Date: Mon, 27 Nov 2017 07:55:18 +0000 (UTC) From: Vsevolod Stakhov <vsevolod@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r454936 - in head/mail/exim: . files Message-ID: <201711270755.vAR7tIeX013829@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: vsevolod Date: Mon Nov 27 07:55:17 2017 New Revision: 454936 URL: https://svnweb.freebsd.org/changeset/ports/454936 Log: - Fix RCE vulnerability: The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands. PR: 223870 Submitted by: Gary MFH: 2017Q4 Security: CVE-2017-16943 Added: head/mail/exim/files/patch-CVE-2017-16943 (contents, props changed) Modified: head/mail/exim/Makefile Modified: head/mail/exim/Makefile ============================================================================== --- head/mail/exim/Makefile Mon Nov 27 07:28:35 2017 (r454935) +++ head/mail/exim/Makefile Mon Nov 27 07:55:17 2017 (r454936) @@ -3,7 +3,7 @@ PORTNAME= exim PORTVERSION?= ${EXIM_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= mail ipv6 MASTER_SITES= EXIM:exim MASTER_SITE_SUBDIR= /exim4/:exim \ Added: head/mail/exim/files/patch-CVE-2017-16943 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/mail/exim/files/patch-CVE-2017-16943 Mon Nov 27 07:55:17 2017 (r454936) @@ -0,0 +1,35 @@ +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Fri, 24 Nov 2017 20:22:33 +0000 (+0000) +Subject: Avoid release of store if there have been later allocations. Bug 2199 +X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/4e6ae6235c68de243b1c2419027472d7659aa2b4 + +Avoid release of store if there have been later allocations. Bug 2199 +--- + +diff --git a/src/src/receive.c b/src/src/receive.c +index e7e518a..d9b5001 100644 +--- src/receive.c.orig ++++ src/receive.c +@@ -1810,8 +1810,8 @@ for (;;) + (and sometimes lunatic messages can have ones that are 100s of K long) we + call store_release() for strings that have been copied - if the string is at + the start of a block (and therefore the only thing in it, because we aren't +- doing any other gets), the block gets freed. We can only do this because we +- know there are no other calls to store_get() going on. */ ++ doing any other gets), the block gets freed. We can only do this release if ++ there were no allocations since the once that we want to free. */ + + if (ptr >= header_size - 4) + { +@@ -1820,9 +1820,10 @@ for (;;) + header_size *= 2; + if (!store_extend(next->text, oldsize, header_size)) + { ++ BOOL release_ok = store_last_get[store_pool] == next->text; + uschar *newtext = store_get(header_size); + memcpy(newtext, next->text, ptr); +- store_release(next->text); ++ if (release_ok) store_release(next->text); + next->text = newtext; + } + }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201711270755.vAR7tIeX013829>