Date: Tue, 21 Nov 2017 04:22:34 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 223777] mail/procmail: CVE-2017-16844 heap overflow affecting formail
Message-ID: <bug-223777-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223777

Bug ID: 223777
Summary: mail/procmail: CVE-2017-16844 heap overflow affecting formail
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: sunpoet@FreeBSD.org
Reporter: jdc@koitsu.org
Flags: maintainer-feedback?(sunpoet@FreeBSD.org)

procmail's formail utility contains a heap overflow which can cause a
denial-of-service if given certain malformed mail.

Details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
https://www.debian.org/security/2017/dsa-4041
https://usn.ubuntu.com/usn/usn-3483-1/

Patch for 3.22, which I'll also attach, but be aware FreeBSD uses procmail
3.21 and I'm unsure if the patch is compatible:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511#10

If upgrading to procmail 3.22 is thus required, this is the location for
the code (the official procmail website has been down for almost 4 months
now):

http://www.ring.gr.jp/archives/net/mail/procmail/procmail-3.22.tar.gz

-- 
You are receiving this mail because:
You are the assignee for the bug.
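The report above names the bug class (a heap overflow in a mail-header utility fed malformed input) but carries no code and no root-cause detail; the actual fix lives in the linked Debian bug. What follows is an added illustration written for this page, not procmail's formail source, of the general pattern behind many such bugs: a heap buffer that is grown by one fixed step when an appended chunk can be longer than that step. The constant BSIZE, the growbuf type and the function names are all constructed for the example. It shows why the weak variant survives ordinary mail yet fails on a single over-long line, and the bounds discipline a reviewer checks for when deciding whether a 3.22 patch carries over to the 3.21 port:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growth step for the heap buffer (constructed constant, not procmail's). */
#define BSIZE 128

struct growbuf {
    char  *data;
    size_t filled;   /* bytes in use */
    size_t cap;      /* bytes allocated */
};

static int growbuf_init(struct growbuf *b)
{
    b->data = malloc(BSIZE);
    if (!b->data) return -1;
    b->filled = 0;
    b->cap = BSIZE;
    return 0;
}

/* Weak pattern: when the buffer is too small, grow it by exactly one BSIZE
 * and assume that is enough.  One chunk longer than BSIZE (e.g. a single
 * very long header line) leaves cap < filled + len, so an unconditional
 * memcpy after this call would write past the end of the heap block.
 * Returns 1 if a following copy of len bytes fits, 0 if it would overflow;
 * the caller must not copy when 0 is returned. */
static int reserve_once(struct growbuf *b, size_t len)
{
    if (b->filled + len > b->cap) {
        char *n = realloc(b->data, b->cap + BSIZE);
        if (!n) return 0;
        b->data = n;
        b->cap += BSIZE;
    }
    return b->filled + len <= b->cap;
}

/* Hardened pattern: compute the capacity actually required, guard the
 * size arithmetic against size_t wraparound, and round up to a multiple
 * of BSIZE so growth stays amortised. */
static int reserve_enough(struct growbuf *b, size_t len)
{
    if (len > SIZE_MAX - b->filled) return 0;        /* would wrap */
    size_t need = b->filled + len;
    if (need <= b->cap) return 1;
    size_t newcap = (need > SIZE_MAX - (BSIZE - 1))
                  ? need
                  : ((need + BSIZE - 1) / BSIZE) * BSIZE;
    char *n = realloc(b->data, newcap);
    if (!n) return 0;
    b->data = n;
    b->cap = newcap;
    return 1;
}

/* Append text using the given reserve policy; 1 on success, 0 if refused.
 * The memcpy is only reached when the policy has vouched for the bounds. */
static int growbuf_append(struct growbuf *b, const char *text, size_t len,
                          int (*reserve)(struct growbuf *, size_t))
{
    if (!reserve(b, len)) return 0;
    memcpy(b->data + b->filled, text, len);
    b->filled += len;
    return 1;
}

/* Constructed input: a short header followed by one 300-byte line, longer
 * than BSIZE.  Returns 1 if both appends were accepted, 0 if refused. */
static int demo_long_line(int (*reserve)(struct growbuf *, size_t))
{
    struct growbuf b;
    if (growbuf_init(&b)) return -1;
    char line[300];
    memset(line, 'A', sizeof line);
    const char *hdr = "From: x@example.org\n";
    int ok = growbuf_append(&b, hdr, strlen(hdr), reserve);
    if (ok) ok = growbuf_append(&b, line, sizeof line, reserve);
    free(b.data);
    return ok;
}

/* Constructed input: ten 50-byte lines, each shorter than BSIZE.  Returns
 * the number of bytes stored; both policies cope with this shape, which is
 * why the weak one goes unnoticed on well-formed mail. */
static size_t demo_short_lines(int (*reserve)(struct growbuf *, size_t))
{
    struct growbuf b;
    if (growbuf_init(&b)) return 0;
    char line[50];
    memset(line, 'B', sizeof line);
    for (int i = 0; i < 10; i++)
        if (!growbuf_append(&b, line, sizeof line, reserve)) break;
    size_t stored = b.filled;
    free(b.data);
    return stored;
}

int main(void)
{
    printf("long line, grow-once: %d\n", demo_long_line(reserve_once));
    printf("long line, grow-enough: %d\n", demo_long_line(reserve_enough));
    printf("short lines, grow-once: %zu\n", demo_short_lines(reserve_once));
    return 0;
}
```

The practical check this suggests for the 3.21 versus 3.22 question: rather than comparing version numbers, locate in the 3.21 source whichever buffer-growth routine the linked Debian patch touches and confirm its growth condition and copy are the same lines the patch rewrites; if the 3.21 code already bounds the copy by the required size, the patch is moot, and if it grows by a single step as above, it needs the same fix regardless of whether the hunk applies cleanly.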