From 62c96cdc52a66342080b1180104b8a77ff3b6a9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Fri, 1 Dec 2017 14:21:49 +0100
Subject: [PATCH] Fixed denial of service

Resolves: CVE-2017-16944
---
 exim-4.89-CVE-2017-16944.patch | 41 ++++++++++++++++++++++++++++++++++
 exim.spec | 10 ++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 exim-4.89-CVE-2017-16944.patch

diff --git a/exim-4.89-CVE-2017-16944.patch b/exim-4.89-CVE-2017-16944.patch
new file mode 100644
index 0000000..81e8032
--- /dev/null
+++ b/exim-4.89-CVE-2017-16944.patch
@@ -0,0 +1,41 @@
+diff --git a/src/receive.c b/src/receive.c
+index 3246621..f19c8b9 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -1827,7 +1827,7 @@ for (;;)
+ prevent further reading), and break out of the loop, having freed the
+ empty header, and set next = NULL to indicate no data line. */
+ 
+- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
++ if (ptr == 0 && ch == '.' && dot_ends)
+ {
+ ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+ if (ch == '\r')
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index 1b45f84..0207540 100644
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -4955,16 +4955,23 @@ while (done <= 0)
+ DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+ (int)chunking_state, chunking_data_left);
+ 
++ /* push the current receive_* function on the "stack", and
++ replace them by bdat_getc(), which in turn will use the lwr_receive_*
++ functions to do the dirty work. */
+ lwr_receive_getc = receive_getc;
+ lwr_receive_ungetc = receive_ungetc;
++
+ receive_getc = bdat_getc;
+ receive_ungetc = bdat_ungetc;
++
++ dot_ends = FALSE;
++
+ goto DATA_BDAT;
+ }
+ 
+ case DATA_CMD:
+ HAD(SCH_DATA);
++ dot_ends = TRUE;
+ 
+ DATA_BDAT: /* Common code for DATA and BDAT */
+ if (!discarded && recipients_count <= 0)
diff --git a/exim.spec b/exim.spec
index 6501d35..031ddb2 100644
--- a/exim.spec
+++ b/exim.spec
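Review bot: The receive.c guard now keys header-loop dot-termination solely on `dot_ends`, yet the backport assigns `dot_ends` only inside the smtp_in.c command switch (`dot_ends = FALSE;` before the BDAT `goto DATA_BDAT`, `dot_ends = TRUE;` under `case DATA_CMD:`), so any SMTP input path that previously relied on `smtp_input` forcing the terminator and does not pass through these two assignments would silently lose it; the global's default for such paths cannot be seen here and should be confirmed against the rest of receive.c and smtp_in.c. The ordering looks right for the two commands visible: both assignments precede the shared `DATA_BDAT:` code, so the header loop reads the value set for the command in flight. Both enclosing functions — the `for (;;)` header loop in receive.c and the `while (done <= 0)` command switch in smtp_in.c — start and end outside the hunk. The new patch file carries no provenance line; a short preamble naming the upstream bug (https://bugs.exim.org/show_bug.cgi?id=2201, as the spec already cites) and the upstream commit it was taken from would match how Patch30 is documented and make future rebases easier to audit.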
@@ -15,7 +15,7 @@
 Summary: The exim mail transfer agent
 Name: exim
 Version: 4.89
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@@ -76,7 +76,10 @@ Patch29: exim-4.89-CVE-2017-1000369.patch
 # Backported from upstream:
 # https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
 Patch30: exim-4.89-calloutsize.patch
+# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2199
 Patch31: exim-4.89-CVE-2017-16943.patch
+# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2201
+Patch32: exim-4.89-CVE-2017-16944.patch
 
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@@ -239,6 +242,7 @@ greylisting unconditional.
 %patch29 -p1 -b .CVE-2017-1000369
 %patch30 -p1 -b .calloutsize
 %patch31 -p1 -b .CVE-2017-16943
+%patch32 -p1 -b .CVE-2017-16944
 
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@@ -631,6 +635,10 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 
 %changelog
+* Fri Dec 1 2017 Jaroslav Škarvada - 4.89-4
+- Fixed denial of service
+ Resolves: CVE-2017-16944
+
 * Mon Nov 27 2017 Jaroslav Škarvada - 4.89-3
 - Fixed use-after-free
  Resolves: CVE-2017-16943