
Bug 522114 (CVE-2014-3618)

Summary: <mail-filter/procmail-3.22-r14: heap overflow in formail tool
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ab4bd, atoth, bjh-gentoobt, chris, gentoo, maintainer-needed, michael.nospam1, net-mail+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/09/03/8
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 638108    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2014-09-04 05:31:56 UTC
A heap overflow has been reported in procmail by Tavis Ormandy on the oss-security list:
http://www.openwall.com/lists/oss-security/2014/09/03/8

Depending on the configuration, this may be exploited remotely by sending a mail, so it should probably be considered quite severe. procmail hasn't seen a release in ages; a patch is in the above oss-security post.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 01:28:08 UTC
CVE-2014-3618 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3618):
  Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted email header, related to "unbalanced quotes."
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 17:52:12 UTC
@ Maintainer(s): Please apply https://sources.debian.net/src/procmail/3.22-25/debian/patches/27/
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 04:26:32 UTC
@Maintainers ping

Gentoo Security Padawan
ChrisADR
Comment 4 Larry the Git Cow gentoo-dev 2019-03-24 00:26:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31e0e8db9e641bbe158add9c6d4907f2c3eb2d57

commit 31e0e8db9e641bbe158add9c6d4907f2c3eb2d57
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-03-24 00:22:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-03-24 00:26:04 +0000

    mail-filter/procmail: revbump to fix longstanding vulnerabilities
    
    This patch is a combination of patches from the OSS ML and the Debian
    bug tracker.  Both patches and authors can be found in the below
    referenced bugs.
    
    Bug: https://bugs.gentoo.org/522114
    Bug: https://bugs.gentoo.org/638108
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 .../files/procmail-CVE-2014-3618-16844.patch       |  25 +++++
 mail-filter/procmail/procmail-3.22-r12.ebuild      | 123 +++++++++++++++++++++
 2 files changed, 148 insertions(+)
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-03-26 22:49:42 UTC
-r12 was dropped due to reports of CPU utilization due to loops
Comment 6 A Blamey 2019-03-28 09:32:14 UTC
I just had formail hang with -r13 - same as happened with -r12