procmail: at least two CVE fixes
I noticed a while back that Arch had picked up a CVE fix from debian. I've now found time to dig down and sort out what fedora and debian are using.
The two CVEs are CVE-2014-3618.patch and CVE-2017-16844 (the latter is what Arch added recently, and originated at debian). There is also a 'truncate' and a 'crash fix' patch which look useful.
Fedora use a consolidated patch from debian procmail_3.22-8 but a lot of it looks like policy rather than bug fixes.
Debian have a suite of 28 patches, names just 01-28, but many of these are for policy, including in the documentation. There is also a patch to enable ipv6, but I don't have any way to test that, and it seems to require autoreconf, so I'm ignoring it since nobody has complained it doesn't support ipv6.
Of the individual patches which were not policy and not ipv6, the following are within the 3.22-8 patch that fedora use, so I've added them:
10 (segfault in manifold.c)
14 (wrong amounts of memory allocated in a pipe)
17 (formail prints body if content length header is found)
I've prepared a consolidated patch, and applied it to my 8.1 system where it seems to be working.