Posted to dev@spamassassin.apache.org by Justin Mason <jm...@gmail.com> on 2009/12/06 13:39:51 UTC

CVE - CVE-2009-1391 (under review)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1391

Do we need to do anything about this?


Sent from my iPhone

Re: CVE - CVE-2009-1391 (under review)

Posted by Justin Mason <jm...@jmason.org>.
Ok, sounds safe enough.

On Monday, December 7, 2009, Mark Martinec <Ma...@ijs.si> wrote:
> On Sunday December 6 2009 13:39:51 Justin Mason wrote:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1391
>
>> Do we need to do anything about this?
>
> Probably not. Compress::Raw::Zlib is used by Compress::Zlib,
> which is used by SpamAssassin to optionally decompress spamc/spamd
> communication, at least the DependencyInfo.pm claims so.
> This could potentially be exploited by a rogue spamc-lookalike
> client (which could fabricate an arbitrary zip), but not by
> mail compressed by a regular spamc. I think compressed mail
> attachments are not decompressed by SpamAssassin at all.
>
> On the amavisd side (as mentioned in the CVE), version 2.017
> of Compress::Raw::Zlib has been enforced since amavisd-new-2.6.4,
> released in June 2009.
>
>   Mark
>
>

-- 
--j.

Re: CVE - CVE-2009-1391 (under review)

Posted by Mark Martinec <Ma...@ijs.si>.
On Sunday December 6 2009 13:39:51 Justin Mason wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1391

> Do we need to do anything about this?

Probably not. Compress::Raw::Zlib is used by Compress::Zlib,
which is used by SpamAssassin to optionally decompress spamc/spamd
communication, at least the DependencyInfo.pm claims so.
This could potentially be exploited by a rogue spamc-lookalike
client (which could fabricate an arbitrary zip), but not by
mail compressed by a regular spamc. I think compressed mail
attachments are not decompressed by SpamAssassin at all.

On the amavisd side (as mentioned in the CVE), version 2.017
of Compress::Raw::Zlib has been enforced since amavisd-new-2.6.4,
released in June 2009.

  Mark