gnu: procmail: Fix CVE-2017-16844.
* gnu/packages/patches/procmail-CVE-2017-16844.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/mail.scm (procmail)[source]: Use it.master
parent
3ebbf6d218
commit
c297e965d5
|
@ -978,6 +978,7 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/portmidi-modular-build.patch \
|
%D%/packages/patches/portmidi-modular-build.patch \
|
||||||
%D%/packages/patches/procmail-ambiguous-getline-debian.patch \
|
%D%/packages/patches/procmail-ambiguous-getline-debian.patch \
|
||||||
%D%/packages/patches/procmail-CVE-2014-3618.patch \
|
%D%/packages/patches/procmail-CVE-2014-3618.patch \
|
||||||
|
%D%/packages/patches/procmail-CVE-2017-16844.patch \
|
||||||
%D%/packages/patches/proot-test-fhs.patch \
|
%D%/packages/patches/proot-test-fhs.patch \
|
||||||
%D%/packages/patches/psm-arch.patch \
|
%D%/packages/patches/psm-arch.patch \
|
||||||
%D%/packages/patches/psm-ldflags.patch \
|
%D%/packages/patches/psm-ldflags.patch \
|
||||||
|
|
|
@ -1611,7 +1611,8 @@ deliver it in various ways.")
|
||||||
;; getline() in formail.c. The patch is provided by Debian as
|
;; getline() in formail.c. The patch is provided by Debian as
|
||||||
;; patch 24.
|
;; patch 24.
|
||||||
(patches (search-patches "procmail-ambiguous-getline-debian.patch"
|
(patches (search-patches "procmail-ambiguous-getline-debian.patch"
|
||||||
"procmail-CVE-2014-3618.patch"))))
|
"procmail-CVE-2014-3618.patch"
|
||||||
|
"procmail-CVE-2017-16844.patch"))))
|
||||||
(arguments
|
(arguments
|
||||||
`(#:phases (modify-phases %standard-phases
|
`(#:phases (modify-phases %standard-phases
|
||||||
(replace 'configure
|
(replace 'configure
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
Fix CVE-2017-16844:
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844
|
||||||
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
|
||||||
|
|
||||||
|
Patch copied from Debian procmail package 3.22-26:
|
||||||
|
|
||||||
|
http://http.debian.net/debian/pool/main/p/procmail/procmail_3.22-26.debian.tar.xz
|
||||||
|
|
||||||
|
From: Santiago Vila <sanvila@debian.org>
|
||||||
|
Subject: Fix heap-based buffer overflow in loadbuf()
|
||||||
|
Bug-Debian: http://bugs.debian.org/876511
|
||||||
|
X-Debian-version: 3.22-26
|
||||||
|
|
||||||
|
--- a/src/formisc.c
|
||||||
|
+++ b/src/formisc.c
|
||||||
|
@@ -103,7 +103,7 @@
|
||||||
|
}
|
||||||
|
/* append to buf */
|
||||||
|
void loadbuf(text,len)const char*const text;const size_t len;
|
||||||
|
-{ if(buffilled+len>buflen) /* buf can't hold the text */
|
||||||
|
+{ while(buffilled+len>buflen) /* buf can't hold the text */
|
||||||
|
buf=realloc(buf,buflen+=Bsize);
|
||||||
|
tmemmove(buf+buffilled,text,len);buffilled+=len;
|
||||||
|
}
|
Reference in New Issue