From 8bdd6e1817af978a7d66a2697fed577b5bc29e8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= Date: Mon, 27 Nov 2017 15:34:56 +0100 Subject: [PATCH] Fixed use-after-free Resolves: CVE-2017-16943 --- exim-4.89-CVE-2017-16943.patch | 27 +++++++++++++++++++++++++++ exim.spec | 8 +++++++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 exim-4.89-CVE-2017-16943.patch diff --git a/exim-4.89-CVE-2017-16943.patch b/exim-4.89-CVE-2017-16943.patch new file mode 100644 index 0000000..bd3468d --- /dev/null +++ b/exim-4.89-CVE-2017-16943.patch @@ -0,0 +1,27 @@ +diff --git a/src/receive.c b/src/receive.c +index 7980c32..3246621 100644 +--- a/src/receive.c ++++ b/src/receive.c +@@ -1772,8 +1772,8 @@ for (;;) + (and sometimes lunatic messages can have ones that are 100s of K long) we + call store_release() for strings that have been copied - if the string is at + the start of a block (and therefore the only thing in it, because we aren't +- doing any other gets), the block gets freed. We can only do this because we +- know there are no other calls to store_get() going on. */ ++ doing any other gets), the block gets freed. We can only do this release if ++ there were no allocations since the once that we want to free. */ + + if (ptr >= header_size - 4) + { +@@ -1782,9 +1782,10 @@ for (;;) + header_size *= 2; + if (!store_extend(next->text, oldsize, header_size)) + { ++ BOOL release_ok = store_last_get[store_pool] == next->text; + uschar *newtext = store_get(header_size); + memcpy(newtext, next->text, ptr); +- store_release(next->text); ++ if (release_ok) store_release(next->text); + next->text = newtext; + } + } diff --git a/exim.spec b/exim.spec index d0ac7cf..6501d35 100644 --- a/exim.spec +++ b/exim.spec @@ -15,7 +15,7 @@ Summary: The exim mail transfer agent Name: exim Version: 4.89 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Url: http://www.exim.org/ Group: System Environment/Daemons @@ -76,6 +76,7 @@ Patch29: exim-4.89-CVE-2017-1000369.patch # Backported from upstream: # https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b Patch30: exim-4.89-calloutsize.patch +Patch31: exim-4.89-CVE-2017-16943.patch Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: /etc/aliases @@ -237,6 +238,7 @@ greylisting unconditional. %patch28 -p1 -b .mariadb-10.2-compile-fix %patch29 -p1 -b .CVE-2017-1000369 %patch30 -p1 -b .calloutsize +%patch31 -p1 -b .CVE-2017-16943 cp src/EDITME Local/Makefile sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile @@ -629,6 +631,10 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || : %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Mon Nov 27 2017 Jaroslav Škarvada - 4.89-3 +- Fixed use-after-free + Resolves: CVE-2017-16943 + * Fri Aug 18 2017 Jaroslav Škarvada - 4.89-2 - Fixed compilation with the mariadb-10.2 Resolves: rhbz#1467312