SpamAssassin: Execution of arbitrary code — GLSA 200606-09

SpamAssassin, when running with certain options, could allow local or even remote attackers to execute arbitrary commands, possibly as the root user.

Affected packages

mail-filter/spamassassin on all architectures
Affected versions < 3.1.3
Unaffected versions >= 3.1.3

Background

SpamAssassin is an extensible email filter used to identify junk email. spamd is the daemonized version of SpamAssassin.

Description

When spamd is run with both the "--vpopmail" (-v) and "--paranoid" (-P) options, it is vulnerable to an unspecified issue.

Impact

With certain configuration options, a local or even remote attacker could execute arbitrary code with the rights of the user running spamd, which is root by default, by sending a crafted message to the spamd daemon. Furthermore, the attack can be performed remotely if the "--allowed-ips" (-A) option is present and specifies non-local addresses. Note that Gentoo Linux is not vulnerable in the default configuration.

Workaround

Don't use both the "--paranoid" (-P) and the "--vpopmail" (-v) options.
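To verify that a given spamd invocation does not combine the two options named in the workaround, and whether the "--allowed-ips" condition from the Impact section would make the daemon reachable remotely, here is an added POSIX sh audit helper. It is not part of the advisory or of SpamAssassin; the SPAMD_OPTS / /etc/conf.d/spamd reference in the usage note is an assumption about Gentoo's service configuration.

```sh
#!/bin/sh
# Added audit helper (not from the GLSA or SpamAssassin): checks a spamd option
# list for the --vpopmail/--paranoid combination and a non-local --allowed-ips.
# Bundled short flags ("-vP") are handled; attached values ("-A10.0.0.1") are not.

# spamd_has_opt LONG LETTER ARGS...: 0 if the option appears in ARGS.
spamd_has_opt() {
    _long=$1; _short=$2; shift 2
    for _arg in "$@"; do
        case "$_arg" in
            "$_long"|"$_long"=*) return 0 ;;                          # --paranoid
            --*) ;;                                                   # other long option
            -*) case "${_arg#-}" in *"$_short"*) return 0 ;; esac ;;  # -P, -vP
        esac
    done
    return 1
}

# 0 when both -v/--vpopmail and -P/--paranoid are set: the vulnerable combination.
spamd_vuln_combo() {
    spamd_has_opt --vpopmail v "$@" && spamd_has_opt --paranoid P "$@"
}

# Print the value of -A/--allowed-ips; 1 if the option is absent.
spamd_allowed_ips() {
    _prev=""
    for _arg in "$@"; do
        case "$_arg" in --allowed-ips=*) printf '%s\n' "${_arg#*=}"; return 0 ;; esac
        case "$_prev" in -A|--allowed-ips) printf '%s\n' "$_arg"; return 0 ;; esac
        _prev=$_arg
    done
    return 1
}

# 0 when -A admits a non-loopback address (the advisory's remote condition); subshell keeps IFS local.
spamd_remote_exposed() (
    _list=$(spamd_allowed_ips "$@") || exit 1
    IFS=','
    for _ip in $_list; do
        case "$_ip" in 127.*|::1) ;; *) exit 0 ;; esac
    done
    exit 1
)

# Verdict for an option list: returns 2 (remote), 1 (local only) or 0 (unaffected).
spamd_audit() {
    spamd_vuln_combo "$@" || { echo "OK: -v and -P not used together"; return 0; }
    spamd_remote_exposed "$@" || { echo "VULNERABLE (local): -v and -P set"; return 1; }
    echo "VULNERABLE (remote): -v and -P set, -A admits non-local clients"; return 2
}
```

On a Gentoo host the live option list is assumed to sit in SPAMD_OPTS in /etc/conf.d/spamd, so `. /etc/conf.d/spamd && eval "spamd_audit $SPAMD_OPTS"` runs the check against the configured service.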

Resolution

All SpamAssassin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.3"

References

Release date
June 11, 2006

Latest revision
June 11, 2006: 01

Severity
high

Exploitable
remote

Bugzilla entries