
Bug#778653: unblock: procmail/3.22-24



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package procmail. It fixes several heap overflows
and memory corruptions spotted in recent fuzzing attempts (one
has been assigned CVE-2014-9681).

unblock procmail/3.22-24

Cheers,
        Moritz

debdiff:

diff -Nru procmail-3.22/debian/changelog procmail-3.22/debian/changelog
--- procmail-3.22/debian/changelog	2014-09-04 12:08:43.000000000 +0200
+++ procmail-3.22/debian/changelog	2015-02-11 16:44:51.000000000 +0100
@@ -1,3 +1,23 @@
+procmail (3.22-24) unstable; urgency=medium
+
+  * Fix two memory corruption problems in formail. Closes: #769937.
+    Reported by Jakub Wilk. Patch by Jan Darmochwal. Thanks a lot.
+    The problems are the following:
+  - Off-by-one heap overflow when parsing addresses that have left angle
+    bracket, then a comma, but no right angle bracket: <moo@example.com,
+  - Off-by-one heap overflow when parsing addresses that end with
+    backslash: <moo@example.com\
+
+ -- Santiago Vila <sanvila@debian.org>  Wed, 11 Feb 2015 16:41:40 +0100
+
+procmail (3.22-23) unstable; urgency=medium
+
+  * Fixed heap overflow in procmail that made it to segfault on
+    some unusual (but legit) .procmailrc files. Closes: #771958.
+    Thanks a lot to Tero Marttila.
+
+ -- Santiago Vila <sanvila@debian.org>  Wed, 03 Dec 2014 23:51:52 +0100
+
 procmail (3.22-22) unstable; urgency=high
 
   * Fixed heap overflow in formail that made it to crash on messages
diff -Nru procmail-3.22/debian/patches/28 procmail-3.22/debian/patches/28
--- procmail-3.22/debian/patches/28	1970-01-01 01:00:00.000000000 +0100
+++ procmail-3.22/debian/patches/28	2014-12-03 23:47:51.000000000 +0100
@@ -0,0 +1,23 @@
+From: Tero Marttila <terom@fixme.fi>
+Subject: Fix off-by-one error that makes procmail to segfault on certain .procmailrc files
+
+--- a/src/cstdio.c
++++ b/src/cstdio.c
+@@ -144,7 +144,7 @@
+       { case '\n':case EOF:*q='\0';
+ 	   return overflow?-1:p!=q;	     /* did we read anything at all? */
+       }
+-     if(q==end)	    /* check here so that a trailing backslash won't be lost */
++     if(q>=end)	    /* check here so that a trailing backslash won't be lost */
+ 	q=p,overflow=1;
+      *q++=i;
+    }
+@@ -199,7 +199,7 @@
+ 	   if(*(target=strchr(target,'\0')-1)=='\\')
+ 	    { if(chp2!=target)				  /* non-empty line? */
+ 		 target++;		      /* then preserve the backslash */
+-	      if(target>end-2)			  /* space enough for getbl? */
++	      if(target>=end-2)			  /* space enough for getbl? */
+ 		 target=end-linebuf,overflow=1;		/* toss what we have */
+ 	      continue;
+ 	    }
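Review bot: Neither changed comparison in src/cstdio.c documents the bound it now enforces. In the first hunk the store `*q++=i` follows the check unconditionally, so `q>=end` is the only thing keeping that write inside the buffer, yet the comment still speaks only of the trailing backslash. I would add a line such as `/* >= rather than ==: never store at or past end */` there. In the second hunk I would state why `end-2` itself now counts as full, presumably the preserved backslash plus the terminator that getbl writes, which should be confirmed since getbl is not visible here. The patch header also carries no `Bug-Debian:` field for #771958, which the changelog entry cites, and both functions start and end outside the hunks.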
diff -Nru procmail-3.22/debian/patches/29 procmail-3.22/debian/patches/29
--- procmail-3.22/debian/patches/29	1970-01-01 01:00:00.000000000 +0100
+++ procmail-3.22/debian/patches/29	2015-02-11 16:19:46.000000000 +0100
@@ -0,0 +1,25 @@
+From: Jan Darmochwal <jdarmochwal@gmx.de>
+Subject: formail memory corruption fixes
+
+--- a/src/formail.c
++++ b/src/formail.c
+@@ -219,7 +219,7 @@
+   if(i>=0&&(i!=maxindex(sest)||fldp==rdheader))		  /* found anything? */
+    { char*saddr;char*tmp;			     /* determine the weight */
+      nowm=areply&&headreply?headreply==1?sest[i].wrepl:sest[i].wrrepl:i;chp+=j;
+-     tmp=malloc(j=fldp->Tot_len-j);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0';
++     tmp=malloc((j=fldp->Tot_len-j) + 1);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0';
+      if(sest[i].head==From_)
+       { char*pastad;
+ 	if(strchr(saddr=chp,'\n'))		     /* multiple From_ lines */
+--- a/src/formisc.c
++++ b/src/formisc.c
+@@ -66,7 +66,7 @@
+ retz:	      *target='\0';
+ ret:	      return start;
+ 	    }
+-	   if(*start=='\\')
++	   if(*start=='\\' && *(start + 1))
+ 	      *target++='\\',start++;
+ 	   hitspc=2;
+ 	   goto normal;					      /* normal word */
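Review bot: In the src/formail.c hunk the allocation is padded by one byte, but the length `j` is still used unchecked and the new byte is never initialised. `(chp=tmp)[j-1]='\0'` would store before the buffer if `fldp->Tot_len-j` can be 0; the hunk does not show whether it can, so that needs confirming against the code above it. The copy fills only `j` bytes, leaving `tmp[j]` indeterminate, so I would terminate it as well with `tmp[j]='\0';`. If the pad exists to absorb the one-byte overrun in address parsing that the changelog describes, a comment such as `/* +1: slack for the address parser's terminator */` should say so, because the parser's own bound is left as it was. The malloc result is also used without a visible NULL check, which is acceptable only if malloc is wrapped elsewhere in the file.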
diff -Nru procmail-3.22/debian/patches/series procmail-3.22/debian/patches/series
--- procmail-3.22/debian/patches/series	2014-09-04 12:00:00.000000000 +0200
+++ procmail-3.22/debian/patches/series	2015-02-11 16:19:45.000000000 +0100
@@ -26,3 +26,5 @@
 25
 26
 27
+28
+29



-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

