[arch-commits] Commit in exim/trunk (3 files)
Levente Polyak
anthraxx at archlinux.org
Thu Nov 30 00:58:54 UTC 2017
Date: Thursday, November 30, 2017 @ 00:58:53
Author: anthraxx
Revision: 270779
upgpkg: exim 4.89-2 (security update)
CVE-2017-1000369
CVE-2017-16943
Added:
exim/trunk/CVE-2017-1000369.patch
exim/trunk/CVE-2017-16943.patch
Modified:
exim/trunk/PKGBUILD
------------------------+
CVE-2017-1000369.patch | 68 +++++++++++++++++++++++++++++++++++++++++++++++
CVE-2017-16943.patch | 56 ++++++++++++++++++++++++++++++++++++++
PKGBUILD | 22 +++++++++++----
3 files changed, 141 insertions(+), 5 deletions(-)
Added: CVE-2017-1000369.patch
===================================================================
--- CVE-2017-1000369.patch (rev 0)
+++ CVE-2017-1000369.patch 2017-11-30 00:58:53 UTC (rev 270779)
@@ -0,0 +1,68 @@
+From 65e061b76867a9ea7aeeb535341b790b90ae6c21 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <hs at schlittermann.de>
+Date: Wed, 31 May 2017 23:08:56 +0200
+Subject: [PATCH] Cleanup (prevent repeated use of -p/-oMr to avoid mem leak)
+
+---
+ doc/doc-docbook/spec.xfpt | 3 ++-
+ src/src/exim.c | 19 +++++++++++++++++--
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
+index 06373ccde..7816bc26d 100644
+--- a/doc/doc-docbook/spec.xfpt
++++ b/doc/doc-docbook/spec.xfpt
+@@ -4274,7 +4274,7 @@ or &%-bs%& is used. For &%-bh%&, the protocol is forced to one of the standard
+ SMTP protocol names (see the description of &$received_protocol$& in section
+ &<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by
+ one of those same names. For &%-bS%& (batched SMTP) however, the protocol can
+-be set by &%-oMr%&.
++be set by &%-oMr%&. Repeated use of this option is not supported.
+
+ .vitem &%-oMs%&&~<&'host&~name'&>
+ .oindex "&%-oMs%&"
+@@ -4374,6 +4374,7 @@ host name and its colon can be omitted when only the protocol is to be set.
+ Note the Exim already has two private options, &%-pd%& and &%-ps%&, that refer
+ to embedded Perl. It is therefore impossible to set a protocol value of &`d`&
+ or &`s`& using this option (but that does not seem a real limitation).
++Repeated use of this option is not supported.
+
+ .vitem &%-q%&
+ .oindex "&%-q%&"
+diff --git a/src/src/exim.c b/src/src/exim.c
+index 67583e584..88e119778 100644
+--- a/src/src/exim.c
++++ b/src/src/exim.c
+@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++)
+
+ /* -oMr: Received protocol */
+
+- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
++ else if (Ustrcmp(argrest, "Mr") == 0)
++
++ if (received_protocol)
++ {
++ fprintf(stderr, "received_protocol is set already\n");
++ exit(EXIT_FAILURE);
++ }
++ else received_protocol = argv[++i];
+
+ /* -oMs: Set sender host name */
+
+@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++)
+
+ if (*argrest != 0)
+ {
+- uschar *hn = Ustrchr(argrest, ':');
++ uschar *hn;
++
++ if (received_protocol)
++ {
++ fprintf(stderr, "received_protocol is set already\n");
++ exit(EXIT_FAILURE);
++ }
++
++ hn = Ustrchr(argrest, ':');
+ if (hn == NULL)
+ {
+ received_protocol = argrest;
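Review bot: In the `-oMr` branch the new `if (received_protocol) … else received_protocol = argv[++i];` hangs unbraced under `else if (Ustrcmp(argrest, "Mr") == 0)`, so the `-oMs` test that follows only attaches to the right `if` because the inner statement happens to end in its own `else`. Since the error path calls `exit(EXIT_FAILURE)`, I would brace the branch and drop the inner `else`: `else if (Ustrcmp(argrest, "Mr") == 0) { if (received_protocol) { …; exit(EXIT_FAILURE); } received_protocol = argv[++i]; }`. Both new checks print the same "received_protocol is set already" text without naming the option that was repeated. A short comment at each site, saying that a second `-oMr`/`-p` is refused to avoid the memory leak named in the patch subject, would make the intent visible in the code. The enclosing `for (i = 1; i < argc; i++)` loop starts and ends outside these hunks.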
Added: CVE-2017-16943.patch
===================================================================
--- CVE-2017-16943.patch (rev 0)
+++ CVE-2017-16943.patch 2017-11-30 00:58:53 UTC (rev 270779)
@@ -0,0 +1,56 @@
+From 4090d62a4b25782129cc1643596dc2f6e8f63bde Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Fri, 24 Nov 2017 20:22:33 +0000
+Subject: [PATCH 1/1] Avoid release of store if there have been later
+ allocations. Bug 2199
+
+---
+ doc/doc-txt/ChangeLog | 4 ++++
+ src/src/receive.c | 7 ++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
+index e937ba2..a2d9339 100644
+--- a/doc/doc-txt/ChangeLog
++++ b/doc/doc-txt/ChangeLog
+@@ -59,6 +59,10 @@ JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for
+ connection in response to HELO" was logged instead of the actual 4xx
+ error for the HELO.
+
++JH/34 Bug 2199: fix a use-after-free while reading smtp input for header lines.
++ A crafted sequence of BDAT commands could result in in-use memory beeing
++ freed.
++
+
+ Exim version 4.89
+ -----------------
+diff --git a/src/src/receive.c b/src/src/receive.c
+index 95cf13e..20672db 100644
+--- a/src/src/receive.c
++++ b/src/src/receive.c
+@@ -1772,8 +1772,8 @@ for (;;)
+ (and sometimes lunatic messages can have ones that are 100s of K long) we
+ call store_release() for strings that have been copied - if the string is at
+ the start of a block (and therefore the only thing in it, because we aren't
+- doing any other gets), the block gets freed. We can only do this because we
+- know there are no other calls to store_get() going on. */
++ doing any other gets), the block gets freed. We can only do this release if
++ there were no allocations since the once that we want to free. */
+
+ if (ptr >= header_size - 4)
+ {
+@@ -1782,9 +1782,10 @@ for (;;)
+ header_size *= 2;
+ if (!store_extend(next->text, oldsize, header_size))
+ {
++ BOOL release_ok = store_last_get[store_pool] == next->text;
+ uschar *newtext = store_get(header_size);
+ memcpy(newtext, next->text, ptr);
+- store_release(next->text);
++ if (release_ok) store_release(next->text);
+ next->text = newtext;
+ }
+ }
+--
+1.9.1
+
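Review bot: When `release_ok` is false in the `store_extend()` fallback, the old `next->text` block is neither extended nor released, so every doubling of `header_size` on that path leaves the previous copy allocated. Nothing in the hunk says when that memory is reclaimed, and a comment stating that this is intentional (presumably it is recovered when the pool is reset) would answer that for the next reader. The check also only works because `store_last_get[store_pool]` is sampled before `store_get(header_size)` runs, which deserves a one-line comment such as `/* must be read before store_get(), which presumably updates store_last_get */`. The reworded block comment has a typo: "since the once that we want to free" should read "the one". The surrounding `for (;;)` loop begins outside the hunk.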
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-11-29 23:19:42 UTC (rev 270778)
+++ PKGBUILD 2017-11-30 00:58:53 UTC (rev 270779)
@@ -7,7 +7,7 @@
pkgname=exim
pkgver=4.89
-pkgrel=1
+pkgrel=2
pkgdesc='Message Transfer Agent'
arch=('x86_64')
url='http://www.exim.org/'
@@ -17,8 +17,7 @@
depends=('gdbm' 'pcre' 'pam' 'openssl' 'libldap')
provides=('smtp-server' 'smtp-forwarder')
conflicts=('smtp-server' 'smtp-forwarder')
-options=('!makeflags')
-source=("ftp://ftp.exim.org/pub/exim/exim4/exim-$pkgver.tar.bz2"
+source=("https://ftp.exim.org/pub/exim/exim4/exim-$pkgver.tar.bz2"{,.asc}
aliases
exim.logrotate
exim.Makefile
@@ -26,8 +25,11 @@
exim.service
exim at .service
exim.socket
- exim-submission.socket)
+ exim-submission.socket
+ CVE-2017-16943.patch
+ CVE-2017-1000369.patch)
sha512sums=('1e059966a93b47f055ab4ec2a4556f2c918aff56ea0367585f3a853f00411e9c275e13be4f9ae615a468fa06263135cd6a138fa1753f1b7fb3259a3321fcca65'
+ 'SKIP'
'a91c6a9e5b3ac9d143741dba01e11616812ba44c3a8c768c8232364026460f0b8fdeeb120a2f2b86742a6e3ebbfc9d6335b86d108b044e43108b4a6f0374c9ad'
'd8e3b466e0bba8175cfe762058dec49018495a260aa5efd139f4ef435284c305958cbd7fc514e81042146368b749ae38f0bf276fc0b4b91918ef33126900aa81'
'27164b44ff6d99942aaea876f8b7b974f2f668b3b2a5993eecaf6cfa418b08bf16520423070da27268e7f0f4a9d55a8a362430152427dc390e6286500089e6df'
@@ -35,11 +37,21 @@
'e2fc3966c320460a26fbbf83e98df725587dc126dfe9d7a84c3285eb4b22a061b30499425c70f3d73cf13aa81c194274004efd20ce1316836463b982117909f8'
'11c8133ee15b3e5193c9b1c59aed66c81b6e045dd23310bede9fcde6c88905db5ef08afdb798b53b75a7465915ea1247e980edf95db07a7f9b7bb58ce95fbb5a'
'db621116907ceb573e6f34581f47c91f751bff593054d7ddc32397b34c7f2405bec184bdb0589d2ac457fa3a61bcba072761e3a6293a99c9c764d2d9fd6069ae'
- '4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d')
+ '4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d'
+ '28c141cf557ccecd14063ca687af94c1aa9b369148139b07c167da06b6f5a280028cc6c733925565f24887d269dd5b149c62a3d76058a65f6354f96d1b93cd9e'
+ 'ac3b606396302a5494d4f5c68e12781cb156168c787ea7ad1a397c516109de5689691668cd020eafba4bac4219c11218900935827555ed38fa7c806023acc95a')
+validpgpkeys=('C693A034E1ED6EE954CAE2DA13DAD99C7E41519C'
+ 'ACBB4324393ADE3515DA2DDA4D1E900E14C1CC04') # Phil Pennock <phil.pennock at spodhuis.org>
build() {
cd $pkgname-$pkgver
+ patch -p1 < "${srcdir}/CVE-2017-16943.patch"
+ patch -p1 < "${srcdir}/CVE-2017-1000369.patch"
+}
+build() {
+ cd $pkgname-$pkgver
+
cp ../$pkgname.Makefile Local/Makefile
make
}
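Review bot: As this hunk reads, the new PKGBUILD defines `build()` twice: the existing `build() {` line now closes after the two `patch -p1` calls, and a second `build() {` is added for the `cp`/`make` steps. Bash keeps only the last definition of a function, so the first body would be discarded when the file is sourced and neither CVE patch would be applied, while the package is still published as pkgrel 2 with a "security update" label. The first function should be `prepare() {`, which is where makepkg expects source patching. Separately, only the second `validpgpkeys` fingerprint carries an owner comment; the first should be annotated too so the trust decision can be audited.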