[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: procmail: Fix CVE-2017-16844.
From: |
Leo Famulari |
Subject: |
01/01: gnu: procmail: Fix CVE-2017-16844. |
Date: |
Tue, 21 Nov 2017 21:58:48 -0500 (EST) |
lfam pushed a commit to branch master
in repository guix.
commit c297e965d51a332b15bccbb180d6f9a400cb8805
Author: Leo Famulari <address@hidden>
Date: Tue Nov 21 12:47:40 2017 -0500
gnu: procmail: Fix CVE-2017-16844.
* gnu/packages/patches/procmail-CVE-2017-16844.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/mail.scm (procmail)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/mail.scm | 3 ++-
gnu/packages/patches/procmail-CVE-2017-16844.patch | 25 ++++++++++++++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index f8e5539..0993c45 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -978,6 +978,7 @@ dist_patch_DATA =
\
%D%/packages/patches/portmidi-modular-build.patch \
%D%/packages/patches/procmail-ambiguous-getline-debian.patch \
%D%/packages/patches/procmail-CVE-2014-3618.patch \
+ %D%/packages/patches/procmail-CVE-2017-16844.patch \
%D%/packages/patches/proot-test-fhs.patch \
%D%/packages/patches/psm-arch.patch \
%D%/packages/patches/psm-ldflags.patch \
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 77d9351..38140d6 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -1611,7 +1611,8 @@ deliver it in various ways.")
;; getline() in formail.c. The patch is provided by Debian as
;; patch 24.
(patches (search-patches "procmail-ambiguous-getline-debian.patch"
- "procmail-CVE-2014-3618.patch"))))
+ "procmail-CVE-2014-3618.patch"
+ "procmail-CVE-2017-16844.patch"))))
(arguments
`(#:phases (modify-phases %standard-phases
(replace 'configure
diff --git a/gnu/packages/patches/procmail-CVE-2017-16844.patch
b/gnu/packages/patches/procmail-CVE-2017-16844.patch
new file mode 100644
index 0000000..b96540c
--- /dev/null
+++ b/gnu/packages/patches/procmail-CVE-2017-16844.patch
@@ -0,0 +1,25 @@
+Fix CVE-2017-16844:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
+
+Patch copied from Debian procmail package 3.22-26:
+
+http://http.debian.net/debian/pool/main/p/procmail/procmail_3.22-26.debian.tar.xz
+
+From: Santiago Vila <address@hidden>
+Subject: Fix heap-based buffer overflow in loadbuf()
+Bug-Debian: http://bugs.debian.org/876511
+X-Debian-version: 3.22-26
+
+--- a/src/formisc.c
++++ b/src/formisc.c
+@@ -103,7 +103,7 @@
+ }
+ /* append to buf */
+ void loadbuf(text,len)const char*const text;const size_t len;
+-{ if(buffilled+len>buflen) /* buf can't hold the text */
++{ while(buffilled+len>buflen) /* buf can't hold the text */
+ buf=realloc(buf,buflen+=Bsize);
+ tmemmove(buf+buffilled,text,len);buffilled+=len;
+ }