A CVE was assigned for a buffer overflow in procmail's formail utility:
http://seclists.org/oss-sec/2014/q3/495

There's a PoC mbox file attached to that message and more details in that thread.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated procmail package fixes security vulnerability:

A heap-based buffer overflow was reported in procmail's formail utility when
parsing addresses with unbalanced quotes (CVE-2014-3618).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618
https://bugzilla.redhat.com/show_bug.cgi?id=1137581
========================

Updated packages in core/updates_testing:
========================
procmail-3.22-18.1.mga3
procmail-3.22-19.1.mga4

from SRPMS:
procmail-3.22-18.1.mga3.src.rpm
procmail-3.22-19.1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Testing complete mga4 64

Downloaded mbox.bin from the link in comment 0

Before
------
$ formail -s < ./mbox.bin > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x0000000001fad180 ***
Segmentation fault

After
-----
$ formail -s < ./mbox.bin > /dev/null

No segfault so remove the redirect to see what it's doing..

$ formail -s < ./mbox.bin
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
...etc

Shows the email thread.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing mga3 32

Doesn't appear vulnerable.

$ formail -s < mbox.bin
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
...etc

$ rpm -q procmail
procmail-3.22-18.mga3

Appears OK with the update also. I'll check mga3 64 too.

Testing complete mga3 64

It appears to only affect 64bit builds. Adding the OK's.

Before
------
$ formail -s < mbox.bin > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x00000000017ef100 ***
Segmentation fault

After
-----
$ formail -s < mbox.bin
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Debian and Ubuntu have issued advisories for this on September 4: https://www.debian.org/security/2014/dsa-3019 http://www.ubuntu.com/usn/usn-2340-1/
URL: (none) => http://lwn.net/Vulnerabilities/610939/
Testing complete mga4 32 Again 32bit appears not to be vulnerable.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
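The before/after check from the test comments above, wrapped as a script so it can be repeated per release and architecture. This is an added example, not part of the bug report or of procmail; the function name and verdict strings are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: classify one `formail -s` run.
# Usage: classify_formail_run FORMAIL_BIN MBOX_FILE
# Prints NO-CRASH, CRASH:<signal> or HEAP-DIAGNOSTIC (names are illustrative);
# returns 0 only for NO-CRASH.
classify_formail_run() {
    bin=$1
    mbox=$2
    err=$(mktemp) || return 2

    # Same invocation as in the test comments. LIBC_FATAL_STDERR_ makes older
    # glibc write its abort message to stderr instead of the terminal.
    LIBC_FATAL_STDERR_=1 "$bin" -s < "$mbox" > /dev/null 2> "$err" \
        && status=0 || status=$?

    if [ "$status" -gt 128 ]; then
        # The shell reports death by signal N as exit status 128+N.
        verdict="CRASH:$((status - 128))"
    elif grep -Eq 'free\(\)|malloc\(\)|double free|corrupted' "$err"; then
        # glibc heap-consistency message without a fatal signal being seen.
        verdict="HEAP-DIAGNOSTIC"
    else
        verdict="NO-CRASH"
    fi
    rm -f "$err"
    echo "$verdict"
    [ "$verdict" = "NO-CRASH" ]
}

# Run only when called with arguments, e.g.:
#   sh check_formail.sh /usr/bin/formail ./mbox.bin
if [ "$#" -eq 2 ]; then
    classify_formail_run "$1" "$2"
fi
```

A NO-CRASH verdict only means this run did not abort; heap corruption is not always detected at run time, so `rpm -q procmail` should still confirm the updated package is the one installed.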
Validating. Advisory from comment 0 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0373.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED