Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id
<2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1014221,
regarding bullseye-pu:package procmail/3.22-26+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014221
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
Dear release managers: There was a NULL pointer dereference fix in
procmail which I've just applied to bullseye as well. There is no CVE
for this, but nevertheless it's the type of bug I don't want to see in
stable.
The patch was taken from the author's git repository and it has been
working in testing/unstable for several months now.
The debdiff is attached.
(I will also try to upload for buster before its final release)
Thanks.
diff -Nru procmail-3.22/debian/changelog procmail-3.22/debian/changelog
--- procmail-3.22/debian/changelog 2017-11-16 23:42:36.000000000 +0100
+++ procmail-3.22/debian/changelog 2022-07-02 13:20:00.000000000 +0200
@@ -1,3 +1,11 @@
+procmail (3.22-26+deb11u1) unstable; urgency=medium
+
+ * Fix NULL pointer dereference. Closes: #769938.
+ Reported by Jakub Wilk using American Fuzzy Lop.
+ Patch from Stephen R. van den Berg.
+
+ -- Santiago Vila <[email protected]> Sat, 02 Jul 2022 13:20:00 +0200
+
procmail (3.22-26) unstable; urgency=medium
* Fix buffer overflow in loadbuf(). Closes: #876511.
diff -Nru procmail-3.22/debian/patches/31 procmail-3.22/debian/patches/31
--- procmail-3.22/debian/patches/31 1970-01-01 01:00:00.000000000 +0100
+++ procmail-3.22/debian/patches/31 2022-07-02 12:32:00.000000000 +0200
@@ -0,0 +1,19 @@
+From: Stephen R. van den Berg <[email protected]>
+Subject: Cater for mails containing an incomplete From_ line.
+Bug-Debian: http://bugs.debian.org/769938
+X-Debian-version: 3.22-27
+
+--- a/src/from.c
++++ b/src/from.c
+@@ -117,7 +117,10 @@
+ themail.p[extra]='\0'; /* terminate it for strchr */
+ }
+ while(!(rstart=strchr(themail.p,'\n')));
+- extra=rstart?extra-(++rstart-themail.p):0;
++ if (rstart)
++ extra -= ++rstart - themail.p;
++ else
++ extra = 0, rstart = themail.p;
+ }
+ else
+ { size_t tfrl= ++rstart-themail.p; /* length of existing From_ line */
diff -Nru procmail-3.22/debian/patches/series
procmail-3.22/debian/patches/series
--- procmail-3.22/debian/patches/series 2017-11-16 23:41:45.000000000 +0100
+++ procmail-3.22/debian/patches/series 2022-07-02 12:00:00.000000000 +0200
@@ -29,3 +29,4 @@
28
29
30
+31
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4
(re-sending with fixed bug numbers)
Hi,
The updates discussed in these bugs were included in today's bullseye
point release.
Regards,
Adam
--- End Message ---
