summaryrefslogtreecommitdiffstats
path: root/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch b/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch
new file mode 100644
index 0000000..9e3d368
--- /dev/null
+++ b/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch
@@ -0,0 +1,42 @@
+From 5987d0dfe88ee6081b72857bc8085c7d2afd53a3 Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 19:17:32 -0800
+Subject: [PATCH 04/29] CVE-2020-28010: Heap out-of-bounds write in main()
+
+Based on Phil Pennock's commit 0f57feb4.
+---
+ src/exim.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/exim.c b/src/exim.c
+index 83b5ef51f..a7dc48c4e 100644
+--- a/src/exim.c
++++ b/src/exim.c
+@@ -3664,6 +3664,9 @@ during readconf_main() some expansion takes place already. */
+ /* Store the initial cwd before we change directories. Can be NULL if the
+ dir has already been unlinked. */
+ initial_cwd = os_getcwd(NULL, 0);
++if (initial_cwd && strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE) {
++ exim_fail("exim: initial cwd is far too long\n");
++}
+
+ /* checking:
+ -be[m] expansion test -
+@@ -3950,11 +3953,9 @@ if ( (debug_selector & D_any || LOGGING(arguments))
+ p += 13;
+ else
+ {
+- Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
+- p += 4 + Ustrlen(initial_cwd);
+- /* in case p is near the end and we don't provide enough space for
+- * string_format to be willing to write. */
+- *p = '\0';
++ p += 4;
++ snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd);
++ p += strlen(CCS p);
+ }
+
+ (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
+--
+2.30.2
+