File _patchinfo of Package patchinfo

<patchinfo incident="28">
  <packager>lmuelle</packager>
  <issue tracker="cve" id="CVE-2010-2494">Multiple buffer underflows in the base64 decoder in base64.c in (1) bogofilter and (2) bogolexer in bogofilter before 1.2.2 allow remote attackers to cause a denial of service (heap memory corruption and application crash) via an e-mail message with inval</issue>
  <issue tracker="bnc" id="792939">VUL-0: CVE-2012-5468: bogofilter: heap corruption in base64 decoder</issue>
  <category>security</category>
  <rating>important</rating>
  <summary>update for bogofilter</summary>
  <description>- Update to version 1.2.3.
  * Update configure.ac to avoid autoconf 2.68 warnings, by
    (a) quoting the first AC_RUN_IFELSE argument, an
        AC_LANG_PROGRAM(), with [ ], and
    (b) providing an explicit "true" assumption for Berkeley DB
        capabilities to avoid cross-compilation warnings.
  * Security bugfix (bnc#792939):
    Fix a heap corruption in base64 decoder on invalid input.
    http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
  * Added bogofilter-faq-bg.html, a Bulgarian translation of the FAQ.
  * Mark "Berkeley DB 5.1.19: (August 27, 2010)" supported.
- Update to version 1.2.2.
  * Use a better PRNG for random sleeps. That is arc4random() where
    available, and drand48() elsewhere.
  * Assorted fixes for issues found with clang analyzer:
    + Fix a potential NULL dereference
    + Fix a potential division by zero
    + Remove dead assignments and increments
  * Update Doxyfile and source contrib/bogogrep.c for docs, too.
  * Security bugfix, CVE-2010-2494:
    Fix a heap corruption in base64 decoder on invalid input.
    Analysis and patch by Julius Plenz &lt;plenz@cis.fu-berlin.de&gt;.
    Please see doc/bogofilter-SA-2010-01 for details.
  * Updated sendmail milter contrib/bogofilter-milter.pl to v1.??????
  * Bump supported/minimum SQLite3 versions and warning threshold.
    See doc/README.sqlite for details.
  * Mark BerkeleyDB 4.8.26 and 5.0.21 supported.
  * Make t.maint more robust; ignore .ENCODING token. To fix test
    failures on, for instance, FreeBSD with unicode enabled.
  * Fix several compiler warnings "array subscript has type 'char'", by
    casting the arguments to unsigned char.
  * Split error messages for ENOENT and EINVAL into new function.
  * Avoid division by zero in robx computation by checking if there is at
    least one ham message and one spam message registered.
  * contrib/spamitarium.pl updated to version 0.4.0
  * Updated and integrated Ted Phelps's "Patch to prevent .ENCODING from
    being discarded by bogoutil -m" (SourceForge Patch #1743984).
- remove call to suse_update_config (very old work around)
- Remove redundant tags/sections from specfile
- Use %_smp_mflags for parallel build</description>
</patchinfo>