Package: amavisd-new
Version: 2.6.1.dfsg-1
Severity: normal
It appears that the banned filename CLSID regex is still matching on what I believe are valid filenames. You can find a lot of history about this regex in this old bug report.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373159

This site here describes the vulnerability.
http://www.declude.com/Articles.asp?ID=107
"This vulnerability occurs when an E-mail uses a 'CLSID' as an extension."

And another site here
http://www.gfi.com/emailsecuritytest/faq.htm#clsid
"Attachments that end with a Class ID (CLSID) file extension"

So from those two sites, it appears that the CLSID is only a problem if it is the extension to the filename.

Here is an example of what I consider a valid filename.
name="{2CC67A0A-4693-4972-BEFC-50AC40B39602}.jpg"

And here is an example of what I would consider a bad filename.
name="image.jpg.{2CC67A0A-4693-4972-BEFC-50AC40B39602}"

# current strict regex
'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i

# suggested replacement to fix the problem.
'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i

The replacement regex adds a '$' to the end so that it will only match when the CLSID is an extension.

Thanks.
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages amavisd-new depends on:
ii  adduser                        3.110       add and remove users and groups
ii  debconf [debconf-2.0]          1.5.24      Debian configuration management sy
ii  file                           4.26-1      Determines file type using "magic"
ii  libarchive-zip-perl            1.18-1      Module for manipulation of ZIP arc
ii  libberkeleydb-perl             0.34-1+b1   use Berkeley DB 4 databases from P
ii  libcompress-zlib-perl          2.015-1     Perl module for creation and manip
ii  libconvert-tnef-perl           0.17-8      Perl module to read TNEF files
ii  libconvert-uulib-perl          1.11-1      Perl interface to the uulib librar
pn  libdigest-md5-perl             <none>      (no description available)
ii  libio-stringy-perl             2.110-4     Perl modules for IO from scalars a
ii  libmailtools-perl              2.04-1      Manipulate email in perl programs
pn  libmime-base64-perl            <none>      (no description available)
ii  libmime-tools-perl             5.427-1     Perl5 modules for MIME-compliant m
ii  libnet-server-perl             0.97-1      An extensible, general perl server
ii  libunix-syslog-perl            1.1-2       Perl interface to the UNIX syslog(
ii  perl [libtime-hires-perl]      5.10.0-15   Larry Wall's Practical Extraction
ii  perl-modules [libarchive-tar-  5.10.0-16   Core Perl modules

amavisd-new recommends no packages.
Versions of packages amavisd-new suggests:
pn  apt-listchanges                <none>      (no description available)
ii  arj                            3.10.22-6   archiver for .arj files
ii  cabextract                     1.2-3       a program to extract Microsoft Cab
ii  clamav                         0.94.dfsg-1 anti-virus utility for Unix - comm
pn  clamav-daemon                  <none>      (no description available)
ii  cpio                           2.9-14      GNU cpio -- a program to manage ar
pn  dspam                          <none>      (no description available)
ii  lha                            1.14i-10.3  lzh archiver
ii  libauthen-sasl-perl            2.12-1      Authen::SASL - SASL Authentication
ii  libdbi-perl                    1.607-1     Perl5 database interface by Tim Bu
pn  libmail-dkim-perl              <none>      (no description available)
pn  libnet-ldap-perl               <none>      (no description available)
ii  lzop                           1.02~rc1-2  fast compression program
pn  nomarch                        <none>      (no description available)
ii  spamassassin                   3.2.5-1     Perl-based spam filter using text
ii  unrar                          1:3.8.4-1   Unarchiver for .rar files (non-fre
ii  zoo                            2.10-21     manipulate zoo archives
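To check the claim in the report, the added example below (not part of the bug report or of amavisd-new) runs the current and the suggested banned-filename patterns over the two filenames quoted above plus a few constructed edge cases. The Perl '...'i literals are translated into Python re syntax with re.IGNORECASE; the STRICT_RE variant with \Z is my addition, illustrating that '$' in both Perl and Python also matches before a trailing newline.

```python
import re

# Patterns quoted in the bug report, translated from Perl's '...'i literal
# syntax into Python re. amavisd-new applies them case-insensitively (/i),
# which re.IGNORECASE reproduces; \{ and \} are literal braces.
CURRENT_RE = re.compile(r'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?', re.IGNORECASE)
SUGGESTED_RE = re.compile(r'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$', re.IGNORECASE)

# Added caveat (not from the report): '$' also matches just before a final
# newline in both Perl and Python; '\Z' (Perl: '\z') is the strict end of string.
STRICT_RE = re.compile(r'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\Z', re.IGNORECASE)


def is_banned(name: str, pattern: re.Pattern) -> bool:
    """True when the pattern fires anywhere in the name: search semantics,
    like Perl's =~, since banned-filename patterns are not implicitly anchored."""
    return pattern.search(name) is not None


def compare(names):
    """Map each attachment name to (current, suggested, strict) match results."""
    return {n: (is_banned(n, CURRENT_RE), is_banned(n, SUGGESTED_RE), is_banned(n, STRICT_RE))
            for n in names}


# Constructed sample names: the two from the report plus edge cases.
SAMPLES = [
    "{2CC67A0A-4693-4972-BEFC-50AC40B39602}.jpg",          # report: valid, CLSID is not the extension
    "image.jpg.{2CC67A0A-4693-4972-BEFC-50AC40B39602}",    # report: bad, CLSID is the extension
    "image.{2CC67A0A-4693-4972-BEFC-50AC40B39602}.jpg",    # CLSID in the middle of the name
    "image.jpg.{2cc67a0a-4693-4972-befc-50ac40b39602",     # lowercase, closing brace missing (allowed by \}?)
    "image.jpg.{2CC67A0A-4693-4972-BEFC-50AC40B39602}\n",  # trailing newline: '$' still matches, '\Z' does not
]

if __name__ == "__main__":
    for name, (cur, sug, strict) in compare(SAMPLES).items():
        print(f"{name!r:58} current={cur!s:5} suggested={sug!s:5} strict={strict}")
```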