Fixed denial of service

Resolves: CVE-2017-16944
2017-12-01 14:21:49 +01:00 · 2017-12-01 14:21:49 +01:00 · 62c96cdc52
parent 8bdd6e1817
commit 62c96cdc52
2 changed files with 50 additions and 1 deletions
--- a/exim-4.89-CVE-2017-16944.patch
+++ b/exim-4.89-CVE-2017-16944.patch
@ -0,0 +1,41 @@
+diff --git a/src/receive.c b/src/receive.c
+index 3246621..f19c8b9 100644
+--- a/src/receive.c
+++ b/src/receive.c
+@@ -1827,7 +1827,7 @@ for (;;)
+   prevent further reading), and break out of the loop, having freed the
+   empty header, and set next = NULL to indicate no data line. */
+ 
+-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+  if (ptr == 0 && ch == '.' && dot_ends)
+     {
+     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (ch == '\r')
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index 1b45f84..0207540 100644
+--- a/src/smtp_in.c
+++ b/src/smtp_in.c
+@@ -4955,16 +4955,23 @@ while (done <= 0)
+       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+ 				    (int)chunking_state, chunking_data_left);
+ 
+      /* push the current receive_* function on the "stack", and
+      replace them by bdat_getc(), which in turn will use the lwr_receive_*
+      functions to do the dirty work. */
+       lwr_receive_getc = receive_getc;
+       lwr_receive_ungetc = receive_ungetc;
+
+       receive_getc = bdat_getc;
+       receive_ungetc = bdat_ungetc;
+ 
+      dot_ends = FALSE;
+
+       goto DATA_BDAT;
+       }
+ 
+     case DATA_CMD:
+     HAD(SCH_DATA);
+    dot_ends = TRUE;
+ 
+     DATA_BDAT:		/* Common code for DATA and BDAT */
+     if (!discarded && recipients_count <= 0)
--- a/exim.spec
+++ b/exim.spec
@ -15,7 +15,7 @@
 Summary: The exim mail transfer agent
 Name: exim
 Version: 4.89
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@ -76,7 +76,10 @@ Patch29: exim-4.89-CVE-2017-1000369.patch
 # Backported from upstream:
 # https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
 Patch30: exim-4.89-calloutsize.patch
+# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2199
 Patch31: exim-4.89-CVE-2017-16943.patch
+# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2201
+Patch32: exim-4.89-CVE-2017-16944.patch

 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@ -239,6 +242,7 @@ greylisting unconditional.
 %patch29 -p1 -b .CVE-2017-1000369
 %patch30 -p1 -b .calloutsize
 %patch31 -p1 -b .CVE-2017-16943
+%patch32 -p1 -b .CVE-2017-16944

 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -631,6 +635,10 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh

 %changelog
+* Fri Dec  1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-4
+- Fixed denial of service
+  Resolves: CVE-2017-16944
+
 * Mon Nov 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-3
 - Fixed use-after-free
  Resolves: CVE-2017-16943