From: Peter Marko <[email protected]> Take patch from Debian. https://sources.debian.org/data/main/p/procmail/3.22-20%2Bdeb7u1/debian/patches/CVE-2014-3618.patch
Signed-off-by: Peter Marko <[email protected]> --- .../procmail/procmail/CVE-2014-3618.patch | 29 +++++++++++++++++++ .../recipes-support/procmail/procmail_3.22.bb | 4 ++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch diff --git a/meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch b/meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch new file mode 100644 index 0000000000..b041924361 --- /dev/null +++ b/meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch @@ -0,0 +1,29 @@ +Description: Fix heap-overflow in formail + CVE-2014-3618: Heap-overflow in formail when processing + specially-crafted email headers. +Origin: http://www.openwall.com/lists/oss-security/2014/09/03/8 +Bug-Debian: https://bugs.debian.org/704675 +Bug-Debian: https://bugs.debian.org/760443 +Forwarded: not-needed +Last-Update: 2014-09-04 + +CVE: CVE-2014-3618 +Upstream-Status: Inactive-Upstream [lastrelease: 2001] +Signed-off-by: Peter Marko <[email protected]> + +--- a/src/formisc.c ++++ b/src/formisc.c +@@ -84,12 +84,11 @@ normal: *target++= *start++; + case '"':*target++=delim='"';start++; + } + ;{ int i; +- do ++ while(*start) + if((i= *target++= *start++)==delim) /* corresponding delimiter? */ + break; + else if(i=='\\'&&*start) /* skip quoted character */ + *target++= *start++; +- while(*start); /* anything? */ + } + hitspc=2; + } diff --git a/meta-oe/recipes-support/procmail/procmail_3.22.bb b/meta-oe/recipes-support/procmail/procmail_3.22.bb index 3623bd7776..efe716ea51 100644 --- a/meta-oe/recipes-support/procmail/procmail_3.22.bb +++ b/meta-oe/recipes-support/procmail/procmail_3.22.bb @@ -12,7 +12,9 @@ SRC_URI = "http://www.ring.gr.jp/archives/net/mail/${BPN}/${BP}.tar.gz \ file://from-debian-to-fix-compile-errors.patch \ file://from-debian-to-modify-parameters.patch \ file://from-debian-to-fix-man-file.patch \ - file://man-file-mailstat.1-from-debian.patch" + file://man-file-mailstat.1-from-debian.patch \ + file://CVE-2014-3618.patch \ +" SRC_URI[sha256sum] = "087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117" LICENSE = "GPL-2.0-only & Artistic-1.0" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#114562): https://lists.openembedded.org/g/openembedded-devel/message/114562 Mute This Topic: https://lists.openembedded.org/mt/110303083/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
