Opened 4 years ago

Closed 4 years ago

#10356 closed enhancement (fixed)

procmail: at least two CVE fixes

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 8.2
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

I noticed a while back that Arch had picked up a CVE fix from debian. I've now found time to dig down and sort out what fedora and debian are using.

The two CVEs are CVE-2014-3618.patch and CVE-2017-16844 (the latter is what Arch added recently, and originated at debian). There is also a 'truncate' and a 'crash fix' patch which look useful.

Fedora use a consolidated patch from debian procmail_3.22-8 but a lot of it looks like policy rather than bug fixes.

Debian have a suite of 28 patches, names just 01-28, but many of these are for policy, including in the documentation. There is also a patch to enable ipv6, but I don't have any way to test that, and it seems to require autoreconf, so I'm ignoring it since nobody has complained it doesn't support ipv6.

Of the individual patches which were not policy and not ipv6, the following are withing the 3.22-8 patch that fedora use, so I've added them:

10 (segfault in manifold.c) 14 (wrong amounts of memory allocated in a pipe) 17 (formail prints body if content length header is found)

I've prepared a consolidated patch, and applied it to my 8.1 system where it seems to be working.

Change History (2)

comment:1 by ken@…, 4 years ago

Owner: changed from blfs-book@… to ken@…
Status: newassigned

comment:2 by ken@…, 4 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.