gnu: procmail: Fix CVE-2014-3618.
* gnu/packages/patches/procmail-CVE-2014-3618.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/mail.scm (procmail): Use it.
This commit is contained in:
parent
c68d8126f9
commit
1d982d787d
|
@ -689,6 +689,7 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/portaudio-audacity-compat.patch \
|
%D%/packages/patches/portaudio-audacity-compat.patch \
|
||||||
%D%/packages/patches/portmidi-modular-build.patch \
|
%D%/packages/patches/portmidi-modular-build.patch \
|
||||||
%D%/packages/patches/procmail-ambiguous-getline-debian.patch \
|
%D%/packages/patches/procmail-ambiguous-getline-debian.patch \
|
||||||
|
%D%/packages/patches/procmail-CVE-2014-3618.patch \
|
||||||
%D%/packages/patches/pt-scotch-build-parallelism.patch \
|
%D%/packages/patches/pt-scotch-build-parallelism.patch \
|
||||||
%D%/packages/patches/pulseaudio-fix-mult-test.patch \
|
%D%/packages/patches/pulseaudio-fix-mult-test.patch \
|
||||||
%D%/packages/patches/pulseaudio-longer-test-timeout.patch \
|
%D%/packages/patches/pulseaudio-longer-test-timeout.patch \
|
||||||
|
|
|
@ -1149,7 +1149,8 @@ deliver it in various ways.")
|
||||||
;; The following patch fixes an ambiguous definition of
|
;; The following patch fixes an ambiguous definition of
|
||||||
;; getline() in formail.c. The patch is provided by Debian as
|
;; getline() in formail.c. The patch is provided by Debian as
|
||||||
;; patch 24.
|
;; patch 24.
|
||||||
(patches (search-patches "procmail-ambiguous-getline-debian.patch"))))
|
(patches (search-patches "procmail-ambiguous-getline-debian.patch"
|
||||||
|
"procmail-CVE-2014-3618.patch"))))
|
||||||
(arguments
|
(arguments
|
||||||
`(#:phases (modify-phases %standard-phases
|
`(#:phases (modify-phases %standard-phases
|
||||||
(replace 'configure
|
(replace 'configure
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
Fixes CVE-2014-3618 (heap overflow in formisc.c allowing denial of
|
||||||
|
service and potential remote execution of arbitrary code).
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618
|
||||||
|
|
||||||
|
Source:
|
||||||
|
http://seclists.org/oss-sec/2014/q3/495
|
||||||
|
|
||||||
|
Adopted by Debian as patch '27':
|
||||||
|
https://sources.debian.net/src/procmail/3.22-25/debian/patches/27/
|
||||||
|
|
||||||
|
--- a/src/formisc.c
|
||||||
|
+++ b/src/formisc.c
|
||||||
|
@@ -84,12 +84,11 @@
|
||||||
|
case '"':*target++=delim='"';start++;
|
||||||
|
}
|
||||||
|
;{ int i;
|
||||||
|
- do
|
||||||
|
+ while(*start)
|
||||||
|
if((i= *target++= *start++)==delim) /* corresponding delimiter? */
|
||||||
|
break;
|
||||||
|
else if(i=='\\'&&*start) /* skip quoted character */
|
||||||
|
*target++= *start++;
|
||||||
|
- while(*start); /* anything? */
|
||||||
|
}
|
||||||
|
hitspc=2;
|
||||||
|
}
|
Loading…
Reference in New Issue