Vipul's Razor-agents Crafted HTML Pre-processing DoS

2005-05-12T08:07:15
ID OSVDB:17390
Type osvdb
Reporter Martin Blapp (mbr_freebsd@users.sourceforge.net)
Modified 2005-05-12T08:07:15

Description

Vulnerability Description

Vipul's Razor-agents contains a flaw that may allow a remote denial of service. The issue is triggered when certain unspecified malformed HTML emails are processed, and will result in loss of availability for the service.

Solution Description

Upgrade to version 2.70 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

Running special mails through SpamAssassin (SA) with razor2 enabled causes a segmentation fault. Some example mails can be found at the Generic Informational URL listed under References. Steps to reproduce:

spamassassin -tD < email.txt

or

razor-check -d email.txt

References:

Vendor URL: http://razor.sourceforge.net/
Vendor Specific News/Changelog Entry: http://razor.sourceforge.net/docs/changes.php
Secunia Advisory ID: 15739
Secunia Advisory ID: 15820
Secunia Advisory ID: 15804
Secunia Advisory ID: 15921
Secunia Advisory ID: 16413
Related OSVDB ID: 17391
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2005-Jun/0010.html
Other Advisory URL: http://www.trustix.org/errata/2005/0029/
Other Advisory URL: http://www.debian.org/security/2005/dsa-773
Other Advisory URL: http://www.debian.org/security/2005/dsa-738
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200506-17.xml
Generic Informational URL: http://sourceforge.net/mailarchive/message.php?msg_id=11732585
CVE-2005-2024
Bugtraq ID: 13984