CVSS2: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.106 Low (Percentile: 95.1%)

Matthias Andree reports:

When using Unicode databases (default in more recent bogofilter
installations), upon encountering invalid input sequences,
bogofilter or bogolexer could overrun a malloc()'d buffer,
corrupting the heap, while converting character sets. Bogofilter
would usually be processing untrusted data received from the
network at that time.

This problem was aggravated by an unrelated bug that made
bogofilter process binary attachments as though they were text, and
attempt charset conversion on them. Given the MIME default
character set, US-ASCII, all input octets in the range 0x80…0xff
were considered invalid input sequences and could trigger the heap
corruption.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | bogofilter | = 0.93.5 | UNKNOWN |
FreeBSD | any | noarch | bogofilter | < 0.96.3 | UNKNOWN |
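
The report above describes a charset conversion that writes past a malloc()'d buffer when it meets invalid input octets. As an added example (not bogofilter's code and not the fix that shipped), this C code converts US-ASCII to UTF-8 with every write checked against the buffer capacity and the allocation sized for the worst case. The function names and the choice to substitute U+FFFD for invalid octets are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* U+FFFD in UTF-8; substituting it for invalid octets is this example's assumption. */
static const unsigned char REPL[3] = { 0xEF, 0xBF, 0xBD };

/* Hypothetical helper: convert US-ASCII to UTF-8, replacing each invalid
 * octet (0x80..0xff) with U+FFFD. Every write is checked against out_cap.
 * Returns 0 on success, -1 if the output would not fit; *out_len gets the
 * bytes written so far and *n_invalid the count of invalid octets seen. */
int ascii_to_utf8(const unsigned char *in, size_t in_len,
                  unsigned char *out, size_t out_cap,
                  size_t *out_len, size_t *n_invalid)
{
    size_t o = 0, bad = 0;
    int rc = 0;
    for (size_t i = 0; i < in_len; i++) {
        size_t need = (in[i] < 0x80) ? 1 : sizeof REPL;
        /* o <= out_cap always holds, so the subtraction cannot wrap */
        if (need > out_cap - o) { rc = -1; break; }
        if (in[i] < 0x80) {
            out[o++] = in[i];
        } else {
            memcpy(out + o, REPL, sizeof REPL);
            o += sizeof REPL;
            bad++;
        }
    }
    *out_len = o;
    *n_invalid = bad;
    return rc;
}

/* Hypothetical helper: size the heap buffer for the worst case (every octet
 * invalid, 3 output bytes each) plus a NUL, rejecting size_t overflow. */
unsigned char *convert_alloc(const unsigned char *in, size_t in_len,
                             size_t *out_len, size_t *n_invalid)
{
    if (in_len > (SIZE_MAX - 1) / sizeof REPL) return NULL;
    size_t cap = in_len * sizeof REPL + 1;
    unsigned char *out = malloc(cap);
    if (out == NULL) return NULL;
    if (ascii_to_utf8(in, in_len, out, cap - 1, out_len, n_invalid) != 0) {
        free(out);
        return NULL;
    }
    out[*out_len] = '\0';
    return out;
}
```

A nonzero `n_invalid` on a part labelled US-ASCII is also a useful signal that binary data is being treated as text.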