Merge pull request #32101 from adisbladis/exim-CVE-2017-16943

exim: Fix for CVE-2017-16943 RCE vuln

authored by adisbladis and committed by GitHub d276fbaa 36058263

+40
+39
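--- a/pkgs/servers/mail/exim/cve-2017-16943.patch
+++ b/pkgs/servers/mail/exim/cve-2017-16943.patch
@@ -0,0 +1,39 @@
+From 4e6ae6235c68de243b1c2419027472d7659aa2b4 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Fri, 24 Nov 2017 20:22:33 +0000
+Subject: [PATCH] Avoid release of store if there have been later allocations.
+Bug 2199
+
+---
+ src/receive.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/receive.c b/src/receive.c
+index e7e518a..d9b5001 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -1810,8 +1810,8 @@ for (;;)
+ (and sometimes lunatic messages can have ones that are 100s of K long) we
+ call store_release() for strings that have been copied - if the string is at
+ the start of a block (and therefore the only thing in it, because we aren't
+- doing any other gets), the block gets freed. We can only do this because we
+- know there are no other calls to store_get() going on. */
++ doing any other gets), the block gets freed. We can only do this release if
++ there were no allocations since the once that we want to free. */
+
+ if (ptr >= header_size - 4)
+ {
+@@ -1820,9 +1820,10 @@ for (;;)
+ header_size *= 2;
+ if (!store_extend(next->text, oldsize, header_size))
+ {
++ BOOL release_ok = store_last_get[store_pool] == next->text;
+ uschar *newtext = store_get(header_size);
+ memcpy(newtext, next->text, ptr);
+- store_release(next->text);
++ if (release_ok) store_release(next->text);
+ next->text = newtext;
+ }
+ }
+--
+1.9.1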
+1
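--- a/pkgs/servers/mail/exim/default.nix
+++ b/pkgs/servers/mail/exim/default.nix
@@ -14,6 +14,7 @@
 url = "https://anonscm.debian.org/git/pkg-exim4/exim4.git/plain/debian/patches/79_CVE-2017-1000369.patch?h=4.89-2%2bdeb9u1";
 sha256 = "0v46zywgkv1rdqhybqqrd0rwkdaj6q1f4x0a3vm9p0wz8vad3023";
 })
+./cve-2017-16943.patch
 ];
 
 nativeBuildInputs = [ pkgconfig ];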
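Review bot: The new entry at line 17 adds `./cve-2017-16943.patch` as a file vendored into the tree, while the neighbouring CVE-2017-1000369 entry is fetched with a pinned `sha256`; fetching the upstream commit named in the patch header (4e6ae6235c68de243b1c2419027472d7659aa2b4) by hash in the same way would keep the provenance of this security fix verifiable and make it easy to confirm the local copy matches upstream. The list this entry belongs to (presumably `patches`) starts outside the section. If vendoring is kept, a one-line comment next to the entry such as `# Upstream commit 4e6ae6235c68de243b1c2419027472d7659aa2b4 (Exim bug 2199)` would give the same traceability for whoever later checks whether the patch is still needed.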