bogofilter Base64 Character Set Conversion Denial of Service

by Carol~ Moderator - 12/7/12 6:22 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

bogofilter Base64 Character Set Conversion Denial of Service Vulnerability

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Software: bogofilter 1.x

Description:
A vulnerability has been reported in bogofilter, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "convert()" function (src/iconvert.c) when converting the character set and can be exploited to cause a heap-based buffer overflow via specially crafted base64 string.

The vulnerability is reported in versions 1.2.2 and prior.

Solution:
Update to version 1.2.3 (r6973).

Provided and/or discovered by:
Julius Plenz

Original Advisory:
bogofilter-SA-2012-01:
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01

http://secunia.com/advisories/51334/