commit:     e7434ec7eeb4b4be5cd53cebba9576f940b076e9
Author:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 29 08:50:07 2017 +0000
Commit:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Wed Nov 29 08:50:07 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7434ec7

mail-mta/exim: add patch for CVE-2017-16944, bug #638772

Original patch is slightly adjusted to the 4.98 codebase in order to
apply.

Bug: https://bugs.gentoo.org/638772
Package-Manager: Portage-2.3.13, Repoman-2.3.3

 .../{exim-4.89-r4.ebuild => exim-4.89-r5.ebuild}   |  1 +
 mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch | 57 ++++++++++++++++++++++
 2 files changed, 58 insertions(+)

diff --git a/mail-mta/exim/exim-4.89-r4.ebuild b/mail-mta/exim/exim-4.89-r5.ebuild
similarity index 99%
rename from mail-mta/exim/exim-4.89-r4.ebuild
rename to mail-mta/exim/exim-4.89-r5.ebuild
index 14b6181d4cb..c6da0e48afc 100644
--- a/mail-mta/exim/exim-4.89-r4.ebuild
+++ b/mail-mta/exim/exim-4.89-r5.ebuild
@@ -98,6 +98,7 @@ src_prepare() {
        epatch "${FILESDIR}"/${P}-transport-crash.patch # from git/in next release
        epatch "${FILESDIR}"/${P}-address-expando-crash.patch # from git/in next release
        epatch "${FILESDIR}"/${P}-CVE-2017-16943.patch # from git/in next release
+       epatch "${FILESDIR}"/${P}-CVE-2017-16944.patch # from git/in next release
 
        if use maildir ; then
                epatch "${FILESDIR}"/exim-4.20-maildir.patch

diff --git a/mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch b/mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch
new file mode 100644
index 00000000000..285a6170aa8
--- /dev/null
+++ b/mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch
@@ -0,0 +1,57 @@
+From 178ecb70987f024f0e775d87c2f8b2cf587dd542 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <[email protected]>
+Date: Mon, 27 Nov 2017 22:42:33 +0100
+Subject: [PATCH] Chunking: do not treat the first lonely dot special.
+ CVE-2017-16944, Bug 2201
+
+Modified to apply on 4.89-gentoo
+
+---
+ src/src/receive.c | 2 +-
+ src/src/smtp_in.c | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/src/receive.c b/src/src/receive.c
+index 541eba1..417e975 100644
+--- a/src/src/receive.c
++++ b/src/src/receive.c
+@@ -1865,7 +1865,7 @@ for (;;)
+   prevent further reading), and break out of the loop, having freed the
+   empty header, and set next = NULL to indicate no data line. */
+ 
+-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
++  if (ptr == 0 && ch == '.' && dot_ends)
+     {
+     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (ch == '\r')
+diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
+index 1fdb705..0aabc53 100644
+--- a/src/src/smtp_in.c
++++ b/src/src/smtp_in.c
+@@ -5094,16 +5094,23 @@ while (done <= 0)
+       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+                                   (int)chunking_state, chunking_data_left);
+ 
++      /* push the current receive_* function on the "stack", and
++      replace them by bdat_getc(), which in turn will use the lwr_receive_*
++      functions to do the dirty work. */
+       lwr_receive_getc = receive_getc;
+       lwr_receive_ungetc = receive_ungetc;
++
+       receive_getc = bdat_getc;
+       receive_ungetc = bdat_ungetc;
+ 
++      dot_ends = FALSE;
++
+       goto DATA_BDAT;
+       }
+ 
+     case DATA_CMD:
+     HAD(SCH_DATA);
++    dot_ends = TRUE;
+ 
+     DATA_BDAT:                /* Common code for DATA and BDAT */
+     if (!discarded && recipients_count <= 0)
+-- 
+1.9.1
+
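Review bot: The two `dot_ends` assignments added in smtp_in.c carry the whole fix but have no comment, while the only comment the patch adds describes the receive_* function swap. Since the receive.c test becomes `ptr == 0 && ch == '.' && dot_ends` and no longer checks `smtp_input`, lone-dot handling for SMTP input now depends entirely on this flag having been set by the command that started the transfer. I would annotate both sites, e.g. `dot_ends = FALSE;  /* BDAT is length-delimited: a lone "." is message data, not end-of-message (CVE-2017-16944) */` and `dot_ends = TRUE;   /* DATA is dot-terminated */`. Only the BDAT branch and `case DATA_CMD` are visible here, and both enclosing loops (`for (;;)` in receive.c, `while (done <= 0)` in smtp_in.c) start and end outside the patch, so it is worth confirming against the full 4.89 source that no other SMTP input path reaches the receive.c loop with a stale value of the flag. The header line "Modified to apply on 4.89-gentoo" would also be easier to audit against upstream commit 178ecb7 if it said what was adjusted.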
