#10356: procmail: at least two CVE fixes
-------------------------+-------------------------
Reporter: ken@… | Owner: blfs-book@…
Type: enhancement | Status: new
Priority: high | Milestone: 8.2
Component: BOOK | Version: SVN
Severity: normal | Keywords:
-------------------------+-------------------------
I noticed a while back that Arch had picked up a CVE fix from debian. I've
now found time to dig down and sort out what fedora and debian are using.
The two CVEs are CVE-2014-3618.patch and CVE-2017-16844 (the latter is
what Arch added recently, and originated at debian).
There is also a 'truncate' and a 'crash fix' patch which look useful.
Fedora use a consolidated patch from debian procmail_3.22-8 but a lot of
it looks like policy rather than bug fixes.
Debian have a suite of 28 patches, names just 01-28, but many of these are
for policy, including in the documentation. There is also a patch to
enable ipv6, but I don't have any way to test that, and it seems to
require autoreconf, so I'm ignoring it since nobody has complained it
doesn't support ipv6.
Of the individual patches which were not policy and not ipv6, the
following are within the 3.22-8 patch that fedora use, so I've added
them:
10 (segfault in manifold.c)
14 (wrong amounts of memory allocated in a pipe)
17 (formail prints body if content length header is found)
I've prepared a consolidated patch, and applied it to my 8.1 system where
it seems to be working.
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/10356>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch