exim: add upstream security fix

Message ID 20180219161435.20547-1-peter@korsgaard.com
State Accepted
Commit 8343069e2c3cc79ad14600816a772fcd7592e291

Commit Message

Peter Korsgaard Feb. 19, 2018, 4:14 p.m. UTC
Fixes the following security issue:

CVE-2018-6789: Meh Chang discovered a buffer overflow flaw in a utility
function used in the SMTP listener of Exim, a mail transport agent.  A
remote attacker can take advantage of this flaw to cause a denial of
service, or potentially the execution of arbitrary code via a specially
crafted message.

Dropped ChangeLog hunk and adjusted file path of upstream commit so it
applies to tarball.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...005-Fix-base64d-buffer-size-CVE-2018-6789.patch | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch

Comments

Peter Korsgaard Feb. 20, 2018, 8:06 a.m. UTC | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > CVE-2018-6789: Meh Chang discovered a buffer overflow flaw in a utility
 > function used in the SMTP listener of Exim, a mail transport agent.  A
 > remote attacker can take advantage of this flaw to cause a denial of
 > service, or potentially the execution of arbitrary code via a specially
 > crafted message.

 > Dropped ChangeLog hunk and adjusted file path of upstream commit so it
 > applies to tarball.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

Peter Korsgaard April 10, 2018, 8:47 p.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > CVE-2018-6789: Meh Chang discovered a buffer overflow flaw in a utility
 > function used in the SMTP listener of Exim, a mail transport agent.  A
 > remote attacker can take advantage of this flaw to cause a denial of
 > service, or potentially the execution of arbitrary code via a specially
 > crafted message.

 > Dropped ChangeLog hunk and adjusted file path of upstream commit so it
 > applies to tarball.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2017.02.x, thanks.
Patch

diff --git a/package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch b/package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch
new file mode 100644
index 0000000000..1811a7ff98
--- /dev/null
+++ b/package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch
@@ -0,0 +1,37 @@ 
+From 062990cc1b2f9e5d82a413b53c8f0569075de700 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
+Date: Mon, 5 Feb 2018 22:23:32 +0100
+Subject: [PATCH] Fix base64d() buffer size (CVE-2018-6789)
+
+Credits for discovering this bug: Meh Chang <meh@devco.re>
+
+[Peter: Drop ChangeLog change, fix path]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/base64.c      | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index f6f187f0..e58ca6c7 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -152,10 +152,14 @@ static uschar dec64table[] = {
+ int
+ b64decode(const uschar *code, uschar **ptr)
+ {
++
+ int x, y;
+-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
++uschar *result;
+ 
+-*ptr = result;
++{
++  int l = Ustrlen(code);
++  *ptr = result = store_get(1 + l/4 * 3 + l%4);
++}
+ 
+ /* Each cycle of the loop handles a quantum of 4 input bytes. For the last
+ quantum this may decode to 1, 2, or 3 output bytes. */
+-- 
+2.11.0
+
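Review bot: The new allocation in b64decode(), `store_get(1 + l/4 * 3 + l%4)`, has no comment explaining its terms, and since this expression is the entire security fix it should be documented at the point where the buffer is sized. The removed expression `3*(Ustrlen(code)/4) + 1` ignored the remainder of the length modulo 4, while the loop comment directly below says the last quantum may still decode to 1, 2, or 3 output bytes; a short comment stating that `l%4` reserves room for that trailing partial quantum, and what the leading `1` is for, would keep a later cleanup from simplifying it back to the undersized form. Two smaller points: the length is held in an `int` and multiplied with no bound visible in this hunk, so it is worth confirming that callers cap the input length, and the hunk adds a stray empty line immediately after the opening `{` of the function.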