Date: Thursday, November 30, 2017 @ 00:58:53
Author: anthraxx
Revision: 270779
upgpkg: exim 4.89-2 (security update) CVE-2017-1000369 CVE-2017-16943

Added:
exim/trunk/CVE-2017-1000369.patch
exim/trunk/CVE-2017-16943.patch
Modified:
exim/trunk/PKGBUILD

------------------------+
CVE-2017-1000369.patch | 68 +++++++++++++++++++++++++++++++++++++++++++++++
CVE-2017-16943.patch | 56 ++++++++++++++++++++++++++++++++++++++
PKGBUILD | 22 +++++++++++----
3 files changed, 141 insertions(+), 5 deletions(-)

Added: CVE-2017-1000369.patch
===================================================================
--- CVE-2017-1000369.patch (rev 0)
+++ CVE-2017-1000369.patch 2017-11-30 00:58:53 UTC (rev 270779)
@@ -0,0 +1,68 @@
+From 65e061b76867a9ea7aeeb535341b790b90ae6c21 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <[email protected]>
+Date: Wed, 31 May 2017 23:08:56 +0200
+Subject: [PATCH] Cleanup (prevent repeated use of -p/-oMr to avoid mem leak)
+
+---
+ doc/doc-docbook/spec.xfpt | 3 ++-
+ src/src/exim.c | 19 +++++++++++++++++--
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
+index 06373ccde..7816bc26d 100644
+--- a/doc/doc-docbook/spec.xfpt
++++ b/doc/doc-docbook/spec.xfpt
+@@ -4274,7 +4274,7 @@ or &%-bs%& is used. For &%-bh%&, the protocol is forced to one of the standard
+ SMTP protocol names (see the description of &$received_protocol$& in section
+ &<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by
+ one of those same names. For &%-bS%& (batched SMTP) however, the protocol can
+-be set by &%-oMr%&.
++be set by &%-oMr%&. Repeated use of this option is not supported.
+ 
+ .vitem &%-oMs%&&~<&'host&~name'&>
+ .oindex "&%-oMs%&"
+@@ -4374,6 +4374,7 @@ host name and its colon can be omitted when only the protocol is to be set.
+ Note the Exim already has two private options, &%-pd%& and &%-ps%&, that refer
+ to embedded Perl. It is therefore impossible to set a protocol value of &`d`&
+ or &`s`& using this option (but that does not seem a real limitation).
++Repeated use of this option is not supported.
+ 
+ .vitem &%-q%&
+ .oindex "&%-q%&"
+diff --git a/src/src/exim.c b/src/src/exim.c
+index 67583e584..88e119778 100644
+--- a/src/src/exim.c
++++ b/src/src/exim.c
+@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++)
+ 
+ /* -oMr: Received protocol */
+ 
+- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
++ else if (Ustrcmp(argrest, "Mr") == 0)
++
++ if (received_protocol)
++ {
++ fprintf(stderr, "received_protocol is set already\n");
++ exit(EXIT_FAILURE);
++ }
++ else received_protocol = argv[++i];
+ 
+ /* -oMs: Set sender host name */
+ 
+@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++)
+ 
+ if (*argrest != 0)
+ {
+- uschar *hn = Ustrchr(argrest, ':');
++ uschar *hn;
++
++ if (received_protocol)
++ {
++ fprintf(stderr, "received_protocol is set already\n");
++ exit(EXIT_FAILURE);
++ }
++
++ hn = Ustrchr(argrest, ':');
+ if (hn == NULL)
+ {
+ received_protocol = argrest;
Added: CVE-2017-16943.patch
===================================================================
--- CVE-2017-16943.patch (rev 0)
+++ CVE-2017-16943.patch 2017-11-30 00:58:53 UTC (rev 270779)
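Review bot: The new `-oMr` branch in exim.c nests an unbraced `if`/`else` as the body of an `else if` inside the option chain, so the following `else if (Ustrcmp(argrest, "Ms") == 0)` only stays attached to the chain because the inner `if` happens to carry its own `else`; dropping or reordering that `else` later would silently re-bind the whole chain. Wrap the body in braces and make the assignment the fall-through: `else if (Ustrcmp(argrest, "Mr") == 0) {` / `if (received_protocol) { fprintf(stderr, "exim: -oMr/-p may only be given once\n"); exit(EXIT_FAILURE); }` / `received_protocol = argv[++i]; }`. That message also replaces a diagnostic that names an internal variable with one telling the operator which options conflict (both branches share `received_protocol`). The `argv[++i]` read with no check that an argument follows is pre-existing, not introduced by this patch. The enclosing `for (i = 1; i < argc; i++)` loop begins and ends outside the hunk.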
@@ -0,0 +1,56 @@
+From 4090d62a4b25782129cc1643596dc2f6e8f63bde Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <[email protected]>
+Date: Fri, 24 Nov 2017 20:22:33 +0000
+Subject: [PATCH 1/1] Avoid release of store if there have been later
+ allocations. Bug 2199
+
+---
+ doc/doc-txt/ChangeLog | 4 ++++
+ src/src/receive.c | 7 ++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
+index e937ba2..a2d9339 100644
+--- a/doc/doc-txt/ChangeLog
++++ b/doc/doc-txt/ChangeLog
+@@ -59,6 +59,10 @@ JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for
+ connection in response to HELO" was logged instead of the actual 4xx
+ error for the HELO.
+ 
++JH/34 Bug 2199: fix a use-after-free while reading smtp input for header lines.
++ A crafted sequence of BDAT commands could result in in-use memory beeing
++ freed.
++
+ 
+ Exim version 4.89
+ -----------------
+diff --git a/src/src/receive.c b/src/src/receive.c
+index 95cf13e..20672db 100644
+--- a/src/src/receive.c
++++ b/src/src/receive.c
+@@ -1772,8 +1772,8 @@ for (;;)
+ (and sometimes lunatic messages can have ones that are 100s of K long) we
+ call store_release() for strings that have been copied - if the string is at
+ the start of a block (and therefore the only thing in it, because we aren't
+- doing any other gets), the block gets freed. We can only do this because we
+- know there are no other calls to store_get() going on. */
++ doing any other gets), the block gets freed. We can only do this release if
++ there were no allocations since the once that we want to free. */
+ 
+ if (ptr >= header_size - 4)
+ {
+@@ -1782,9 +1782,10 @@ for (;;)
+ header_size *= 2;
+ if (!store_extend(next->text, oldsize, header_size))
+ {
++ BOOL release_ok = store_last_get[store_pool] == next->text;
+ uschar *newtext = store_get(header_size);
+ memcpy(newtext, next->text, ptr);
+- store_release(next->text);
++ if (release_ok) store_release(next->text);
+ next->text = newtext;
+ }
+ }
+-- 
+1.9.1
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-11-29 23:19:42 UTC (rev 270778)
+++ PKGBUILD 2017-11-30 00:58:53 UTC (rev 270779)
@@ -7,7 +7,7 @@
 pkgname=exim
 pkgver=4.89
-pkgrel=1
+pkgrel=2
 pkgdesc='Message Transfer Agent'
 arch=('x86_64')
 url='http://www.exim.org/'
@@ -17,8 +17,7 @@
 depends=('gdbm' 'pcre' 'pam' 'openssl' 'libldap')
 provides=('smtp-server' 'smtp-forwarder')
 conflicts=('smtp-server' 'smtp-forwarder')
-options=('!makeflags')
-source=("ftp://ftp.exim.org/pub/exim/exim4/exim-$pkgver.tar.bz2"
+source=("https://ftp.exim.org/pub/exim/exim4/exim-$pkgver.tar.bz2"{,.asc}
 aliases
 exim.logrotate
 exim.Makefile
@@ -26,8 +25,11 @@
 exim.service
 [email protected]
 exim.socket
- exim-submission.socket)
+ exim-submission.socket
+ CVE-2017-16943.patch
+ CVE-2017-1000369.patch)
 sha512sums=('1e059966a93b47f055ab4ec2a4556f2c918aff56ea0367585f3a853f00411e9c275e13be4f9ae615a468fa06263135cd6a138fa1753f1b7fb3259a3321fcca65'
+ 'SKIP'
 'a91c6a9e5b3ac9d143741dba01e11616812ba44c3a8c768c8232364026460f0b8fdeeb120a2f2b86742a6e3ebbfc9d6335b86d108b044e43108b4a6f0374c9ad'
 'd8e3b466e0bba8175cfe762058dec49018495a260aa5efd139f4ef435284c305958cbd7fc514e81042146368b749ae38f0bf276fc0b4b91918ef33126900aa81'
 '27164b44ff6d99942aaea876f8b7b974f2f668b3b2a5993eecaf6cfa418b08bf16520423070da27268e7f0f4a9d55a8a362430152427dc390e6286500089e6df'
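Review bot: When `release_ok` is false the new receive.c code deliberately keeps the old `next->text` block alive instead of freeing it, but nothing at the call site says so, and a later reader may "fix" the apparent leak and reintroduce Bug 2199. Add a comment above `if (release_ok) store_release(next->text);` such as `/* Release only if nothing was allocated after next->text; otherwise leave it for the pool to reclaim - freeing it here would be a use-after-free (Bug 2199). */`. The guard relies on `store_last_get[store_pool]` being kept current by every allocation path in store.c, which this patch does not show; presumably it is, but that is the assumption the whole fix rests on and is worth confirming. Minor wording in the rewritten comment ("since the once that we want to free" should read "one") and in the ChangeLog ("beeing"). The enclosing `for (;;)` loop begins and ends outside the hunk.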
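Review bot: Dropping `options=('!makeflags')` in the `@@ -17,8 +17,7 @@` PKGBUILD hunk re-enables parallel `make` for exim, an unrelated build-behaviour change riding along in a security bump; if exim's Makefile is not parallel-safe (the usual reason that option is present) the rebuild can fail or race non-deterministically on the very update users are waiting for. Keep `options=('!makeflags')` in this commit and remove it in a separate change once a parallel build has been verified. Moving the tarball to https and fetching the `.asc` signature next to it is a good addition.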
@@ -35,11 +37,21 @@
 'e2fc3966c320460a26fbbf83e98df725587dc126dfe9d7a84c3285eb4b22a061b30499425c70f3d73cf13aa81c194274004efd20ce1316836463b982117909f8'
 '11c8133ee15b3e5193c9b1c59aed66c81b6e045dd23310bede9fcde6c88905db5ef08afdb798b53b75a7465915ea1247e980edf95db07a7f9b7bb58ce95fbb5a'
 'db621116907ceb573e6f34581f47c91f751bff593054d7ddc32397b34c7f2405bec184bdb0589d2ac457fa3a61bcba072761e3a6293a99c9c764d2d9fd6069ae'
- '4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d')
+ '4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d'
+ '28c141cf557ccecd14063ca687af94c1aa9b369148139b07c167da06b6f5a280028cc6c733925565f24887d269dd5b149c62a3d76058a65f6354f96d1b93cd9e'
+ 'ac3b606396302a5494d4f5c68e12781cb156168c787ea7ad1a397c516109de5689691668cd020eafba4bac4219c11218900935827555ed38fa7c806023acc95a')
+validpgpkeys=('C693A034E1ED6EE954CAE2DA13DAD99C7E41519C'
+ 'ACBB4324393ADE3515DA2DDA4D1E900E14C1CC04') # Phil Pennock <[email protected]>
 
 build() {
 cd $pkgname-$pkgver
+ patch -p1 < "${srcdir}/CVE-2017-16943.patch"
+ patch -p1 < "${srcdir}/CVE-2017-1000369.patch"
+}
+build() {
+ cd $pkgname-$pkgver
+
 
 cp ../$pkgname.Makefile Local/Makefile
 make
 }
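Review bot: The new side of this hunk defines `build()` twice: the unchanged context line `build() {` is now closed by the added `+}` right after the two `patch` calls, and `+build() {` opens a second definition, and since bash keeps the last definition the two `patch -p1` lines never run, so the package would ship 4.89 without either CVE fix despite the pkgrel bump. The first function has to be `prepare() {`, i.e. the context line `build() {` should become `prepare() {`, so makepkg applies the patches before building. Annotating the first `validpgpkeys` entry with its owner, as the second one is, would let a future key change be checked against a named upstream signer. The `patch` calls must abort the build if a hunk fails to apply; presumably makepkg's function wrapper already stops on a non-zero exit, but that is worth confirming rather than assumed.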
