Anyone using formail want to test this?
OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/procmail/Makefile,v
retrieving revision 1.39
diff -u -p -r1.39 Makefile
--- Makefile 11 Mar 2013 11:23:53 -0000 1.39
+++ Makefile 4 Sep 2014 15:17:16 -0000
@@ -4,7 +4,7 @@ COMMENT= filtering local mail delivery a
DISTNAME= procmail-3.22
CATEGORIES= mail
-REVISION= 4
+REVISION= 5
MASTER_SITES= ${HOMEPAGE} \
http://mirror.switch.ch/ftp/mirror/procmail/ \
@@ -18,6 +18,7 @@ HOMEPAGE= http://www.procmail.org/
# GPLv2+
PERMIT_PACKAGE_CDROM= Yes
+
WANTLIB= c m
FLAVORS= lmtp
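Review bot: the blank line added after PERMIT_PACKAGE_CDROM= Yes is a whitespace-only change unrelated to the security fix. Drop it so the Makefile diff carries only the REVISION bump.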
Index: patches/patch-src_formisc_c
===================================================================
RCS file: /cvs/ports/mail/procmail/patches/patch-src_formisc_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-src_formisc_c
--- patches/patch-src_formisc_c 17 Mar 2012 10:47:19 -0000 1.1
+++ patches/patch-src_formisc_c 4 Sep 2014 15:17:16 -0000
@@ -1,7 +1,25 @@
$OpenBSD: patch-src_formisc_c,v 1.1 2012/03/17 10:47:19 sthen Exp $
---- src/formisc.c.orig Sat Mar 17 10:43:03 2012
-+++ src/formisc.c Sat Mar 17 10:43:20 2012
-@@ -115,7 +115,7 @@ void loadchar(c)const int c; /* append
one char
+
+Hunk #1: CVE-2014-3618, heap overflow in formail when parsing addresses
+with unbalanced quotes.
+
+--- src/formisc.c.orig Fri Jun 29 03:20:45 2001
++++ src/formisc.c Thu Sep 4 16:15:48 2014
+@@ -84,12 +84,11 @@ normal: *target++= *start++;
+ case '"':*target++=delim='"';start++;
+ }
+ ;{ int i;
+- do
++ while(*start)
+ if((i= *target++= *start++)==delim) /* corresponding delimiter? */
+ break;
+ else if(i=='\\'&&*start) /* skip quoted character */
+ *target++= *start++;
+- while(*start); /* anything? */
+ }
+ hitspc=2;
+ }
+@@ -115,7 +114,7 @@ void loadchar(c)const int c; /* append
one char
buf[buffilled++]=c;
}
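Review bot: the new header text documents only "Hunk #1", while the loadchar hunk at @@ -115,7 +114,7 @@ still has no description, so a reader of the patch file cannot tell what the second hunk is for. Add a one-line "Hunk #2:" note next to the CVE line, and consider citing the oss-security post there so the origin of the do/while to while(*start) change is recorded in the patch itself.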
----- Forwarded message from Tavis Ormandy <[email protected]> -----
From: Tavis Ormandy <[email protected]>
Date: Wed, 3 Sep 2014 11:52:11 -0700
To: [email protected]
Reply-To: [email protected]
Subject: [oss-security] heap overflow in procmail
I noticed a heap overflow in procmail when parsing addresses with
unbalanced quotes. I encountered this by accident when trying to
organize a large Usenet archive; this post to rec.arts.poems causes
formail to crash.
https://groups.google.com/forum/message/raw?msg=alt.arts.poetry.comments/DCuLO3qzovI/CZk15MlfqNkJ
I've attached an mbox for reference.
$ formail -s < mbox > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x00007f103784a080 ***
Segmentation fault (core dumped)
$ rpm -q procmail
procmail-3.22-33.fc20.x86_64
It looks like the fix is
--- formisc.c 2013-08-04 00:13:33.000000000 -0700
+++ formisc.c 2014-09-03 11:42:25.986002396 -0700
@@ -84,12 +84,11 @@
case '"':*target++=delim='"';start++;
}
;{ int i;
- do
+ while(*start)
if((i= *target++= *start++)==delim) /* corresponding delimiter? */
break;
else if(i=='\\'&&*start) /* skip quoted character */
*target++= *start++;
- while(*start); /* anything? */
}
hitspc=2;
}
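Review bot: with while(*start) the loop can now end at the terminator without ever matching delim, and hitspc=2 is still set unconditionally right after the block, exactly as for a properly closed quoted string. It is worth confirming that the code consuming target copes with a word whose opening quote was copied but never closed, and adding the attached mbox as a regression input for formail -s.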
Tavis.
----- End forwarded message -----
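The loop change in the fix above, as an added example that is not part of the original post or the procmail source: both loop shapes are re-implemented over an index so that the read past the terminator stays inside a constructed array. The names scan_before, scan_after, sample and balanced are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: an address ending in an unbalanced quote. The bytes
 * after the first NUL stand in for whatever follows the string in memory. */
static const char sample[] = "a@b \"\0NEXT-CHUNK\"tail";
static const char balanced[] = "\"x y\" z";   /* constructed, quote closed */
#define QUOTE_AT 4                             /* opening '"' in sample */

/* Loop shape before the fix: do/while runs the body once before testing
 * buf[start]. Returns the index at which scanning stops. */
static size_t scan_before(const char *buf, size_t start, char *out)
{
    size_t t = 0;
    int i, delim = '"';
    out[t++] = (char)delim; start++;           /* copy the opening quote */
    do {
        if ((i = out[t++] = buf[start++]) == delim)
            break;                             /* corresponding delimiter */
        else if (i == '\\' && buf[start])
            out[t++] = buf[start++];           /* skip quoted character */
    } while (buf[start]);
    return start;
}

/* Loop shape after the fix: buf[start] is tested before every read. */
static size_t scan_after(const char *buf, size_t start, char *out)
{
    size_t t = 0;
    int i, delim = '"';
    out[t++] = (char)delim; start++;
    while (buf[start]) {
        if ((i = out[t++] = buf[start++]) == delim)
            break;
        else if (i == '\\' && buf[start])
            out[t++] = buf[start++];
    }
    return start;
}

int main(void)
{
    char out[sizeof sample];
    printf("string ends at index %zu\n", strlen(sample));
    printf("do/while stops at    %zu\n", scan_before(sample, QUOTE_AT, out));
    printf("while stops at       %zu\n", scan_after(sample, QUOTE_AT, out));
    printf("balanced input: %zu vs %zu\n",
           scan_before(balanced, 0, out), scan_after(balanced, 0, out));
    return 0;
}
```

The two variants differ only when the opening quote is the last character of the string; on balanced input they stop at the same index.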