Bug 21885 - procmail new heap-based buffer overflow security issue (CVE-2017-16844)
Summary: procmail new heap-based buffer overflow security issue (CVE-2017-16844)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-10-17 12:45 CEST by David Walser
Modified: 2017-11-22 19:38 CET (History)

See Also:
Source RPM: procmail-3.22-24.mga6.src.rpm
CVE:
Status comment:


Attachments
testbox for formail (3.51 KB, text/plain)
2017-10-20 15:20 CEST, Herman Viaene

Description David Walser 2017-10-17 12:45:15 CEST
Fedora has issued an advisory today (October 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKF7SN6RKVFTADUVEPX2ZA5USDIVPKEA/

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated procmail package fixes security vulnerability:

A flaw was found in the loadbuf function in formisc.c. When the buffer is too
small, the function tries to resize it, but only by Bsize (=128) bytes. This
is not necessarily enough and could cause denial of service.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKF7SN6RKVFTADUVEPX2ZA5USDIVPKEA/
========================

Updated packages in core/updates_testing:
========================
procmail-3.22-23.1.mga5
procmail-3.22-24.1.mga6

from SRPMS:
procmail-3.22-23.1.mga5.src.rpm
procmail-3.22-24.1.mga6.src.rpm
David Walser 2017-10-17 12:45:22 CEST

Whiteboard: (none) => MGA5TOO
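The resize behaviour the advisory describes, as an added example that is not procmail's own code: a small model of the growth step in loadbuf() (when the data does not fit, grow the buffer by Bsize=128 once and then copy) next to a corrected form that sizes the buffer to the data actually being appended. The struct and function names (growbuf, loadbuf_vulnerable, loadbuf_fixed, try_append, capacity_after) are this example's own assumptions, and the 'A'-filled input line stands in for one oversized header line. The real loadbuf() performs the copy without the guard shown in the vulnerable variant, which is exactly why a single chunk larger than the free space plus 128 bytes writes past the end of the heap allocation; the guard here only makes the demonstration safe to run.

```c
/* Added example (not procmail's code): a model of the fixed-step resize in
 * loadbuf()/formisc.c as the advisory describes it, beside a corrected form.
 * All names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BSIZE 128               /* procmail's Bsize: the fixed growth step */

struct growbuf {
    char  *buf;                 /* heap allocation */
    size_t filled;              /* bytes in use */
    size_t len;                 /* allocation size */
};

static int gb_init(struct growbuf *g)
{
    g->filled = 0;
    g->len    = BSIZE;
    g->buf    = malloc(g->len);
    return g->buf ? 0 : -1;
}

static void gb_free(struct growbuf *g)
{
    free(g->buf);
    g->buf = NULL;
    g->filled = g->len = 0;
}

/* Vulnerable pattern: if the data does not fit, grow by exactly BSIZE once
 * and copy. One chunk larger than (free space + BSIZE) is then copied past
 * the end of the allocation. To stay runnable without corrupting the heap,
 * the copy is guarded here and 1 is returned where the real code would
 * overflow; the original has no such guard. */
static int loadbuf_vulnerable(struct growbuf *g, const char *text, size_t n)
{
    if (g->filled + n > g->len) {
        char *p = realloc(g->buf, g->len + BSIZE);
        if (!p)
            return -1;
        g->buf = p;
        g->len += BSIZE;
    }
    if (g->filled + n > g->len)         /* guard added for the demo only */
        return 1;
    memmove(g->buf + g->filled, text, n);
    g->filled += n;
    return 0;
}

/* Corrected pattern: size the buffer to what this append actually needs,
 * keeping BSIZE of slack, and guard the size arithmetic against wrap. */
static int loadbuf_fixed(struct growbuf *g, const char *text, size_t n)
{
    if (g->filled + n > g->len) {
        size_t want = g->filled + n + BSIZE;
        if (want < n)                   /* size_t wrap */
            return -1;
        char *p = realloc(g->buf, want);
        if (!p)
            return -1;
        g->buf = p;
        g->len = want;
    }
    memmove(g->buf + g->filled, text, n);
    g->filled += n;
    return 0;
}

/* Appends one constructed n-byte line (all 'A', standing in for an oversized
 * header line) into a fresh buffer with the given loader. Returns the
 * loader's result; if len_out is non-NULL it receives the final allocation. */
static int try_append(int (*loader)(struct growbuf *, const char *, size_t),
                      size_t n, size_t *len_out)
{
    struct growbuf g;
    int rc;
    char *line = malloc(n);
    if (!line || gb_init(&g) != 0) {
        free(line);
        return -1;
    }
    memset(line, 'A', n);
    rc = loader(&g, line, n);
    if (len_out)
        *len_out = g.len;
    gb_free(&g);
    free(line);
    return rc;
}

/* Allocation size left after try_append(), or 0 on allocation failure. */
static size_t capacity_after(int (*loader)(struct growbuf *, const char *, size_t),
                             size_t n)
{
    size_t len = 0;
    if (try_append(loader, n, &len) == -1)
        return 0;
    return len;
}

int main(void)
{
    size_t len;
    int rc = try_append(loadbuf_vulnerable, 300, &len);
    printf("vulnerable: 300-byte line -> rc=%d (1 = would overflow), allocation=%zu\n", rc, len);
    rc = try_append(loadbuf_fixed, 300, &len);
    printf("fixed:      300-byte line -> rc=%d, allocation=%zu\n", rc, len);
    return 0;
}
```

A 100- or 200-byte line is absorbed by the single 128-byte growth step, which is why ordinary mail never trips the bug; a 300-byte line arriving in one piece leaves the buffer at 256 bytes and the unguarded copy in the real code writes 44 bytes beyond the allocation. The corrected variant grows to 428 bytes for the same input.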

Comment 1 Herman Viaene 2017-10-20 15:19:33 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Followed test as per bug 14056 Comment 1; I will attach the mbox.bin here.
At CLI:
$ formail -s < ./mbox.bin
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
Path: g2news1.google.com!postnews.google.com!g44g2000cwa.googlegroups.com!not-for-mail
and some more "interesting" text.
Seems OK

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 2 Herman Viaene 2017-10-20 15:20:26 CEST
Created attachment 9742
testbox for formail
Comment 3 Lewis Smith 2017-10-27 16:03:19 CEST
Testing M6/64
Using the given input binary mbox (thanks Claire & Herman) as prescribed.
However:
"-s   The  input  will  be  split  up into separate mail messages, and piped into a program one by one ... If you omit the program, then formail will simply concatenate the split mails on stdout again."
Note that 'formail' is one of several programs in this package; the others are 'lockfile', 'mailstat', 'procmail' itself.

 https://bugzilla.redhat.com/show_bug.cgi?id=1500070#c4
shows the test for this bug, which does use 'formail' (via valgrind), so that is OK. It also indicates a PoC file, but this is (alas) not visibly available. The test is clear, and a good basis for confidence.

BEFORE the update: procmail-3.22-24.mga6
 $ formail -s < ./mbox.bin > before

AFTER the update: procmail-3.22-24.1.mga6
 $ formail -s < ./mbox.bin > after
The two output files start as shown in comment 1, and are identical.
Identical also to the input mbox.bin [see note above on -s option].

Validating this as it has one of each release & architecture.
Will do the advisory from comment 0, adding a Debian ref from the RedHat one. No CVE yet.

CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update

Comment 4 Mageia Robot 2017-10-30 20:24:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0392.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2017-11-22 19:38:19 CET
Debian has issued an advisory for this on November 19:
https://www.debian.org/security/2017/dsa-4041

It has been assigned CVE-2017-16844.

Summary: procmail new heap-based buffer overflow security issue => procmail new heap-based buffer overflow security issue (CVE-2017-16844)

