From 1d982d787dfdd6739fe6c829aee332e9b24bdc31 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sun, 29 May 2016 13:02:23 -0400 Subject: gnu: procmail: Fix CVE-2014-3618. * gnu/packages/patches/procmail-CVE-2014-3618.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/mail.scm (procmail): Use it. --- gnu/local.mk | 1 + gnu/packages/mail.scm | 3 ++- gnu/packages/patches/procmail-CVE-2014-3618.patch | 26 +++++++++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/procmail-CVE-2014-3618.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9a9cff4238..3f595b47ce 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -689,6 +689,7 @@ dist_patch_DATA = \ %D%/packages/patches/portaudio-audacity-compat.patch \ %D%/packages/patches/portmidi-modular-build.patch \ %D%/packages/patches/procmail-ambiguous-getline-debian.patch \ + %D%/packages/patches/procmail-CVE-2014-3618.patch \ %D%/packages/patches/pt-scotch-build-parallelism.patch \ %D%/packages/patches/pulseaudio-fix-mult-test.patch \ %D%/packages/patches/pulseaudio-longer-test-timeout.patch \ diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 39133fcff0..b4563277aa 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -1149,7 +1149,8 @@ deliver it in various ways.") ;; The following patch fixes an ambiguous definition of ;; getline() in formail.c. The patch is provided by Debian as ;; patch 24. - (patches (search-patches "procmail-ambiguous-getline-debian.patch")))) + (patches (search-patches "procmail-ambiguous-getline-debian.patch" + "procmail-CVE-2014-3618.patch")))) (arguments `(#:phases (modify-phases %standard-phases (replace 'configure diff --git a/gnu/packages/patches/procmail-CVE-2014-3618.patch b/gnu/packages/patches/procmail-CVE-2014-3618.patch new file mode 100644 index 0000000000..e3f2759738 --- /dev/null +++ b/gnu/packages/patches/procmail-CVE-2014-3618.patch @@ -0,0 +1,26 @@ +Fixes CVE-2014-3618 (heap overflow in formisc.c allowing denial of +service and potential remote execution of arbitrary code). +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618 + +Source: +http://seclists.org/oss-sec/2014/q3/495 + +Adopted by Debian as patch '27': +https://sources.debian.net/src/procmail/3.22-25/debian/patches/27/ + +--- a/src/formisc.c ++++ b/src/formisc.c +@@ -84,12 +84,11 @@ + case '"':*target++=delim='"';start++; + } + ;{ int i; +- do ++ while(*start) + if((i= *target++= *start++)==delim) /* corresponding delimiter? */ + break; + else if(i=='\\'&&*start) /* skip quoted character */ + *target++= *start++; +- while(*start); /* anything? */ + } + hitspc=2; + } -- cgit 1.4.1