From 4ad2a2a84d2e598b518b6c489d54062424f85485 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 01 2017 03:26:20 +0000 Subject: import procmail-3.22-36.el7 --- diff --git a/SOURCES/procmail-3.22-out-of-bounds-rw-fixes.patch b/SOURCES/procmail-3.22-out-of-bounds-rw-fixes.patch new file mode 100644 index 0000000..8563ea3 --- /dev/null +++ b/SOURCES/procmail-3.22-out-of-bounds-rw-fixes.patch @@ -0,0 +1,58 @@ +diff --git a/src/cstdio.c b/src/cstdio.c +index 7b6fe6d..0a0bd5b 100644 +--- a/src/cstdio.c ++++ b/src/cstdio.c +@@ -144,7 +144,7 @@ int getbl(p,end)char*p,*end; /* my gets */ + { case '\n':case EOF:*q='\0'; + return overflow?-1:p!=q; /* did we read anything at all? */ + } +- if(q==end) /* check here so that a trailing backslash won't be lost */ ++ if(q>=end) /* check here so that a trailing backslash won't be lost */ + q=p,overflow=1; + *q++=i; + } +@@ -199,7 +199,7 @@ int getlline(target,end)char*target,*end; + if(*(target=strchr(target,'\0')-1)=='\\') + { if(chp2!=target) /* non-empty line? */ + target++; /* then preserve the backslash */ +- if(target>end-2) /* space enough for getbl? */ ++ if(target>=end-2) /* space enough for getbl? */ + target=end-linebuf,overflow=1; /* toss what we have */ + continue; + } +diff --git a/src/formail.c b/src/formail.c +index 1f5c9dd..49b9967 100644 +--- a/src/formail.c ++++ b/src/formail.c +@@ -219,7 +219,8 @@ static char*getsender(namep,fldp,headreply)char*namep;struct field*fldp; + if(i>=0&&(i!=maxindex(sest)||fldp==rdheader)) /* found anything? */ + { char*saddr;char*tmp; /* determine the weight */ + nowm=areply&&headreply?headreply==1?sest[i].wrepl:sest[i].wrrepl:i;chp+=j; +- tmp=malloc(j=fldp->Tot_len-j);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0'; ++ tmp=malloc((j=fldp->Tot_len-j) + 1);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0'; ++ chp[j]='\0'; + if(sest[i].head==From_) + { char*pastad; + if(strchr(saddr=chp,'\n')) /* multiple From_ lines */ +@@ -364,7 +365,7 @@ static PROGID; + + int main(lastm,argv)int lastm;const char*const argv[]; + { int i,split=0,force=0,bogus=1,every=0,headreply=0,digest=0,nowait=0,keepb=0, +- minfields=(char*)progid-(char*)progid,conctenate=0,babyl=0,babylstart, ++ minfields=(char*)progid-(char*)progid,conctenate=0,babyl=0,babylstart=0, + berkeley=0,forgetclen; + long maxlen,ctlength;FILE*idcache=0;pid_t thepid; + size_t j,lnl,escaplen;char*chp,*namep,*escap=ESCAP; +diff --git a/src/formisc.c b/src/formisc.c +index c48df52..5c2869d 100644 +--- a/src/formisc.c ++++ b/src/formisc.c +@@ -66,7 +66,7 @@ inc: start++; + retz: *target='\0'; + ret: return start; + } +- if(*start=='\\') ++ if(*start=='\\' && *(start + 1)) + *target++='\\',start++; + hitspc=2; + goto normal; /* normal word */ diff --git a/SPECS/procmail.spec b/SPECS/procmail.spec index c1b8592..6cd31b5 100644 --- a/SPECS/procmail.spec +++ b/SPECS/procmail.spec @@ -8,7 +8,7 @@ Summary: Mail processing program Name: procmail Version: 3.22 -Release: 35%{?dist} +Release: 36%{?dist} License: GPLv2+ or Artistic Group: Applications/Internet # Source: ftp://ftp.procmail.org/pub/procmail/procmail-%{version}.tar.gz @@ -25,6 +25,7 @@ Patch4: procmail-3.22-truncate.patch Patch5: procmail-3.22-ipv6.patch Patch6: procmail-3.22-getline.patch Patch7: procmail-3.22-CVE-2014-3618.patch +Patch8: procmail-3.22-out-of-bounds-rw-fixes.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -44,6 +45,7 @@ forward certain incoming mail automatically to someone. %patch5 -p1 -b .ipv6 %patch6 -p1 -b .getline %patch7 -p1 -b .CVE-2014-3618 +%patch8 -p1 -b .out-of-bounds-rw-fixes find examples -type f | xargs chmod 644 @@ -79,6 +81,10 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man[15]/* %changelog +* Wed Mar 22 2017 Jaroslav Škarvada - 3.22-36 +- Fixed several out of bounds RWs + Resolves: rhbz#1138526 + * Thu Sep 4 2014 Jaroslav Škarvada - 3.22-35 - Fixed buffer overflow in formail Resolves: CVE-2014-3618