Bug 21885

Summary: procmail new heap-based buffer overflow security issue (CVE-2017-16844)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Source RPM: procmail-3.22-24.mga6.src.rpm CVE:
Status comment:
Attachments: testbox for formail

Description David Walser 2017-10-17 12:45:15 CEST 
Fedora has issued an advisory today (October 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKF7SN6RKVFTADUVEPX2ZA5USDIVPKEA/

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated procmail package fixes security vulnerability:

A flaw was found in the loadbuf function in formisc.c. When the buffer is too
small, the function tries to resize it, but only by Bsize (=128) bytes. This
is not necessarily enough and could cause denial of service.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKF7SN6RKVFTADUVEPX2ZA5USDIVPKEA/
========================

Updated packages in core/updates_testing:
========================
procmail-3.22-23.1.mga5
procmail-3.22-24.1.mga6

from SRPMS:
procmail-3.22-23.1.mga5.src.rpm
procmail-3.22-24.1.mga6.src.rpm
David Walser 2017-10-17 12:45:22 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Herman Viaene 2017-10-20 15:19:33 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Followed test as per bug 14056 Comment 1, I will attach the mbox.bin here
at CLI
$ formail -s < ./mbox.bin
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
Path: g2news1.google.com!postnews.google.com!g44g2000cwa.googlegroups.com!not-for-mail
and some more "interesting" text.
Seems OK

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 2 Herman Viaene 2017-10-20 15:20:26 CEST 
Created attachment 9742 [details]
testbox for formail
Comment 3 Lewis Smith 2017-10-27 16:03:19 CEST 
Testing M6/64
Using the given input binary mbox (thanks Claire & Herman) as prescribed.
However:
"-s   The  input  will  be  split  up into separate mail messages, and piped into a program one by one ... If you omit the program, then formail will simply concatenate the split mails on stdout again."
Note that 'formail' is one of several programs in this package; the others are 'lockfile', 'mailstat', 'procmail' itself.

 https://bugzilla.redhat.com/show_bug.cgi?id=1500070#c4
shows the test for this bug, which does use 'formail' (via valgrind), so that is OK. It also indicates a PoC file, but this is (alas) not visibly available. The test is clear, and a good basis for confidence.

BEFORE the update: procmail-3.22-24.mga6
 $ formail -s < ./mbox.bin > before

AFTER the update: procmail-3.22-24.1.mga6
 $ formail -s < ./mbox.bin > after
The two output files start as shown in comment 1, and are identical.
Identical also to the input mbox.bin [see note above on -s option].

Validating this as it has one of each release & architecture.
Will do the advisory from comment 0, adding a Debian ref from the RedHat one. No CVE yet.

CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update

Comment 4 Mageia Robot 2017-10-30 20:24:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0392.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2017-11-22 19:38:19 CET 
Debian has issued an advisory for this on November 19:
https://www.debian.org/security/2017/dsa-4041

It has been assigned CVE-2017-16844.

Summary: procmail new heap-based buffer overflow security issue => procmail new heap-based buffer overflow security issue (CVE-2017-16844)