Date: Thursday, November 30, 2017 @ 12:51:02 Author: anthraxx Revision: 270842
upgpkg: exim 4.89.1-1 (security update) https://security.archlinux.org/AVG-518 CVE-2017-16944 CVE-2017-16943 CVE-2017-10140 CVE-2017-1000369 Modified: exim/trunk/PKGBUILD Deleted: exim/trunk/CVE-2017-1000369.patch exim/trunk/CVE-2017-16943.patch ------------------------+ CVE-2017-1000369.patch | 68 ----------------------------------------------- CVE-2017-16943.patch | 56 -------------------------------------- PKGBUILD | 25 +++++------------ 3 files changed, 8 insertions(+), 141 deletions(-) Deleted: CVE-2017-1000369.patch =================================================================== --- CVE-2017-1000369.patch 2017-11-30 12:09:23 UTC (rev 270841) +++ CVE-2017-1000369.patch 2017-11-30 12:51:02 UTC (rev 270842) 
@@ -1,68 +0,0 @@ -From 65e061b76867a9ea7aeeb535341b790b90ae6c21 Mon Sep 17 00:00:00 2001 -From: "Heiko Schlittermann (HS12-RIPE)" <h...@schlittermann.de> -Date: Wed, 31 May 2017 23:08:56 +0200 -Subject: [PATCH] Cleanup (prevent repeated use of -p/-oMr to avoid mem leak) - ---- - doc/doc-docbook/spec.xfpt | 3 ++- - src/src/exim.c | 19 +++++++++++++++++-- - 2 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt -index 06373ccde..7816bc26d 100644 ---- a/doc/doc-docbook/spec.xfpt -+++ b/doc/doc-docbook/spec.xfpt -@@ -4274,7 +4274,7 @@ or &%-bs%& is used. For &%-bh%&, the protocol is forced to one of the standard - SMTP protocol names (see the description of &$received_protocol$& in section - &<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by - one of those same names. For &%-bS%& (batched SMTP) however, the protocol can --be set by &%-oMr%&. -+be set by &%-oMr%&. Repeated use of this option is not supported. - - .vitem &%-oMs%&&~<&'host&~name'&> - .oindex "&%-oMs%&" -@@ -4374,6 +4374,7 @@ host name and its colon can be omitted when only the protocol is to be set. - Note the Exim already has two private options, &%-pd%& and &%-ps%&, that refer - to embedded Perl. It is therefore impossible to set a protocol value of &`d`& - or &`s`& using this option (but that does not seem a real limitation). -+Repeated use of this option is not supported. 
- - .vitem &%-q%& - .oindex "&%-q%&" -diff --git a/src/src/exim.c b/src/src/exim.c -index 67583e584..88e119778 100644 ---- a/src/src/exim.c -+++ b/src/src/exim.c -@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++) - - /* -oMr: Received protocol */ - -- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; -+ else if (Ustrcmp(argrest, "Mr") == 0) -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ else received_protocol = argv[++i]; - - /* -oMs: Set sender host name */ - -@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++) - - if (*argrest != 0) - { -- uschar *hn = Ustrchr(argrest, ':'); -+ uschar *hn; -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ -+ hn = Ustrchr(argrest, ':'); - if (hn == NULL) - { - received_protocol = argrest; Deleted: CVE-2017-16943.patch =================================================================== --- CVE-2017-16943.patch 2017-11-30 12:09:23 UTC (rev 270841) +++ CVE-2017-16943.patch 2017-11-30 12:51:02 UTC (rev 270842) 
@@ -1,56 +0,0 @@ -From 4090d62a4b25782129cc1643596dc2f6e8f63bde Mon Sep 17 00:00:00 2001 -From: Jeremy Harris <jgh146...@wizmail.org> -Date: Fri, 24 Nov 2017 20:22:33 +0000 -Subject: [PATCH 1/1] Avoid release of store if there have been later - allocations. Bug 2199 - ---- - doc/doc-txt/ChangeLog | 4 ++++ - src/src/receive.c | 7 ++++--- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog -index e937ba2..a2d9339 100644 ---- a/doc/doc-txt/ChangeLog -+++ b/doc/doc-txt/ChangeLog -@@ -59,6 +59,10 @@ JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for - connection in response to HELO" was logged instead of the actual 4xx - error for the HELO. - -+JH/34 Bug 2199: fix a use-after-free while reading smtp input for header lines. -+ A crafted sequence of BDAT commands could result in in-use memory beeing -+ freed. -+ - - Exim version 4.89 - ----------------- -diff --git a/src/src/receive.c b/src/src/receive.c -index 95cf13e..20672db 100644 ---- a/src/src/receive.c -+++ b/src/src/receive.c -@@ -1772,8 +1772,8 @@ for (;;) - (and sometimes lunatic messages can have ones that are 100s of K long) we - call store_release() for strings that have been copied - if the string is at - the start of a block (and therefore the only thing in it, because we aren't -- doing any other gets), the block gets freed. We can only do this because we -- know there are no other calls to store_get() going on. */ -+ doing any other gets), the block gets freed. We can only do this release if -+ there were no allocations since the once that we want to free. 
*/ - - if (ptr >= header_size - 4) - { -@@ -1782,9 +1782,10 @@ for (;;) - header_size *= 2; - if (!store_extend(next->text, oldsize, header_size)) - { -+ BOOL release_ok = store_last_get[store_pool] == next->text; - uschar *newtext = store_get(header_size); - memcpy(newtext, next->text, ptr); -- store_release(next->text); -+ if (release_ok) store_release(next->text); - next->text = newtext; - } - } --- -1.9.1 - Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-11-30 12:09:23 UTC (rev 270841) +++ PKGBUILD 2017-11-30 12:51:02 UTC (rev 270842) @@ -6,8 +6,8 @@ # Contributor: judd <jvi...@zeroflux.org> pkgname=exim -pkgver=4.89 -pkgrel=2 +pkgver=4.89.1 +pkgrel=1 pkgdesc='Message Transfer Agent' arch=('x86_64') url='http://www.exim.org/' @@ -25,10 +25,8 @@ exim.service exim@.service exim.socket - exim-submission.socket - CVE-2017-16943.patch - CVE-2017-1000369.patch) -sha512sums=('1e059966a93b47f055ab4ec2a4556f2c918aff56ea0367585f3a853f00411e9c275e13be4f9ae615a468fa06263135cd6a138fa1753f1b7fb3259a3321fcca65' + exim-submission.socket) +sha512sums=('391102c5af991c3f9035aefadd031a9ab2505c682a5cd9c2268f82edb01dc5edec94d86e298d2be3c0437c261b63fb2662cc37f4de67106b0325f2c3bf7e0b9e' 'SKIP' 'a91c6a9e5b3ac9d143741dba01e11616812ba44c3a8c768c8232364026460f0b8fdeeb120a2f2b86742a6e3ebbfc9d6335b86d108b044e43108b4a6f0374c9ad' 'd8e3b466e0bba8175cfe762058dec49018495a260aa5efd139f4ef435284c305958cbd7fc514e81042146368b749ae38f0bf276fc0b4b91918ef33126900aa81' 
@@ -37,21 +35,14 @@ 'e2fc3966c320460a26fbbf83e98df725587dc126dfe9d7a84c3285eb4b22a061b30499425c70f3d73cf13aa81c194274004efd20ce1316836463b982117909f8' '11c8133ee15b3e5193c9b1c59aed66c81b6e045dd23310bede9fcde6c88905db5ef08afdb798b53b75a7465915ea1247e980edf95db07a7f9b7bb58ce95fbb5a' 'db621116907ceb573e6f34581f47c91f751bff593054d7ddc32397b34c7f2405bec184bdb0589d2ac457fa3a61bcba072761e3a6293a99c9c764d2d9fd6069ae' - '4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d' - '28c141cf557ccecd14063ca687af94c1aa9b369148139b07c167da06b6f5a280028cc6c733925565f24887d269dd5b149c62a3d76058a65f6354f96d1b93cd9e' - 'ac3b606396302a5494d4f5c68e12781cb156168c787ea7ad1a397c516109de5689691668cd020eafba4bac4219c11218900935827555ed38fa7c806023acc95a') -validpgpkeys=('C693A034E1ED6EE954CAE2DA13DAD99C7E41519C' - 'ACBB4324393ADE3515DA2DDA4D1E900E14C1CC04') # Phil Pennock <phil.penn...@spodhuis.org> + '4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d') +validpgpkeys=('C693A034E1ED6EE954CAE2DA13DAD99C7E41519C' # Phil Pennock <p...@exim.org> + 'ACBB4324393ADE3515DA2DDA4D1E900E14C1CC04' # Phil Pennock <phil.penn...@spodhuis.org> + 'E5CA331D44AB8E4C806FDBEE26101B62F69376CE') # Heiko Schlittermann (Exim MTA Maintainer) <he...@exim.org> build() { cd $pkgname-$pkgver - patch -p1 < "${srcdir}/CVE-2017-16943.patch" - patch -p1 < "${srcdir}/CVE-2017-1000369.patch" -} -build() { - cd $pkgname-$pkgver - cp ../$pkgname.Makefile Local/Makefile make }
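Review bot: The key added as the third `validpgpkeys` entry, `E5CA331D44AB8E4C806FDBEE26101B62F69376CE`, becomes a trust anchor for the exim source tarball, yet neither the commit message nor the PKGBUILD says how that fingerprint was confirmed. It arrives in the same commit as the new tarball `sha512sums` entry, and with the two `patch -p1` steps gone from `build()` the package is built from the release tarball as-is, so the signature check is the control that carries this update. The `'SKIP'` checksum in the earlier hunk is presumably the detached signature file, which would be consistent with that, but the `source` array is only partly visible here. I would record the provenance next to the key, for example `'E5CA331D44AB8E4C806FDBEE26101B62F69376CE') # Heiko Schlittermann (Exim MTA Maintainer), fingerprint checked against <where it was verified>`.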