[packages/spamassassin] - up to 3.4.6; fixes CVE-2020-1946 (in 3.4.5)

arekm arekm at pld-linux.org
Wed May 26 13:24:16 CEST 2021


commit 24ca2c6fe75a771b7da96b2daa50e816a3ed39d1
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Wed May 26 13:23:49 2021 +0200

    - up to 3.4.6; fixes CVE-2020-1946 (in 3.4.5)

 bug_771408_perl_version | 11 ++++++-----
 spamassassin.spec       |  5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)
---
diff --git a/spamassassin.spec b/spamassassin.spec
index a10c0d6..86dbef6 100644
--- a/spamassassin.spec
+++ b/spamassassin.spec
@@ -11,12 +11,12 @@
 Summary:	A spam filter for email which can be invoked from mail delivery agents
 Summary(pl.UTF-8):	Filtr antyspamowy, przeznaczony dla programów dostarczających pocztę (MDA)
 Name:		spamassassin
-Version:	3.4.4
+Version:	3.4.6
 Release:	1
 License:	Apache v2.0
 Group:		Applications/Mail
 Source0:	http://ftp.ps.pl/pub/apache//spamassassin/source/%{pdir}-%{pnam}-%{version}.tar.bz2
-# Source0-md5:	ce51fe5665d5838c56db6712846b58bb
+# Source0-md5:	0ef3f64ffcdf6f1e96068e19a16ce1be
 Source1:	%{name}.sysconfig
 Source2:	%{name}-spamd.init
 Source3:	%{name}-default.rc
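Review bot: The only integrity check on the new tarball is the `# Source0-md5:` comment, and `Source0` is fetched over plain `http://` from a mirror, so the source for a release that carries a CVE fix is protected by MD5 alone. Consider an HTTPS source URL and, if the build tooling allows it, verifying the upstream signature or a SHA-2 digest of the tarball. The URL also contains a doubled slash in `apache//spamassassin`, which is worth cleaning up in the same pass.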
@@ -355,6 +355,7 @@ fi
 
 # It's needed for help of spamassassin command.
 %{perl_vendorlib}/spamassassin-run.pod
+%{_mandir}/man1/sa-check_spamd.1*
 %{_mandir}/man1/sa-learn.1*
 %{_mandir}/man1/spamassassin.1*
 %{_mandir}/man1/spamassassin-run.1*
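Review bot: The new `%{_mandir}/man1/sa-check_spamd.1*` entry covers only the man page, and nothing in the visible context shows the `sa-check_spamd` script itself being listed in `%files`. Confirm the script is packaged, or already matched by an existing entry, so the man page does not ship without its command.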
diff --git a/bug_771408_perl_version b/bug_771408_perl_version
index f51e0bf..e22b385 100644
--- a/bug_771408_perl_version
+++ b/bug_771408_perl_version
@@ -1,9 +1,10 @@
 upstream fix for bug #771408
 Index: spamassassin-3.4.1/lib/Mail/SpamAssassin/Conf/Parser.pm
 ===================================================================
---- spamassassin-3.4.1.orig/lib/Mail/SpamAssassin/Conf/Parser.pm
-+++ spamassassin-3.4.1/lib/Mail/SpamAssassin/Conf/Parser.pm
-@@ -536,6 +536,9 @@ sub handle_conditional {
+diff -urNp -x '*.orig' Mail-SpamAssassin-3.4.4.org/lib/Mail/SpamAssassin/Conf/Parser.pm Mail-SpamAssassin-3.4.4/lib/Mail/SpamAssassin/Conf/Parser.pm
+--- Mail-SpamAssassin-3.4.4.org/lib/Mail/SpamAssassin/Conf/Parser.pm	2020-01-25 03:50:49.000000000 +0100
++++ Mail-SpamAssassin-3.4.4/lib/Mail/SpamAssassin/Conf/Parser.pm	2021-03-10 14:52:59.391415202 +0100
+@@ -537,6 +537,9 @@ sub handle_conditional {
      elsif ($token eq 'perl_version') {
        $eval .= $]." ";
      }
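Review bot: The regenerated patch header now refers to three different versions: the retained `Index: spamassassin-3.4.1/...` line, the new `Mail-SpamAssassin-3.4.4` paths in the `diff -urNp` and `---`/`+++` lines, and the 3.4.6 bump made to the spec in this same commit. Drop the stale `Index:` line and rediff against the 3.4.6 tree so that the header and the `@@ -537,6 +537,9 @@` offsets describe the source actually being built and the patch applies without fuzz.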
@@ -11,5 +12,5 @@ Index: spamassassin-3.4.1/lib/Mail/SpamAssassin/Conf/Parser.pm
 +      $eval .= $]." ";
 +    }
      elsif ($token =~ /^\w[\w\:]+$/) { # class name
-       my $u = untaint_var($token);
-       $eval .= '"' . $u . '" ';
+       # Strictly controlled form:
+       if ($token =~ /^(?:\w+::){0,10}\w+$/) {
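Review bot: The patch description is still only `upstream fix for bug #771408`, and the added lines visible here (`$eval .= $]." ";` and the closing brace) repeat the body of the existing `perl_version` branch shown as context in the previous hunk, so a reader cannot tell which token the new branch handles or which tracker the bug number belongs to. Add a short header comment naming the tracker and the token, so the next rebase can judge whether the patch is still needed once the surrounding context changes again, as it did here from `untaint_var($token)` to the `# Strictly controlled form:` check.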
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/spamassassin.git/commitdiff/24ca2c6fe75a771b7da96b2daa50e816a3ed39d1


