path: root/debian/patches/84_05-CVE-2020-28011-Heap-buffer-overflow-in-queue_run.patch
Diffstat (limited to 'debian/patches/84_05-CVE-2020-28011-Heap-buffer-overflow-in-queue_run.patch')
-rw-r--r--debian/patches/84_05-CVE-2020-28011-Heap-buffer-overflow-in-queue_run.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/debian/patches/84_05-CVE-2020-28011-Heap-buffer-overflow-in-queue_run.patch b/debian/patches/84_05-CVE-2020-28011-Heap-buffer-overflow-in-queue_run.patch
new file mode 100644
index 0000000..086644b
--- /dev/null
+++ b/debian/patches/84_05-CVE-2020-28011-Heap-buffer-overflow-in-queue_run.patch
@@ -0,0 +1,39 @@
+From 9970ba4d8b9477d98c722221b6b7b97f03104b9f Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 19:22:33 -0800
+Subject: [PATCH 05/29] CVE-2020-28011: Heap buffer overflow in queue_run()
+
+---
+ src/queue.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/queue.c b/src/queue.c
+index 92109ef92..41af5b85e 100644
+--- a/src/queue.c
++++ b/src/queue.c
+@@ -416,12 +416,18 @@ if (!recurse)
+ p += sprintf(CS p, " -q%s", extras);
+
+ if (deliver_selectstring)
+- p += sprintf(CS p, " -R%s %s", f.deliver_selectstring_regex? "r" : "",
+- deliver_selectstring);
++ {
++ snprintf(CS p, big_buffer_size - (p - big_buffer), " -R%s %s",
++ f.deliver_selectstring_regex? "r" : "", deliver_selectstring);
++ p += strlen(CCS p);
++ }
+
+ if (deliver_selectstring_sender)
+- p += sprintf(CS p, " -S%s %s", f.deliver_selectstring_sender_regex? "r" : "",
+- deliver_selectstring_sender);
++ {
++ snprintf(CS p, big_buffer_size - (p - big_buffer), " -S%s %s",
++ f.deliver_selectstring_sender_regex? "r" : "", deliver_selectstring_sender);
++ p += strlen(CCS p);
++ }
+
+ log_detail = string_copy(big_buffer);
+ if (*queue_name)
+--
+2.30.2
+
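Review bot: Both new snprintf() calls in the `-R` and `-S` branches discard the return value, so a selector string that does not fit is cut short silently, and the shortened text is what `string_copy(big_buffer)` then hands to log_detail. The bound itself looks sound provided p is still inside big_buffer on entry: after a truncation p lands on the terminating NUL and the next call is given a size of 1, so nothing is written past the buffer. Consider keeping the result, e.g. `int n = snprintf(CS p, big_buffer_size - (p - big_buffer), " -R%s %s", ...);` followed by `if (n < 0 || n >= big_buffer_size - (p - big_buffer)) /* record the truncation in the log */`, so that an oversized -R/-S argument is visible to whoever reads the queue-run log. The context line `p += sprintf(CS p, " -q%s", extras);` remains unbounded; whether extras is length-limited is decided outside this hunk, as is the rest of the enclosing function.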