments for both of them, but that's not a necessary condition
    in the general case.

 -- Ron Lee <email address hidden>  Sun, 22 Feb 2015 09:27:51 +1030
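
The argument-count mix-up described in the changelog entry above, as an added C example that is not taken from the dovecot-antispam source: each argument list carries its own count, so the ham argv is sized and filled from the ham count even when the spam list is longer. All struct, function and program names and the sample arguments are hypothetical.

```c
/* Added illustration; every name here is hypothetical, not the plugin's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Each list travels with its own count, so ham arguments cannot be
 * paired with the spam count (the mix-up the changelog describes). */
struct arg_list {
    const char **args;
    size_t argc;
};

struct pipe_config {
    const char *program;
    struct arg_list spam;
    struct arg_list ham;
};

/* Build a NULL-terminated argv: program, the class arguments, NULL.
 * Allocation size and loop bound both come from the list being copied. */
static const char **build_argv(const struct pipe_config *cfg, int is_spam,
                               size_t *out_len)
{
    const struct arg_list *list = is_spam ? &cfg->spam : &cfg->ham;
    const char **argv = calloc(list->argc + 2, sizeof(*argv));
    if (argv == NULL)
        return NULL;
    argv[0] = cfg->program;
    for (size_t i = 0; i < list->argc; i++)
        argv[i + 1] = list->args[i];
    *out_len = list->argc + 1;  /* entries before the terminating NULL */
    return argv;
}

/* Constructed sample configuration: three spam arguments, one ham argument. */
static const char *spam_args[] = { "--class", "spam", "--train" };
static const char *ham_args[] = { "--ham" };
static const struct pipe_config sample = {
    "/usr/local/bin/train-filter", { spam_args, 3 }, { ham_args, 1 },
};

int main(void)
{
    size_t n = 0;
    const char **argv = build_argv(&sample, 0, &n);  /* ham case */
    if (argv == NULL)
        return 1;
    for (size_t i = 0; i < n; i++)
        printf("argv[%zu] = %s\n", i, argv[i]);
    free(argv);
    return 0;
}
```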

Upload details

Uploaded by: Ron Lee
Uploaded to: Sid
Original maintainer: Ron Lee
Architectures: any
Section: mail
Urgency: Medium Urgency


Downloads

File Size SHA-256 Checksum
dovecot-antispam_2.0+20130912-2.dsc 1.9 KiB df0dae7b194b14f7bab0ae5ae9fd2edea590c22a6b93bef886c3d8f73bdc4d88
dovecot-antispam_2.0+20130912.orig.tar.gz 29.9 KiB 8e1d24ab1018abe9681da19da1509f0afbcdbe65f5f4ec98d65dbcc2e62df7b2
dovecot-antispam_2.0+20130912-2.diff.gz 3.8 KiB 6e93dfcdce0439ac38c539932c4845998381273e6ed22daaeaeb5bf7cd0bcfbf

Available diffs

No changes file available.
