Page 1 of 1

sa-update SHA1 calculation bug

Posted: 2017-09-21 00:30
by rstarkov
I've decided to update my ancient SpamAssassin installation and ran into a problem: the latest version has a buggy sa-update that calculates the SHA1 hash incorrectly!

Here's an extract from a debug (-D) run of sa-update:

Code: Select all

downloading to: C:\SpamAssassin\Bin\share\3.004001\updates_spamassassin_org\1799552.tar.gz, update
http: (curl.exe) GET http://sa-update.ena.com/1799552.tar.gz, success
downloading to: C:\SpamAssassin\Bin\share\3.004001\updates_spamassassin_org\1799552.tar.gz.sha1, update
http: (curl.exe) GET http://sa-update.ena.com/1799552.tar.gz.sha1, success
dbg: sha1: verification wanted: 10801ca581564e652a009e80f6195c4bb8532a94
dbg: sha1: verification result: 74ea7198eb78c4a33c420a7cb7c399bce2f372d2
channel: SHA1 verification failed, channel failed
Here's a non-buggy SHA1 calculation on the downloaded file:

Code: Select all

%%%% HASHDEEP-1.0
%%%% size,sha1,filename
## hashdeep64.EXE -c sha1 C:\SpamAssassin\Bin\share\3.004001\updates_spamassassin_org\1799552.tar.gz
##
274927,10801ca581564e652a009e80f6195c4bb8532a94,C:\SpamAssassin\Bin\share\3.004001\updates_spamassassin_org\1799552.tar.gz
Fail... This is v3.41 downloaded from https://www.jam-software.de/customers/d ... anguage=EN and I tried both 32 and 64 builds, both had this problem.

Any tips on how to get this version of SpamAssassin to update?

Re: sa-update SHA1 calculation bug

Posted: 2017-09-21 00:32
by mattg
What does Jam Software say about this updating issue with their product?

Re: sa-update SHA1 calculation bug

Posted: 2017-09-21 00:54
by rstarkov
I've only emailed them just now. This forum is the best place I know for community support related to SpamAssassin for windows so... I was hoping someone running hMailServer may have experienced this and knows how to deal with it.

Re: sa-update SHA1 calculation bug

Posted: 2017-09-21 01:01
by mattg
That's OK and I agree, I was just making sure that you have contacted them.

Personally I run SpamAssassin on a virtual Ubuntu server install, so it is a little different for me. Updates etc all just happen without my intervention.

Re: sa-update SHA1 calculation bug

Posted: 2017-09-24 17:39
by rstarkov
The response from Jam Software was almost immediate and very helpful! Apparently this happens if there is a "curl.exe" on the path. Removing it fixed the problem for me.

Jam Software say that it's a bug in the SpamAssassin's Perl code.

Re: sa-update SHA1 calculation bug

Posted: 2017-09-25 00:44
by mattg
Thanks for the post back with the solution.
(and Yes, Jam software are normally very responsive)

Re: sa-update SHA1 calculation bug

Posted: 2018-07-03 21:23
by attwoodw
I know I'm a little late to this party but have just run into this problem today, could anyone please tell me in which file the problematic path resides?

Re: sa-update SHA1 calculation bug

Posted: 2018-07-03 23:51
by mattg
mattg wrote:
2017-09-21 00:32
What does Jam Software say about this updating issue with their product?

Re: sa-update SHA1 calculation bug

Posted: 2018-07-13 20:43
by attwoodw
>>>>>>>>>>>>>>Paste of email<<<<<<<<<<<<<<<<<
Dear Mr. Attwood,

The problem is caused by the program curl.exe resisting in several locations on your system.
In case “Curl.exe” exists in some directory that is also listed in your systems PATH environment variable, sa-update will use this version, instead of using the version that was shipped with SpamAssassin.

Please save the attached file as „sa-update“ and copy it to the directory and replace the original file:
C:\Program Files (x86)\Common Files\JAM Software\SpamAssassin\runtime\
This should fix the issue.

Best regards

>>>>>>>>>>>>>>end of Paste<<<<<<<<<<<<<<<<<

The email has answered my question and I have resolved the more than one curl.exe in the PATH environment variable, however there was no attached file to the email. I suspect the replacement "sa-update" has an additional absolute PATH variable to the SpamAssassin curl.exe

I found the additional curl.exe in my C:\Windows\System32\ folder "Windows 10 [Version 10.0.17134.165]"

I will update this when I receive the script from JAM

Re: sa-update SHA1 calculation bug

Posted: 2018-07-17 13:01
by attwoodw
Rerplacement sa-update file link

https://fileshare.jam-software.de/share ... cedownload

I have also attached it as a compressed file should the link expire

Save the file as „sa-update“ and copy it to the directory and replace the original file:
C:\Program Files (x86)\Common Files\JAM Software\SpamAssassin\runtime\


The attached compressed file contains the JAM replacement sa-update
sa-update.7z
(19.23 KiB) Downloaded 145 times

I hope someone finds this useful

Best Wishes
Wayne

Re: sa-update SHA1 calculation bug

Posted: 2018-07-20 09:38
by KooiInc
Hi Wayne, thanks for your efforts and the file. It made my day!

Regards /Renzo Kooi

Re: sa-update SHA1 calculation bug

Posted: 2019-02-01 18:41
by PVi1
Hi all,

in my case, archive file with rules was only partially downloaded - eg its size was about 55KB instead of cca 290KB.
So I started sa-update with -D args and watched the output. I have tried to download that archive from my PC and it worked fine, so it was clear that it is not a server issue. So I have started to remove unessessary arguments from curl command responsible for downloading that archive.
That way I have found that problem was caused by curl -z argument! :oops:

So I have edited sa-update file, on line 1472 and commented statement responsible or adding -z argument:

Code: Select all

    #push(@args, '-z', $out_fname_short)  if $out_fname_exists && !$force_reload;
Saved and restarted sa-update via:

Code: Select all

. /opt/zimbra/.bashrc; /opt/zimbra/libexec/zmsaupdate
All is working fine now and amavisd started successfully!

Enjoy zimbra with antispam protection enabled.... :P

It tooks me 3 hours to figure it :evil:

Regards,

Peter