authorAdrian Reber <adrian@lisas.de>2016-11-02 13:45:33 +0100
committerAdrian Reber <adrian@lisas.de>2016-11-02 13:47:51 +0100
commit80a818b6fde463ebfd868dd203a60b9cc3529527 (patch)
treeb458df5daeb71ffa03c911fb9becc0ef602aa256
parent8a52d26ddfdb1e6d3a69773688f4afb0437aa529 (diff)
downloadbogofilter_EL6-80a818b6fde463ebfd868dd203a60b9cc3529527.tar.gz
Added multiple upstream patches to fix various memory bugs
- Fixes "[abrt] bogofilter: yyrealloc(): bogofilter killed by SIGABRT" (#1246282) - Fixes "why libdb4" (#1367329) by switching BR to libdb-devel (from db4-devel)
-rw-r--r--bogofilter.spec35
-rw-r--r--patch.r699514
-rw-r--r--patch.r700916
-rw-r--r--patch.r7016127
-rw-r--r--patch.r702383
-rw-r--r--patch.r703048
-rw-r--r--patch.r703219
-rw-r--r--patch.r703416
-rw-r--r--patch.r703540
9 files changed, 393 insertions, 5 deletions
diff --git a/bogofilter.spec b/bogofilter.spec
index 8c9a573..f53f933 100644
--- a/bogofilter.spec
+++ b/bogofilter.spec
@@ -1,7 +1,7 @@
Summary: Fast anti-spam filtering by Bayesian statistical analysis
Name: bogofilter
Version: 1.2.4
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2
Group: Applications/Internet
URL: http://bogofilter.sourceforge.net/
@@ -10,11 +10,24 @@ URL: http://bogofilter.sourceforge.net/
# but due to bug 912694 which identified three files with license
# problems the following steps are necessary to repack bogofilter
# wget http://downloads.sourceforge.net/bogofilter/bogofilter-1.2.4.tar.gz
-# tar xf bogofilter-1.2.4.tar.gz
+# tar xf bogofilter-1.2.4.tar.gz
# rm bogofilter-1.2.4/doc/bogofilter-SA-20[0-1][0,5]-0[1,2]
# tar cf bogofilter-1.2.4.repack.tar.gz bogofilter-1.2.4
Source: bogofilter-%{version}.repack.tar.gz
-BuildRequires: flex db4-devel gsl-devel
+# Patches are taken from upstreams SVN:
+# svn checkout svn://svn.code.sf.net/p/bogofilter/code/trunk bogofilter-code
+# cd bogofilter-code
+# svndiff -c 6995 > patch.r6995
+Patch1: patch.r6995
+# patch.r7009 is adapted to apply without a previous patch
+Patch2: patch.r7009
+Patch3: patch.r7016
+Patch4: patch.r7023
+Patch5: patch.r7030
+Patch6: patch.r7032
+Patch7: patch.r7034
+Patch8: patch.r7035
+BuildRequires: flex libdb-devel gsl-devel
BuildRequires: /usr/bin/iconv
BuildRequires: perl-generators
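Review bot: The provenance comment added above `Patch1:` fetches the patches over `svn://`, which is neither encrypted nor authenticated, and nothing in the spec pins what the eight patch files must contain. Because several of these patches change parser code that handles untrusted mail, the comment should name an authenticated transport, e.g. `# svn checkout https://svn.code.sf.net/p/bogofilter/code/trunk bogofilter-code`, and give the command for every revision rather than only r6995. `svndiff -c 6995` is presumably meant to be `svn diff -c 6995`. The remark that patch.r7009 was adapted is useful; stating what was changed would let a reviewer compare it with upstream.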
@@ -30,7 +43,6 @@ by sites that process a lot of mail.
%package bogoupgrade
Summary: Upgrades bogofilter database to current version
Group: Applications/Internet
-Provides: bogoupgrade
Requires: %{name} = %{version}-%{release}
%description bogoupgrade
@@ -43,13 +55,21 @@ main bogofilter package.
%prep
%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
iconv -f iso-8859-1 -t utf-8 \
doc/bogofilter-faq-fr.html > doc/bogofilter-faq-fr.html.utf8
%{__mv} -f doc/bogofilter-faq-fr.html.utf8 \
doc/bogofilter-faq-fr.html
%build
-CFLAGS="%{optflags} -I%{_includedir}/libdb4" LDFLAGS="-L%{_libdir}/libdb4" %configure --disable-rpath
+%configure --disable-rpath
%{__make} %{?_smp_mflags}
%install
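Review bot: `%patch3 -p1` applies patch.r7016, which edits src/tests/Makefile.am and adds the test t.passthrough-truncation, but the test's input t.passthrough-truncation-in.gz is binary and is not carried by the patch (it only records "Cannot display: file marked as a binary type"). No autoreconf step is visible in %prep or %build, so the Makefile.am change either has no effect or triggers automake's rebuild rules during `make`, and if the test suite is run the new regression test has no input. Either ship the fixture as an additional Source and regenerate the build files, or drop the tests/ parts from patch.r7016 and say so in the comment next to `Patch3:`. The rest of the spec lies outside this hunk.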
@@ -83,6 +103,11 @@ CFLAGS="%{optflags} -I%{_includedir}/libdb4" LDFLAGS="-L%{_libdir}/libdb4" %conf
%exclude %{_mandir}/man1/bogoupgrade*
%changelog
+* Thu Sep 22 2016 Adrian Reber <adrian@lisas.de> - 1.2.4-7
+- Added multiple upstream patches to fix various memory bugs
+- Fixes "[abrt] bogofilter: yyrealloc(): bogofilter killed by SIGABRT" (#1246282)
+- Fixes "why libdb4" (#1367329) by switching BR to libdb-devel (from db4-devel)
+
* Mon Feb 22 2016 Orion Poplawski <orion@cora.nwra.com> - 1.2.4-6
- Rebuild for gsl 2.1
diff --git a/patch.r6995 b/patch.r6995
new file mode 100644
index 0000000..a451a13
--- /dev/null
+++ b/patch.r6995
@@ -0,0 +1,14 @@
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 6994)
++++ bogofilter/NEWS (revision 6995)
+@@ -46,7 +46,8 @@
+ svn checkout http://svn.code.sf.net/p/bogofilter/code/trunk bogofilter
+
+ And developers would use, replacing joe by their sf.net login:
+- svn checkout --username=joe svn+ssh://m-a@svn.code.sf.net/p/bogofilter/code/trunk bogofilter
++ svn checkout --username=joe \
++ svn+ssh://svn.code.sf.net/p/bogofilter/code/trunk bogofilter
+
+ 2012-12-03
+ * Add bogofilter-SA-2012-01 (CVE-2012-5468).
diff --git a/patch.r7009 b/patch.r7009
new file mode 100644
index 0000000..f5c16a7
--- /dev/null
+++ b/patch.r7009
@@ -0,0 +1,16 @@
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7008)
++++ bogofilter/NEWS (revision 7009)
+@@ -15,6 +15,11 @@
+
+ -------------------------------------------------------------------------------
+
++ 2013-11-30
++
++ * Updated autoconf/automake stuff so that tests work properly with
++ automake versions that default to running parallel-tests.
++
+ 1.2.4 2013-07-01 (released)
+
+ 2013-06-28
diff --git a/patch.r7016 b/patch.r7016
new file mode 100644
index 0000000..9560d45
--- /dev/null
+++ b/patch.r7016
@@ -0,0 +1,127 @@
+Index: bogofilter/AUTHORS
+===================================================================
+--- bogofilter/AUTHORS (revision 7015)
++++ bogofilter/AUTHORS (revision 7016)
+@@ -55,3 +55,4 @@
+ Marco Bozzolan
+ Paul Mangan
+ Roman Trunov
++Julius Plenz
+Index: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
+===================================================================
+Cannot display: file marked as a binary type.
+svn:mime-type = application/octet-stream
+Index: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
+===================================================================
+--- bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz (nonexistent)
++++ bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz (revision 7016)
+
+Property changes on: bogofilter/src/tests/inputs/t.passthrough-truncation-in.gz
+___________________________________________________________________
+Added: svn:mime-type
+## -0,0 +1 ##
++application/octet-stream
+\ No newline at end of property
+Index: bogofilter/src/tests/t.passthrough-truncation
+===================================================================
+--- bogofilter/src/tests/t.passthrough-truncation (nonexistent)
++++ bogofilter/src/tests/t.passthrough-truncation (revision 7016)
+@@ -0,0 +1,19 @@
++#! /bin/sh
++
++. ${srcdir:=.}/t.frame
++
++# t.passthrough-hb
++#
++# test for correct passthrough of misdeclared MIME parts
++# test case provided by Julius Plenz, July 2014.
++
++gzip -c -d <"$srcdir/inputs/t.passthrough-truncation-in.gz" >"$TMPDIR/input"
++$BOGOFILTER -e -p -C < "$TMPDIR/input" \
++| $GREP -v "^X-Bogosity: Unsure," > "$TMPDIR/output"
++
++if [ $verbose -eq 0 ]; then
++ cmp "$TMPDIR/input" "$TMPDIR/output"
++else
++ set +e
++ diff $DIFF_BRIEF "$TMPDIR/input" "$TMPDIR/output"
++fi
+
+Property changes on: bogofilter/src/tests/t.passthrough-truncation
+___________________________________________________________________
+Added: svn:executable
+## -0,0 +1 ##
++*
+\ No newline at end of property
+Index: bogofilter/src/tests/Makefile.am
+===================================================================
+--- bogofilter/src/tests/Makefile.am (revision 7015)
++++ bogofilter/src/tests/Makefile.am (revision 7016)
+@@ -35,7 +35,7 @@
+ t.ignore_spam_header \
+ t.nullstatsprefix \
+ t.integrity t.integrity2 t.integrity3 \
+- t.passthrough-hb \
++ t.passthrough-hb t.passthrough-truncation \
+ t.escaped.html t.escaped.url \
+ t.base64 t.split t.parsing \
+ t.lexer t.lexer.mbx t.lexer.qpcr t.lexer.eoh \
+@@ -97,6 +97,7 @@
+ inputs/msg.split.dr.0118.base64 \
+ inputs/msg.split.gs.0119.text \
+ inputs/spam.mbx \
++ inputs/t.passthrough-truncation-in.gz \
+ outputs/MH.out \
+ outputs/bogolex.out \
+ outputs/bulkmode.out \
+Index: bogofilter/src/lexer.c
+===================================================================
+--- bogofilter/src/lexer.c (revision 7015)
++++ bogofilter/src/lexer.c (revision 7016)
+@@ -220,15 +220,25 @@
+
+ #ifndef DISABLE_UNICODE
+ if (encoding == E_UNICODE &&
+- !msg_state->mime_dont_decode)
++ !msg_state->mime_dont_decode &&
++ count > 0)
+ {
+ iconvert(linebuff, buff);
++
++ /* If we return count = 0 here, the caller will think we have
++ * no more bytes left to read, even though before the iconvert
++ * call we had a positive number of bytes. This *will* lead to
++ * a message truncation which we try to avoid by simply
++ * returning the original input buffer (which has positive
++ * length) instead. */
++ if(buff->t.leng == 0)
++ memcpy(buff, linebuff, sizeof(*buff));
++
+ /*
+ * iconvert, treating multi-byte sequences, can shrink or enlarge
+ * the output compared to its input. Correct count.
+ */
+- if (count > 0)
+- count = buff->t.leng;
++ count = buff->t.leng;
+ }
+ #endif
+
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7015)
++++ bogofilter/NEWS (revision 7016)
+@@ -15,6 +15,13 @@
+
+ -------------------------------------------------------------------------------
+
++ 2014-07-10
++
++ * Take patch from Julius Plenz to fix a bug in the charset converter
++ that causes truncation of messages in pass-through mode in rare
++ circumstances, for instance, if binary data is misdeclared as
++ text/html. Also add his test case, t.passthrough-truncation.
++
+ 2013-11-30
+
+ * Updated autoconf/automake stuff so that tests work properly with
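Review bot: In the nested lexer.c hunk, the fallback `memcpy(buff, linebuff, sizeof(*buff));` copies the buffer descriptor rather than the text bytes, so afterwards `buff` refers to whatever storage `linebuff` points at and the caller's original text pointer is overwritten. The comment above it says the intent is to return the original input, which would be a bounded copy of the bytes, e.g. `memcpy(buff->t.u.text, linebuff->t.u.text, linebuff->t.leng); buff->t.leng = linebuff->t.leng;` after checking that the length fits the destination's capacity. Whether `buff` and `linebuff` can be distinct objects at this point is decided outside the hunk, so this needs confirming against the full function. If they can, the struct copy leaves two descriptors aliasing one allocation, and a later free or realloc through either would act on the wrong pointer.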
diff --git a/patch.r7023 b/patch.r7023
new file mode 100644
index 0000000..b02f5e8
--- /dev/null
+++ b/patch.r7023
@@ -0,0 +1,83 @@
+Index: bogofilter/src/mime.c
+===================================================================
+--- bogofilter/src/mime.c (revision 7022)
++++ bogofilter/src/mime.c (revision 7023)
+@@ -279,6 +279,25 @@
+ mime_push(parent);
+ }
+
++static bool is_final_boundary(
++ const byte *ins,
++ size_t inlen,
++ size_t blen
++)
++{
++ if (inlen >= 5
++ && inlen >= blen + 2
++ && ins[0] == '-'
++ && ins[1] == '-'
++ && ins[blen+2] == '-'
++ && ins[blen+3] == '-')
++ {
++ return true;
++ }
++ return false;
++}
++
++
+ /**
+ * Check if the line given in \a boundary is a boundary of one of the
+ * outer MIME containers and store the results in \a b.
+@@ -301,28 +320,18 @@
+ (buf[blen - 1] == '\r' || buf[blen - 1] == '\n'))
+ blen--;
+
+- /* skip initial -- */
+- buf += 2;
+- blen -= 2;
+-
+- /* skip and note ending --, if any */
+- if (blen > 2 && buf[blen - 1] == '-' && buf[blen - 2] == '-') {
+- b->is_final = true;
+- blen -= 2;
+- } else {
+- b->is_final = false;
+- }
+-
+ /* search stack for matching boundary, in reverse order */
+ for (ptr = mime_stack_bot; ptr != NULL; ptr = ptr->parent)
+ {
+ if (is_mime_container(ptr)
+ && ptr->boundary != NULL
+- && ptr->boundary_len == blen
+- && (memcmp(ptr->boundary, buf, blen) == 0))
++ && (ptr->boundary_len + 2 == blen
++ || ptr->boundary_len + 4 == blen)
++ && (memcmp(ptr->boundary, buf + 2, ptr->boundary_len) == 0))
+ {
+ b->depth = ptr->depth;
+ b->is_valid = true;
++ b->is_final = is_final_boundary(buf, blen, ptr->boundary_len);
+ break;
+ }
+ }
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7022)
++++ bogofilter/NEWS (revision 7023)
+@@ -15,6 +15,15 @@
+
+ -------------------------------------------------------------------------------
+
++ 2015-02-25
++
++ * Fix the lexer to handle MIME multipart messages properly when the
++ boundary ended in "--". The parser would previously never find the
++ MIME parts because it mistook all boundaries ending in two dashes to
++ be the final boundary of the multipart, rather than checking if the
++ two dashes were extra.
++ Reported by Matt Garretson to the bogofilter mailing list today.
++
+ 2014-07-10
+
+ * Take patch from Julius Plenz to fix a bug in the charset converter
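Review bot: `is_final_boundary()` in the nested mime.c hunk reads `ins[blen+2]` and `ins[blen+3]` after checking only `inlen >= blen + 2`, so for a non-final boundary line (the caller accepts `ptr->boundary_len + 2 == blen`) both reads land at or past the trimmed line length. The guard should require the two trailing dashes to lie inside the line: `&& inlen >= blen + 4`. The new `memcmp(ptr->boundary, buf + 2, ptr->boundary_len)` also no longer follows a visible check that the line starts with `--`; if that is tested before the hunk, a short comment saying so would help. The enclosing function starts and ends outside the hunk.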
diff --git a/patch.r7030 b/patch.r7030
new file mode 100644
index 0000000..1465e8a
--- /dev/null
+++ b/patch.r7030
@@ -0,0 +1,48 @@
+Index: bogofilter/src/lexer.c
+===================================================================
+--- bogofilter/src/lexer.c (revision 7029)
++++ bogofilter/src/lexer.c (revision 7030)
+@@ -329,7 +329,7 @@
+ count += cnt;
+
+ /* Note: some malformed messages can cause xfgetsl() to report
+- ** "Invalid buffer size, exiting." ** and then abort. This
++ ** "Invalid buffer size, exiting." and then abort. This
+ ** can happen when the parser is in html mode and there's a
+ ** leading '<' but no closing '>'.
+ **
+@@ -343,9 +343,12 @@
+
+ if (count >= MAX_TOKEN_LEN * 2 &&
+ long_token(buff.t.u.text, (uint) count)) {
+- uint start = buff.t.leng - count;
+- uint length = count - max_token_len;
+- buff_shift(&buff, start, length);
++ /* Make sure not to shift bytes outside the buffer */
++ if (buff.t.leng >= (uint) count) {
++ uint start = buff.t.leng - count;
++ uint length = count - max_token_len;
++ buff_shift(&buff, start, length);
++ }
+ count = buff.t.leng;
+ }
+ else
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7029)
++++ bogofilter/NEWS (revision 7030)
+@@ -15,6 +15,14 @@
+
+ -------------------------------------------------------------------------------
+
++ 2015-02-28
++
++ * Fix the lexer to not try to delete parts from HTML tokens if it is
++ reading garbage (for instance, binary files misdeclared as HTML).
++ This was exposed on Fedora 20 and 21 but not Ubuntu 14.04 (x86_64),
++ and is possibly related to its newer flex 2.5.37 that may have
++ changed the way it uses yyinput() a bit. Reported by Matt Garretson.
++
+ 2015-02-25
+
+ * Fix the lexer to handle MIME multipart messages properly when the
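Review bot: The new guard in the nested lexer.c hunk protects `start` but not `length`: the branch is entered on `count >= MAX_TOKEN_LEN * 2`, while the subtraction is `count - max_token_len`, and nothing visible ties the variable `max_token_len` to the macro. If `max_token_len` can exceed `count`, the unsigned `length` wraps and `buff_shift()` is asked to move a very large range; `if (buff.t.leng >= (uint) count && (uint) count > max_token_len)` would close that. When the guard fails the code falls through silently to `count = buff.t.leng`, so a one-line comment stating that the oversized token is then left in place would document the intent. The enclosing function continues outside the hunk.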
diff --git a/patch.r7032 b/patch.r7032
new file mode 100644
index 0000000..eaba3ad
--- /dev/null
+++ b/patch.r7032
@@ -0,0 +1,19 @@
+Index: bogofilter/src/maint.c
+===================================================================
+--- bogofilter/src/maint.c (revision 7031)
++++ bogofilter/src/maint.c (revision 7032)
+@@ -118,11 +118,11 @@
+ bool discard;
+
+ if (token->u.text[0] == '.') { /* keep .ENCODING, .MSG_COUNT, and .ROBX */
+- if (strcmp((const char *)token->u.text, MSG_COUNT) == 0)
++ if (0 == word_cmps(token, MSG_COUNT))
+ return false;
+- if (strcmp((const char *)token->u.text, ROBX_W) == 0)
++ if (0 == word_cmps(token, ROBX_W))
+ return false;
+- if (strcmp((const char *)token->u.text, WORDLIST_ENCODING) == 0)
++ if (0 == word_cmps(token, WORDLIST_ENCODING))
+ return false;
+ }
+
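Review bot: The switch from `strcmp()` to `word_cmps()` in the nested maint.c hunk carries no comment explaining why, and the reason appears only in a separate NEWS entry (patch.r7034, out-of-bounds read in discard_token()). Presumably `token->u.text` is length-delimited and not guaranteed to be NUL-terminated; if so, a comment such as `/* token text is not NUL-terminated: compare by length, never strcmp() */` above the three tests would keep the fix from being reverted as a cleanup. The first context line still indexes `token->u.text[0]` without a visible length check, which is worth confirming for an empty token. The function body starts and ends outside the hunk.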
diff --git a/patch.r7034 b/patch.r7034
new file mode 100644
index 0000000..790b901
--- /dev/null
+++ b/patch.r7034
@@ -0,0 +1,16 @@
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7033)
++++ bogofilter/NEWS (revision 7034)
+@@ -15,6 +15,11 @@
+
+ -------------------------------------------------------------------------------
+
++ 2015-10-10
++
++ * Fix an out-of-bounds memory read in maint.c's discard_token().
++ Found with clang 3.6's address sanitizer.
++
+ 2015-02-28
+
+ * Fix the lexer to not try to delete parts from HTML tokens if it is
diff --git a/patch.r7035 b/patch.r7035
new file mode 100644
index 0000000..6ef6f81
--- /dev/null
+++ b/patch.r7035
@@ -0,0 +1,40 @@
+Index: bogofilter/src/wordlists.c
+===================================================================
+--- bogofilter/src/wordlists.c (revision 7034)
++++ bogofilter/src/wordlists.c (revision 7035)
+@@ -265,9 +265,6 @@
+ xfree(i);
+ }
+
+- if (commit)
+- word_lists = NULL;
+-
+ return err;
+ }
+
+Index: bogofilter/src/wordlists_base.c
+===================================================================
+--- bogofilter/src/wordlists_base.c (revision 7034)
++++ bogofilter/src/wordlists_base.c (revision 7035)
+@@ -134,6 +134,8 @@
+ list = free_wordlistnode(list);
+ }
+
++ word_lists = NULL;
++
+ bogohome_cleanup();
+ }
+
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS (revision 7034)
++++ bogofilter/NEWS (revision 7035)
+@@ -17,6 +17,8 @@
+
+ 2015-10-10
+
++ * Fix a memory leak in close_wordlists().
++
+ * Fix an out-of-bounds memory read in maint.c's discard_token().
+ Found with clang 3.6's address sanitizer.
+
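Review bot: With `word_lists = NULL;` removed from the nested wordlists.c hunk, the global keeps pointing at the closed list nodes until the cleanup code in wordlists_base.c runs. Any code that executes between the two calls and tests `word_lists` against NULL would now treat closed lists as still present; the callers are not visible here, so this should be checked. A comment at the new assignment, e.g. `/* nodes were freed above; clear the global so nothing reuses them */`, would record why the reset belongs there. Both functions begin outside their hunks.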