CVE-2010-2494 : Multiple buffer underflows in the base64 decoder in base64.c in (1) bogofilter and (2) bogolexer in bogofilter before 1.

Multiple buffer underflows in the base64 decoder in base64.c in (1) bogofilter and (2) bogolexer in bogofilter before 1.2.2 allow remote attackers to cause a denial of service (heap memory corruption and application crash) via an e-mail message with invalid base64 data that begins with an = (equals) character.

Published 2010-07-08 18:30:01

Updated 2013-02-14 04:31:10

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowMemory CorruptionDenial of service

Exploit prediction scoring system (EPSS) score for CVE-2010-2494

Probability of exploitation activity in the next 30 days: 10.85%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 94 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2010-2494

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2010-2494

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2010-2494

http://bogofilter.svn.sourceforge.net/viewvc/bogofilter/trunk/bogofilter/src/base64.c?view=patch&r1=6906&r2=6903

404 Not Found
Patch
http://marc.info/?l=oss-security&m=127831760712436&w=2

'Re: [oss-security] Request CVE ID for bogofilter base64 decoder' - MARC
http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046558.html

[SECURITY] Fedora 13 Update: bogofilter-1.2.2-1.fc13
http://marc.info/?l=oss-security&m=127840569013531&w=2

'[oss-security] REPOST: CVE request for bogofilter' - MARC
Patch
http://www.vupen.com/english/advisories/2010/2233

Webmail | OVH- OVH
http://bogofilter.svn.sourceforge.net/viewvc/bogofilter/trunk/bogofilter/doc/bogofilter-SA-2010-01?revision=6909&pathrev=6909

404 Not Found
http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00016.html

[security-announce] openSUSE-SU-2012:1650-1: important: update for bogof
http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046590.html

[SECURITY] Fedora 12 Update: bogofilter-1.2.2-1.fc12
https://bugzilla.redhat.com/show_bug.cgi?id=611551

611551 – (CVE-2010-2494) CVE-2010-2494 bogofilter: array index underflow/OOB write via invalid input
http://www.securityfocus.com/bid/41339

bogofilter Base64 Encoding '=' Character Heap Memory Corruption Vulnerability
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00021.html

[security-announce] openSUSE-SU-2013:0166-1: important: update for bogof
http://marc.info/?l=oss-security&m=127844323105405&w=2

'Re: [oss-security] Request CVE ID for bogofilter base64 decoder' - MARC
http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01

Encountered a 404 error
http://marc.info/?l=oss-security&m=127814747231102&w=2

'[oss-security] Request CVE ID for bogofilter base64 decoder heap corruption' - MARC
http://www.ubuntu.com/usn/USN-980-1

USN-980-1: bogofilter vulnerability | Ubuntu security notices
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html

[security-announce] SUSE Security Summary Report: SUSE-SR:2010:014

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00015.html

[security-announce] openSUSE-SU-2012:1648-1: important: update for bogof

Products affected by CVE-2010-2494

Bogofilter » Bogofilter
Versions up to, including, (<=) 1.2.1
cpe:2.3:a:bogofilter:bogofilter:*:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.2.0
cpe:2.3:a:bogofilter:bogofilter:1.2.0:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.0
cpe:2.3:a:bogofilter:bogofilter:1.1.0:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.0.3
cpe:2.3:a:bogofilter:bogofilter:1.0.3:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.3
cpe:2.3:a:bogofilter:bogofilter:1.1.3:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.2
cpe:2.3:a:bogofilter:bogofilter:1.1.2:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.1
cpe:2.3:a:bogofilter:bogofilter:1.1.1:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.5
cpe:2.3:a:bogofilter:bogofilter:1.1.5:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.4
cpe:2.3:a:bogofilter:bogofilter:1.1.4:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.0.0
cpe:2.3:a:bogofilter:bogofilter:1.0.0:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.7
cpe:2.3:a:bogofilter:bogofilter:1.1.7:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.1.6
cpe:2.3:a:bogofilter:bogofilter:1.1.6:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.0.2
cpe:2.3:a:bogofilter:bogofilter:1.0.2:*:*:*:*:*:*:*
Matching versions
Bogofilter » Bogofilter » Version: 1.0.1
cpe:2.3:a:bogofilter:bogofilter:1.0.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2010-2494

Exploit prediction scoring system (EPSS) score for CVE-2010-2494

CVSS scores for CVE-2010-2494

CWE ids for CVE-2010-2494

References for CVE-2010-2494

Products affected by CVE-2010-2494