Fixed use-after-free

Resolves: CVE-2017-16943
2017-11-27 15:34:56 +01:00 · 2017-11-27 15:34:56 +01:00 · 8bdd6e1817
commit 8bdd6e1817
parent ea73ae82d0
2 changed files with 34 additions and 1 deletions
--- a/exim-4.89-CVE-2017-16943.patch
+++ b/exim-4.89-CVE-2017-16943.patch
@ -0,0 +1,27 @@
+diff --git a/src/receive.c b/src/receive.c
+index 7980c32..3246621 100644
+--- a/src/receive.c
+++ b/src/receive.c
+@@ -1772,8 +1772,8 @@ for (;;)
+   (and sometimes lunatic messages can have ones that are 100s of K long) we
+   call store_release() for strings that have been copied - if the string is at
+   the start of a block (and therefore the only thing in it, because we aren't
+-  doing any other gets), the block gets freed. We can only do this because we
+-  know there are no other calls to store_get() going on. */
+  doing any other gets), the block gets freed. We can only do this release if
+  there were no allocations since the once that we want to free. */
+ 
+   if (ptr >= header_size - 4)
+     {
+@@ -1782,9 +1782,10 @@ for (;;)
+     header_size *= 2;
+     if (!store_extend(next->text, oldsize, header_size))
+       {
+      BOOL release_ok = store_last_get[store_pool] == next->text;
+       uschar *newtext = store_get(header_size);
+       memcpy(newtext, next->text, ptr);
+-      store_release(next->text);
+      if (release_ok) store_release(next->text);
+       next->text = newtext;
+       }
+     }
--- a/exim.spec
+++ b/exim.spec
@ -15,7 +15,7 @@
 Summary: The exim mail transfer agent
 Name: exim
 Version: 4.89
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@ -76,6 +76,7 @@ Patch29: exim-4.89-CVE-2017-1000369.patch
 # Backported from upstream:
 # https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
 Patch30: exim-4.89-calloutsize.patch
+Patch31: exim-4.89-CVE-2017-16943.patch

 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@ -237,6 +238,7 @@ greylisting unconditional.
 %patch28 -p1 -b .mariadb-10.2-compile-fix
 %patch29 -p1 -b .CVE-2017-1000369
 %patch30 -p1 -b .calloutsize
+%patch31 -p1 -b .CVE-2017-16943

 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -629,6 +631,10 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh

 %changelog
+* Mon Nov 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-3
+- Fixed use-after-free
+  Resolves: CVE-2017-16943
+
 * Fri Aug 18 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-2
 - Fixed compilation with the mariadb-10.2
  Resolves: rhbz#1467312