Date:      Tue, 28 Nov 2017 08:54:00 +0000 (UTC)
From:      Vsevolod Stakhov <vsevolod@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r455024 - in branches/2017Q4/mail/exim: . files
Message-ID:  <201711280854.vAS8s0sx070504@repo.freebsd.org>

Author: vsevolod
Date: Tue Nov 28 08:54:00 2017
New Revision: 455024
URL: https://svnweb.freebsd.org/changeset/ports/455024

Log:
  MFH: r454936
  
  - Fix RCE vulnerability:
  
  The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
  allows remote attackers to execute arbitrary code or cause a denial of service
  (use-after-free) via vectors involving BDAT commands.
  
  PR:		223870
  Submitted by:	Gary
  Security:	68b29058-d348-11e7-b9fe-c13eb7bcbf4f
  
  Approved by:	ports-secteam (swills)

Added:
  branches/2017Q4/mail/exim/files/patch-CVE-2017-16943
     - copied unchanged from r454936, head/mail/exim/files/patch-CVE-2017-16943
Modified:
  branches/2017Q4/mail/exim/Makefile
Directory Properties:
  branches/2017Q4/   (props changed)

Modified: branches/2017Q4/mail/exim/Makefile
==============================================================================
--- branches/2017Q4/mail/exim/Makefile	Tue Nov 28 08:46:25 2017	(r455023)
+++ branches/2017Q4/mail/exim/Makefile	Tue Nov 28 08:54:00 2017	(r455024)
@@ -3,7 +3,7 @@
 
 PORTNAME=	exim
 PORTVERSION?=	${EXIM_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	mail ipv6
 MASTER_SITES=	EXIM:exim
 MASTER_SITE_SUBDIR=	/exim4/:exim \

Copied: branches/2017Q4/mail/exim/files/patch-CVE-2017-16943 (from r454936, head/mail/exim/files/patch-CVE-2017-16943)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/mail/exim/files/patch-CVE-2017-16943	Tue Nov 28 08:54:00 2017	(r455024, copy of r454936, head/mail/exim/files/patch-CVE-2017-16943)
@@ -0,0 +1,35 @@
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Fri, 24 Nov 2017 20:22:33 +0000 (+0000)
+Subject: Avoid release of store if there have been later allocations.  Bug 2199
+X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/4e6ae6235c68de243b1c2419027472d7659aa2b4
+
+Avoid release of store if there have been later allocations.  Bug 2199
+---
+
+diff --git a/src/src/receive.c b/src/src/receive.c
+index e7e518a..d9b5001 100644
+--- src/receive.c.orig
++++ src/receive.c
+@@ -1810,8 +1810,8 @@ for (;;)
+   (and sometimes lunatic messages can have ones that are 100s of K long) we
+   call store_release() for strings that have been copied - if the string is at
+   the start of a block (and therefore the only thing in it, because we aren't
+-  doing any other gets), the block gets freed. We can only do this because we
+-  know there are no other calls to store_get() going on. */
++  doing any other gets), the block gets freed. We can only do this release if
++  there were no allocations since the once that we want to free. */
+ 
+   if (ptr >= header_size - 4)
+     {
+@@ -1820,9 +1820,10 @@ for (;;)
+     header_size *= 2;
+     if (!store_extend(next->text, oldsize, header_size))
+       {
++      BOOL release_ok = store_last_get[store_pool] == next->text;
+       uschar *newtext = store_get(header_size);
+       memcpy(newtext, next->text, ptr);
+-      store_release(next->text);
++      if (release_ok) store_release(next->text);
+       next->text = newtext;
+       }
+     }
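Review bot: the guard `+      BOOL release_ok = store_last_get[store_pool] == next->text;` is evaluated before `store_get(header_size)` on the following line, which is the correct order: once the new block has been allocated it becomes the pool's last get, so a comparison made after it would always fail and the release would never run. On the false path the old block is simply left allocated instead of released, which is the intended trade against the use-after-free named in the log; a one-line comment saying so next to `+      if (release_ok) store_release(next->text);` would spare the next reader from wondering whether the leak is deliberate. One nit in the revised comment of the first hunk: `+  there were no allocations since the once that we want to free. */` should read "the one"; since this file mirrors upstream commit 4e6ae6235c68de243b1c2419027472d7659aa2b4, that is best corrected upstream rather than diverged in the port's copy.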


