[Bug 223777] mail/procmail: CVE-2017-16844 heap overflow affecting formail
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue Nov 21 04:22:34 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223777
Bug ID: 223777
Summary: mail/procmail: CVE-2017-16844 heap overflow affecting
formail
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: sunpoet at FreeBSD.org
Reporter: jdc at koitsu.org
Assignee: sunpoet at FreeBSD.org
Flags: maintainer-feedback?(sunpoet at FreeBSD.org)
procmail's formail utility contains a heap overflow which can cause a
denial-of-service if given certain malformed mail.
Details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
https://www.debian.org/security/2017/dsa-4041
https://usn.ubuntu.com/usn/usn-3483-1/
Patch for 3.22, which I'll also attach, but be aware FreeBSD uses procmail 3.21
and I'm unsure if the patch is compatible:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511#10
If upgrading to procmail 3.22 is thus required, this is the location for the
code (the official procmail website has been down for almost 4 months now):
http://www.ring.gr.jp/archives/net/mail/procmail/procmail-3.22.tar.gz
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-ports-bugs
mailing list