Pardus: 2010-99: Bogofilter: Heap Corruption

Posted by Benjamin D. Thomas

A vulnerability has been fixed in bogofilter, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-99            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-08-02
  Severity: 3
      Type: Remote
------------------------------------------------------------------------

Summary
======
A vulnerability has been fixed in bogofilter, which can be exploited by
malicious people to cause a DoS (Denial  of  Service)  and  potentially
compromise a vulnerable system.


Description
==========
CVE-2010-2494:

Multiple buffer underflows in the base64 decoder  in  base64.c  in  (1)
bogofilter and (2) bogolexer in bogofilter before  1.2.2  allow  remote
attackers to cause a denial of  service  (heap  memory  corruption  and
application crash) via an e-mail message with invalid base64 data  that
begins with an = (equals) character.


Affected packages:

  Pardus 2009:
    bogofilter, all before 1.2.1-16-4


Resolution
=========
There are update(s) for bogofilter. You can  update  them  via  Package
Manager or with a single command from console:

    pisi up bogofilter

References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id690
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2494
  * https://bugzilla.redhat.com/show_bug.cgi?ida1551

------------------------------------------------------------------------