Fixed denial of service

Resolves: CVE-2017-16944
2017-12-01 12:25:05 +01:00 · 2017-12-01 12:25:05 +01:00 · abd09da2d4
parent 0b307bc6ad
commit abd09da2d4
2 changed files with 50 additions and 1 deletions
--- a/exim-4.89-CVE-2017-16944.patch
+++ b/exim-4.89-CVE-2017-16944.patch
@ -0,0 +1,41 @@
+diff --git a/src/receive.c b/src/receive.c
+index 3246621..f19c8b9 100644
+--- a/src/receive.c
+++ b/src/receive.c
+@@ -1827,7 +1827,7 @@ for (;;)
+   prevent further reading), and break out of the loop, having freed the
+   empty header, and set next = NULL to indicate no data line. */
+ 
+-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+  if (ptr == 0 && ch == '.' && dot_ends)
+     {
+     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (ch == '\r')
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index 1b45f84..0207540 100644
+--- a/src/smtp_in.c
+++ b/src/smtp_in.c
+@@ -4955,16 +4955,23 @@ while (done <= 0)
+       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+ 				    (int)chunking_state, chunking_data_left);
+ 
+      /* push the current receive_* function on the "stack", and
+      replace them by bdat_getc(), which in turn will use the lwr_receive_*
+      functions to do the dirty work. */
+       lwr_receive_getc = receive_getc;
+       lwr_receive_ungetc = receive_ungetc;
+
+       receive_getc = bdat_getc;
+       receive_ungetc = bdat_ungetc;
+ 
+      dot_ends = FALSE;
+
+       goto DATA_BDAT;
+       }
+ 
+     case DATA_CMD:
+     HAD(SCH_DATA);
+    dot_ends = TRUE;
+ 
+     DATA_BDAT:		/* Common code for DATA and BDAT */
+     if (!discarded && recipients_count <= 0)
--- a/exim.spec
+++ b/exim.spec
@ -14,7 +14,7 @@
 Summary: The exim mail transfer agent
 Name: exim
 Version: 4.89
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@ -69,7 +69,10 @@ Patch28: exim-4.89-CVE-2017-1000369.patch
 # https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
 Patch29: exim-4.89-calloutsize.patch
 Patch30: exim-4.89-mariadb-macro-fix.patch
+# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2199
 Patch31: exim-4.89-CVE-2017-16943.patch
+# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2201
+Patch32: exim-4.89-CVE-2017-16944.patch

 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@ -220,6 +223,7 @@ greylisting unconditional.
 %patch29 -p1 -b .calloutsize
 %patch30 -p1 -b .mariadb-macro-fix
 %patch31 -p1 -b .CVE-2017-16943
+%patch32 -p1 -b .CVE-2017-16944

 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -600,6 +604,10 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh

 %changelog
+* Fri Dec  1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-9
+- Fixed denial of service
+  Resolves: CVE-2017-16944
+
 * Thu Nov 30 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-8
 - Dropped tcp_wrappers support
  Resolves: rhbz#1518763