diff options
author | Leo Famulari <leo@famulari.name> | 2016-05-29 13:02:23 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-05-29 13:12:16 -0400 |
commit | 1d982d787dfdd6739fe6c829aee332e9b24bdc31 (patch) | |
tree | e700e7c6c2adb91dc2fb21d55f2417548c483cba | |
parent | c68d8126f9dc6f932fdbfe04b0c773c42d49938a (diff) | |
download | guix-1d982d787dfdd6739fe6c829aee332e9b24bdc31.tar.gz |
gnu: procmail: Fix CVE-2014-3618.
* gnu/packages/patches/procmail-CVE-2014-3618.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/mail.scm (procmail): Use it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/mail.scm | 3 | ||||
-rw-r--r-- | gnu/packages/patches/procmail-CVE-2014-3618.patch | 26 |
3 files changed, 29 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 9a9cff4238..3f595b47ce 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -689,6 +689,7 @@ dist_patch_DATA = \ %D%/packages/patches/portaudio-audacity-compat.patch \ %D%/packages/patches/portmidi-modular-build.patch \ %D%/packages/patches/procmail-ambiguous-getline-debian.patch \ + %D%/packages/patches/procmail-CVE-2014-3618.patch \ %D%/packages/patches/pt-scotch-build-parallelism.patch \ %D%/packages/patches/pulseaudio-fix-mult-test.patch \ %D%/packages/patches/pulseaudio-longer-test-timeout.patch \ diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 39133fcff0..b4563277aa 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -1149,7 +1149,8 @@ deliver it in various ways.") ;; The following patch fixes an ambiguous definition of ;; getline() in formail.c. The patch is provided by Debian as ;; patch 24. - (patches (search-patches "procmail-ambiguous-getline-debian.patch")))) + (patches (search-patches "procmail-ambiguous-getline-debian.patch" + "procmail-CVE-2014-3618.patch")))) (arguments `(#:phases (modify-phases %standard-phases (replace 'configure diff --git a/gnu/packages/patches/procmail-CVE-2014-3618.patch b/gnu/packages/patches/procmail-CVE-2014-3618.patch new file mode 100644 index 0000000000..e3f2759738 --- /dev/null +++ b/gnu/packages/patches/procmail-CVE-2014-3618.patch @@ -0,0 +1,26 @@ +Fixes CVE-2014-3618 (heap overflow in formisc.c allowing denial of +service and potential remote execution of arbitrary code). +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618 + +Source: +http://seclists.org/oss-sec/2014/q3/495 + +Adopted by Debian as patch '27': +https://sources.debian.net/src/procmail/3.22-25/debian/patches/27/ + +--- a/src/formisc.c ++++ b/src/formisc.c +@@ -84,12 +84,11 @@ + case '"':*target++=delim='"';start++; + } + ;{ int i; +- do ++ while(*start) + if((i= *target++= *start++)==delim) /* corresponding delimiter? */ + break; + else if(i=='\\'&&*start) /* skip quoted character */ + *target++= *start++; +- while(*start); /* anything? */ + } + hitspc=2; + } |