svn commit: r454936 - in head/mail/exim: . files
Vsevolod Stakhov
vsevolod at FreeBSD.org
Mon Nov 27 07:55:19 UTC 2017
Author: vsevolod
Date: Mon Nov 27 07:55:17 2017
New Revision: 454936
URL: https://svnweb.freebsd.org/changeset/ports/454936
Log:
- Fix RCE vulnerability:
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to execute arbitrary code or cause a denial of service
(use-after-free) via vectors involving BDAT commands.
PR: 223870
Submitted by: Gary
MFH: 2017Q4
Security: CVE-2017-16943
Added:
head/mail/exim/files/patch-CVE-2017-16943 (contents, props changed)
Modified:
head/mail/exim/Makefile
Modified: head/mail/exim/Makefile
==============================================================================
--- head/mail/exim/Makefile Mon Nov 27 07:28:35 2017 (r454935)
+++ head/mail/exim/Makefile Mon Nov 27 07:55:17 2017 (r454936)
@@ -3,7 +3,7 @@
PORTNAME= exim
PORTVERSION?= ${EXIM_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= mail ipv6
MASTER_SITES= EXIM:exim
MASTER_SITE_SUBDIR= /exim4/:exim \
Added: head/mail/exim/files/patch-CVE-2017-16943
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/mail/exim/files/patch-CVE-2017-16943 Mon Nov 27 07:55:17 2017 (r454936)
@@ -0,0 +1,35 @@
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Fri, 24 Nov 2017 20:22:33 +0000 (+0000)
+Subject: Avoid release of store if there have been later allocations. Bug 2199
+X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/4e6ae6235c68de243b1c2419027472d7659aa2b4
+
+Avoid release of store if there have been later allocations. Bug 2199
+---
+
+diff --git a/src/src/receive.c b/src/src/receive.c
+index e7e518a..d9b5001 100644
+--- src/receive.c.orig
++++ src/receive.c
+@@ -1810,8 +1810,8 @@ for (;;)
+ (and sometimes lunatic messages can have ones that are 100s of K long) we
+ call store_release() for strings that have been copied - if the string is at
+ the start of a block (and therefore the only thing in it, because we aren't
+- doing any other gets), the block gets freed. We can only do this because we
+- know there are no other calls to store_get() going on. */
++ doing any other gets), the block gets freed. We can only do this release if
++ there were no allocations since the once that we want to free. */
+
+ if (ptr >= header_size - 4)
+ {
+@@ -1820,9 +1820,10 @@ for (;;)
+ header_size *= 2;
+ if (!store_extend(next->text, oldsize, header_size))
+ {
++ BOOL release_ok = store_last_get[store_pool] == next->text;
+ uschar *newtext = store_get(header_size);
+ memcpy(newtext, next->text, ptr);
+- store_release(next->text);
++ if (release_ok) store_release(next->text);
+ next->text = newtext;
+ }
+ }
More information about the svn-ports-all
mailing list