summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Korsgaard <peter@korsgaard.com>2018-02-19 16:14:35 (GMT)
committerPeter Korsgaard <peter@korsgaard.com>2018-02-20 08:04:53 (GMT)
commit8343069e2c3cc79ad14600816a772fcd7592e291 (patch)
treea4da3de7bc5d26fbd83457c75ae4d90de6d4e2a3
parent157a198d304224c12fa0d91d977a6619d021f5c6 (diff)
downloadbuildroot-master.tar.gz
buildroot-master.tar.bz2
exim: add upstream security fixHEADmaster
Fixes the following security issue: CVE-2018-6789: Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message. Dropped ChangeLog hunk and adjusted file path of upstream commit so it applies to tarball. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r--package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch b/package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch
new file mode 100644
index 0000000..1811a7f
--- /dev/null
+++ b/package/exim/0005-Fix-base64d-buffer-size-CVE-2018-6789.patch
@@ -0,0 +1,37 @@
+From 062990cc1b2f9e5d82a413b53c8f0569075de700 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
+Date: Mon, 5 Feb 2018 22:23:32 +0100
+Subject: [PATCH] Fix base64d() buffer size (CVE-2018-6789)
+
+Credits for discovering this bug: Meh Chang <meh@devco.re>
+
+[Peter: Drop ChangeLog change, fix path]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/base64.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index f6f187f0..e58ca6c7 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -152,10 +152,14 @@ static uschar dec64table[] = {
+ int
+ b64decode(const uschar *code, uschar **ptr)
+ {
++
+ int x, y;
+-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
++uschar *result;
+
+-*ptr = result;
++{
++ int l = Ustrlen(code);
++ *ptr = result = store_get(1 + l/4 * 3 + l%4);
++}
+
+ /* Each cycle of the loop handles a quantum of 4 input bytes. For the last
+ quantum this may decode to 1, 2, or 3 output bytes. */
+--
+2.11.0
+