procmail: patch CVE-2017-16844.

Take patch from Debian. https://sources.debian.org/data/main/p/procmail/3.22-26%2Bdeb10u1/debian/patches/30 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3d97f4c13d5f5810659e107f6461f0b63f6fa92a) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2024-12-27 11:56:05 +0100
committer: Armin Kuster <akuster808@gmail.com> 2025-02-04 14:29:37 -0800
commit: 0a79e257d8730447e4bf7ac6dbb772acf9d337b0 (patch)
tree: a0b0c7584b831a635a9a3e2a324f5e375952f823
parent: cf633ae4691c5572d82e384069d75b10b9e4d604 (diff)
download: meta-openembedded-0a79e257d8730447e4bf7ac6dbb772acf9d337b0.tar.gz
2 files changed, 21 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/procmail/procmail/CVE-2017-16844.patch b/meta-oe/recipes-support/procmail/procmail/CVE-2017-16844.patch
new file mode 100644
index 0000000000..6e04989c33
--- /dev/null
+++ b/meta-oe/recipes-support/procmail/procmail/CVE-2017-16844.patch
@@ -0,0 +1,20 @@
+From: Santiago Vila <sanvila@debian.org>
+Subject: Fix heap-based buffer overflow in loadbuf()
+Bug-Debian: http://bugs.debian.org/876511
+X-Debian-version: 3.22-26
+CVE: CVE-2017-16844
+Upstream-Status: Inactive-Upstream [lastrelease: 2001]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+--- a/src/formisc.c
+++ b/src/formisc.c
+@@ -103,7 +103,7 @@
+ }
+                                                            /* append to buf */
+ void loadbuf(text,len)const char*const text;const size_t len;
+-{ if(buffilled+len>buflen)                       /* buf can't hold the text */
+{ while(buffilled+len>buflen)                    /* buf can't hold the text */
+      buf=realloc(buf,buflen+=Bsize);
+   tmemmove(buf+buffilled,text,len);buffilled+=len;
+ }
diff --git a/meta-oe/recipes-support/procmail/procmail_3.22.bb b/meta-oe/recipes-support/procmail/procmail_3.22.bb
index 4806bf5f80..16fcf84dad 100644
--- a/meta-oe/recipes-support/procmail/procmail_3.22.bb
+++ b/meta-oe/recipes-support/procmail/procmail_3.22.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.ring.gr.jp/archives/net/mail/${BPN}/${BP}.tar.gz \
    file://from-debian-to-fix-man-file.patch \
    file://man-file-mailstat.1-from-debian.patch \
    file://CVE-2014-3618.patch \
+    file://CVE-2017-16844.patch \
 "
 SRC_URI[md5sum] = "1678ea99b973eb77eda4ecf6acae53f1"
 SRC_URI[sha256sum] = "087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117"
author	Peter Marko <peter.marko@siemens.com>	2024-12-27 11:56:05 +0100
committer	Armin Kuster <akuster808@gmail.com>	2025-02-04 14:29:37 -0800
commit	0a79e257d8730447e4bf7ac6dbb772acf9d337b0 (patch)
tree	a0b0c7584b831a635a9a3e2a324f5e375952f823
parent	cf633ae4691c5572d82e384069d75b10b9e4d604 (diff)
download	meta-openembedded-0a79e257d8730447e4bf7ac6dbb772acf9d337b0.tar.gz

diff --git a/meta-oe/recipes-support/procmail/procmail/CVE-2017-16844.patch b/meta-oe/recipes-support/procmail/procmail/CVE-2017-16844.patch new file mode 100644 index 0000000000..6e04989c33 --- /dev/null +++ b/meta-oe/recipes-support/procmail/procmail/CVE-2017-16844.patch
@@ -0,0 +1,20 @@
		1	From: Santiago Vila <sanvila@debian.org>
		2	Subject: Fix heap-based buffer overflow in loadbuf()
		3	Bug-Debian: http://bugs.debian.org/876511
		4	X-Debian-version: 3.22-26
		5
		6	CVE: CVE-2017-16844
		7	Upstream-Status: Inactive-Upstream [lastrelease: 2001]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9
		10	--- a/src/formisc.c
		11	+++ b/src/formisc.c
		12	@@ -103,7 +103,7 @@
		13	}
		14	/* append to buf */
		15	void loadbuf(text,len)const char*const text;const size_t len;
		16	-{ if(buffilled+len>buflen) /* buf can't hold the text */
		17	+{ while(buffilled+len>buflen) /* buf can't hold the text */
		18	buf=realloc(buf,buflen+=Bsize);
		19	tmemmove(buf+buffilled,text,len);buffilled+=len;
		20	}


diff --git a/meta-oe/recipes-support/procmail/procmail_3.22.bb b/meta-oe/recipes-support/procmail/procmail_3.22.bb index 4806bf5f80..16fcf84dad 100644 --- a/meta-oe/recipes-support/procmail/procmail_3.22.bb +++ b/meta-oe/recipes-support/procmail/procmail_3.22.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.ring.gr.jp/archives/net/mail/${BPN}/${BP}.tar.gz \
14	file://from-debian-to-fix-man-file.patch \	14	file://from-debian-to-fix-man-file.patch \
15	file://man-file-mailstat.1-from-debian.patch \	15	file://man-file-mailstat.1-from-debian.patch \
16	file://CVE-2014-3618.patch \	16	file://CVE-2014-3618.patch \
		17	file://CVE-2017-16844.patch \
17	"	18	"
18	SRC_URI[md5sum] = "1678ea99b973eb77eda4ecf6acae53f1"	19	SRC_URI[md5sum] = "1678ea99b973eb77eda4ecf6acae53f1"
19	SRC_URI[sha256sum] = "087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117"	20	SRC_URI[sha256sum] = "087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117"