diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:47:27 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:47:27 +0000 |
commit | d5eb37dd4a5a433c40c3c1e7ead424add62663f8 (patch) | |
tree | 6a18289cb463d11227d1fa4c990548e50a09d917 /debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch | |
parent | Adding upstream version 4.92. (diff) | |
download | exim4-d5eb37dd4a5a433c40c3c1e7ead424add62663f8.tar.xz exim4-d5eb37dd4a5a433c40c3c1e7ead424add62663f8.zip |
Adding debian version 4.92-8+deb10u6.debian/4.92-8+deb10u6debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch b/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch new file mode 100644 index 0000000..9e3d368 --- /dev/null +++ b/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch @@ -0,0 +1,42 @@ +From 5987d0dfe88ee6081b72857bc8085c7d2afd53a3 Mon Sep 17 00:00:00 2001 +From: Qualys Security Advisory <qsa@qualys.com> +Date: Sun, 21 Feb 2021 19:17:32 -0800 +Subject: [PATCH 04/29] CVE-2020-28010: Heap out-of-bounds write in main() + +Based on Phil Pennock's commit 0f57feb4. +--- + src/exim.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/exim.c b/src/exim.c +index 83b5ef51f..a7dc48c4e 100644 +--- a/src/exim.c ++++ b/src/exim.c +@@ -3664,6 +3664,9 @@ during readconf_main() some expansion takes place already. */ + /* Store the initial cwd before we change directories. Can be NULL if the + dir has already been unlinked. */ + initial_cwd = os_getcwd(NULL, 0); ++if (initial_cwd && strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE) { ++ exim_fail("exim: initial cwd is far too long\n"); ++} + + /* checking: + -be[m] expansion test - +@@ -3950,11 +3953,9 @@ if ( (debug_selector & D_any || LOGGING(arguments)) + p += 13; + else + { +- Ustrncpy(p + 4, initial_cwd, big_buffer_size-5); +- p += 4 + Ustrlen(initial_cwd); +- /* in case p is near the end and we don't provide enough space for +- * string_format to be willing to write. */ +- *p = '\0'; ++ p += 4; ++ snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd); ++ p += strlen(CCS p); + } + + (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc); +-- +2.30.2 + |