1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
From 2600301ba6dbac5c9d640c87007a07ee6dcea1f4 Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Mon, 19 Aug 2019 14:45:48 +0200
Subject: [PATCH] string.c: do not interpret '\\' before '\0' (CVE-2019-15846)
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -4,6 +4,11 @@ This document describes *changes* to pre
affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
+Exim version 4.92.2
+-------------------
+
+HS/01 Handle trailing backslash gracefully. (CVE-2019-15846)
+
Since version 4.92
------------------
--- a/src/string.c
+++ b/src/string.c
@@ -224,6 +224,8 @@ interpreted in strings.
Arguments:
pp points a pointer to the initiating "\" in the string;
the pointer gets updated to point to the final character
+ If the backslash is the last character in the string, it
+ is not interpreted.
Returns: the value of the character escape
*/
@@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789
int ch;
const uschar *p = *pp;
ch = *(++p);
+if (ch == '\0') return **pp;
if (isdigit(ch) && ch != '8' && ch != '9')
{
ch -= '0';
@@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count);
g->ptr = p + count;
return g;
}
-
-
+
+
gstring *
string_cat(gstring *string, const uschar *s)
{
|
