Razor Agents Segmentation Fault

Versions of Vupil's Razor between (and including) 2.61 and 2.72, will Segmentation fault during processing of certain legitimate email, resulting in a Denial Of Service. Discovery of these issues is credited to Martin Blapp and Nick Leverton:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-August/023636.html

A sample that can be fed to either:
razor-check -d email.txt
or:
spamassassin -tD < email.txt
is located at: http://www200.pair.com/mecham/email.txt
This problem was noticed on or before August 2004, the FreeBSD ports were patched, and a workaround provided to the Razor developers:
http://sourceforge.net/tracker/index.php?func=detail&aid=1003857&group_id=3978&atid=303978

In June of 2005, along with other improvements, portions of this workaround were applied to razor source code, and it was announced that razor once had a problem, but it was fixed in version 2.71:
http://sourceforge.net/mailarchive/forum.php?thread_id=7520323&forum_id=4259
http://www.securityfocus.com/bid/13984

Unfortunately, either the problem was not solved in version 2.71 (or 2.72), or a new problem was introduced, probably due to the fact that one line in the source code was not used as written in the work-around:

In the file deHTMLxs.xs, the line in the patch reads:
*(raw + size - 1) = '\0';
however, in the source code of version 2.72, the line reads:
*(raw + size) = '\0';

If this line is changed to the line supplied in the patch, e.g. *(raw + size - 1) = '\0';, is recompiled and reinstalled, razor no longer Segmentation faults when fed the sample email.

A bug report has been filed with razor:
http://sourceforge.net/tracker/index.php?func=detail&aid=1224440&group_id=3978&atid=103978

Other points of reference:
Vupil's Razor Home Page http://razor.sourceforge.net/
Razor-users mailing list http://sourceforge.net/mailarchive/forum.php?forum=razor-users
http://sourceforge.net/mailarchive/forum.php?thread_id=7317812&forum_id=4258
http://marc.theaimsgroup.com/?l=amavis-user&m=111928725005194&w=2
http://marc.theaimsgroup.com/?l=amavis-user&m=111582765520742&w=2

This problem may only exist in Linux environments, but that statement is pure conjecture at this point. It might be worthwhile to note that FreeBSD systems do not Segfault when running an unmodified version of razor-agents 2.72. Remember that a portion of the two FreeBSD patches is incorporated in this version.

For What It's Worth, I patched version 2.67 with this patch, and the program appeared to work normally. It did not Segfault when fed email.txt, and it still detected it as spam, but I am not a programmer, so draw your own conclusions; no warranty:

--- deHTMLxs.xs.orig	2005-06-23 08:24:04.000000000 -0600
+++ deHTMLxs.xs	2005-06-23 08:29:27.000000000 -0600
@@ -112,6 +112,7 @@
             text = SvRV(scalarref);
             raw = SvPV(text,size);
 
+            *(raw + size - 1) = '\0';
             if ( (cleaned = malloc(size+1)) && 
                  (res = html_strip(raw, cleaned))  // html_strip will memset cleaned to 0
                  ) {

On JUNE 22nd, Jordan Ritter (a razor developer) responds:

Hey folks,

    We really appreciate the effort from everyone.  We now have
    email.txt and are adding it to the unit tests, plus are in the
    process of fixing the bug itself (permanently this time!).  Please
    be patient, and we'll roll a new release shortly.

    If there are any other problems or issues, razor agents is getting
    some attention so now would be a good time to speak up, on list or
    off (direct to Vipul and myself).

Best,
--jordan

In a subsequent conversation with Jordan:

# Correct me if I'm wrong, but I believe this problem applies to all
# versions between (and including) 2.61 to 2.72.

Well, AFAICT the offending line of code was introduced in the most
recent release cycle.  This is not to say that the original crash was
not present from a different bug(s) in the code; just that this
particular single byte overwrite past the end of the buffer is brand
new to the 2.7x series.

# Jordan, has any thought been given to publishing patches for major
# older versions? I know that Debian 3.1 (Sarge stable) uses 2.67 and
# something like that might be of value to package maintainers of
# distros like Debian that maintain older versions.

Only enough thought to dismiss the idea altogether.

The old versions have serious problems, many of which were finally
addressed in this latest release cycle (see 2.7x release notes for
full list).  Plus, frankly, the older code is overcomplicated and
painfully difficult to maintain or extend (current is only an
iterative improvement, if that).  Finally, the latest versions have
significant accuracy improvements.

So, aside from this recent (admittedly serious) mea culpa which we
will address shortly, there is no real reason for people not to
upgrade.  It's Better.

Best,
--jordan

Thanks Jordan, Razor is truly a valuable tool in the fight against spam and the efforts of the developers are appreciated.

razor-agents version 2.74 was released on 28JUN05, this issue is resolved.
Vupil's Razor Home Page

mr88talent at hotmail dot com