Fedora has issued an advisory today (October 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKF7SN6RKVFTADUVEPX2ZA5USDIVPKEA/

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated procmail package fixes security vulnerability:

A flaw was found in the loadbuf function in formisc.c. When the buffer is too small, the function tries to resize it, but only by Bsize (=128) bytes. This is not necessarily enough and could cause denial of service.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKF7SN6RKVFTADUVEPX2ZA5USDIVPKEA/
========================

Updated packages in core/updates_testing:
========================
procmail-3.22-23.1.mga5
procmail-3.22-24.1.mga6

from SRPMS:
procmail-3.22-23.1.mga5.src.rpm
procmail-3.22-24.1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
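The advisory describes the defect as a buffer that is resized by a fixed Bsize of 128 bytes regardless of how much data must be stored. The following is an added illustration, not procmail's loadbuf or any code from this bug: it contrasts that fixed-step policy (modelled only as an arithmetic check, so nothing writes out of bounds) with a grow-to-fit buffer that always reaches the required size in one resize. The names linebuf, linebuf_append, fixed_step_suffices and capacity_after_append, and the 600-byte sample header, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BSIZE 128  /* the fixed increment the advisory names (Bsize) */

/* Growable byte buffer (hypothetical type, not procmail's). */
struct linebuf {
    char  *data;
    size_t len;   /* bytes currently stored */
    size_t cap;   /* bytes allocated */
};

/* Arithmetic model of the fixed-step policy: would growing a buffer of
 * capacity `cap` by exactly one `step`-byte increment make room for
 * `need` bytes?  No memory is touched; this only shows when the policy
 * falls short of what the input requires. */
int fixed_step_suffices(size_t cap, size_t need, size_t step)
{
    return cap + step >= need;
}

/* Grow b so that at least `need` bytes fit.  The capacity is doubled until
 * it covers `need`, so one call always reaches the required size. */
int linebuf_reserve(struct linebuf *b, size_t need)
{
    size_t ncap;
    char *p;

    if (need <= b->cap)
        return 0;
    ncap = b->cap ? b->cap : BSIZE;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2)   /* size_t overflow guard */
            return -1;
        ncap *= 2;
    }
    p = realloc(b->data, ncap);
    if (p == NULL)
        return -1;
    b->data = p;
    b->cap = ncap;
    return 0;
}

/* Append n bytes from src, growing the buffer first.  Returns 0 on
 * success, -1 on allocation failure or length overflow. */
int linebuf_append(struct linebuf *b, const char *src, size_t n)
{
    if (n > SIZE_MAX - b->len)
        return -1;
    if (linebuf_reserve(b, b->len + n) != 0)
        return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

void linebuf_free(struct linebuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Append a constructed header line of `hdrlen` bytes to an empty buffer and
 * return the capacity that was allocated (0 on failure).  With hdrlen well
 * above BSIZE this is exactly the case a single +128 step cannot cover. */
size_t capacity_after_append(size_t hdrlen)
{
    struct linebuf b = { NULL, 0, 0 };
    char *hdr = malloc(hdrlen);
    size_t cap = 0;

    if (hdr == NULL)
        return 0;
    memset(hdr, 'A', hdrlen);         /* constructed sample data */
    if (linebuf_append(&b, hdr, hdrlen) == 0 && b.len == hdrlen)
        cap = b.cap;
    free(hdr);
    linebuf_free(&b);
    return cap;
}

int main(void)
{
    size_t need = 600;   /* constructed: a 600-byte header value */
    printf("one %d-byte step from an empty buffer suffices for %zu bytes: %s\n",
           BSIZE, need, fixed_step_suffices(0, need, BSIZE) ? "yes" : "no");
    printf("grow-to-fit capacity after appending %zu bytes: %zu\n",
           need, capacity_after_append(need));
    return 0;
}
```

The point of the contrast is that the growth policy must be derived from the length of the data about to be copied, not from a constant; a reviewer checking a buffer-resize fix should look for exactly that dependency, and a valgrind run over a long-header input (as in the Red Hat test referenced later in this bug) is the practical way to confirm it.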
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Followed test as per bug 14056 Comment 1, I will attach the mbox.bin here.
At CLI:
$ formail -s < ./mbox.bin
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
Path: g2news1.google.com!postnews.google.com!g44g2000cwa.googlegroups.com!not-for-mail
and some more "interesting" text.
Seems OK
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
Created attachment 9742: testbox for formail
Testing M6/64

Using the given input binary mbox (thanks Claire & Herman) as prescribed.
However:
"-s The input will be split up into separate mail messages, and piped into a program one by one ... If you omit the program, then formail will simply concatenate the split mails on stdout again."

Note that 'formail' is one of several programs in this package; the others are 'lockfile', 'mailstat', 'procmail' itself.

https://bugzilla.redhat.com/show_bug.cgi?id=1500070#c4 shows the test for this bug, which does use 'formail' (via valgrind), so that is OK. It also indicates a PoC file, but this is (alas) not visibly available. The test is clear, and a good basis for confidence.

BEFORE the update: procmail-3.22-24.mga6
$ formail -s < ./mbox.bin > before

AFTER the update: procmail-3.22-24.1.mga6
$ formail -s < ./mbox.bin > after

The two output files start as shown in comment 1, and are identical. Identical also to the input mbox.bin [see note above on -s option].

Validating this as it has one of each release & architecture.
Will do the advisory from comment 0, adding a Debian ref from the RedHat one. No CVE yet.
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0392.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Debian has issued an advisory for this on November 19:
https://www.debian.org/security/2017/dsa-4041
It has been assigned CVE-2017-16844.
Summary: procmail new heap-based buffer overflow security issue => procmail new heap-based buffer overflow security issue (CVE-2017-16844)