ISS X-Force Database: spamassassin-message-recipients-dos(23048): SpamAssassin large number of message recipients can cause a denial of service

SpamAssassin large number of message recipients can cause a denial of service

spamassassin-message-recipients-dos (23048)

Medium Risk

Description:

SpamAssassin is vulnerable to a denial of service attack. A remote attacker could send an email message addressed to a very large number of recipients that would cause the /SpamAssassin/Message.pm header parsing process to consume all available stack space and cause the Perl process to crash.

Consequences:

Denial of Service

Remedy:

Update to the current version of SpamAssassin (version 3.1.0 or later) available from the SpamAssassin: Downloads Web page. See References.

For Red Hat Linux:
Refer to RHSA-2006:0129-8 for patch, upgrade, or suggested workaround information. See References.

References:

O�Reilly Media, Inc. Perl.com: The Source for Perl.
SpamAssassin - Original Advisory: Bugzilla Bug 4570 Mail with lots of To addresses in header triggers Bus error in Perl.
SpamAssassin - Welcome to SpamAssassin: The Apache SpamAssassin Project.
SpamAssassin: Downloads: The Apache SpamAssassin Project.
ASA-2006-068: spamassassin security update (RHSA-2006-0129)
BID-15373: SpamAssassin Bus Error Spam Detection Bypass Vulnerability
CVE-2005-3351: SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e-mail with a large number of recipients (To addresses), which triggers a bus error in Perl.
MDKSA-2005:221: Updated spamassassin packages fixes vulnerability
OSVDB ID: 11581: SpamAssassin Email Domain Address Saturation DoS
RHSA-2006-0129: spamassassin security update
SA17386: SpamAssassin Long Message Header Denial of Service
SUSE-SR:2005:027: SUSE Security Summary Report
VUPEN/ADV-2005-2364: SpamAssassin Remote Denial of Service and Security Bypass Issue

Platforms Affected:

Apache SpamAssassin 3.0.4
Larry Wall Perl 5.8.7
MandrakeSoft Mandrake Linux 10.1 X86_64
MandrakeSoft Mandrake Linux 10.1
MandrakeSoft Mandrake Linux 2006 X86_64
MandrakeSoft Mandrake Linux 2006
MandrakeSoft Mandrake Linux LE2005
MandrakeSoft Mandrake Linux LE2005 X86_64
RedHat Enterprise Linux 4 WS
RedHat Enterprise Linux 4 ES
RedHat Enterprise Linux 4 AS
RedHat Enterprise Linux 4 Desktop

Reported:

Nov 10, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page