A heap overflow has been reported in procmail by Tavis Ormandy on the oss-security list: http://www.openwall.com/lists/oss-security/2014/09/03/8 Depending on the configuration, this may be exploited remotely by sending a mail, so it should probably be considered quite severe. procmail hasn't seen a release in ages; a patch is in the above oss-security post.
CVE-2014-3618 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3618): Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to "unbalanced quotes."
@ Maintainer(s): Please apply https://sources.debian.net/src/procmail/3.22-25/debian/patches/27/
@Maintainers ping
Gentoo Security Padawan
ChrisADR
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31e0e8db9e641bbe158add9c6d4907f2c3eb2d57

commit 31e0e8db9e641bbe158add9c6d4907f2c3eb2d57
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-03-24 00:22:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-03-24 00:26:04 +0000

    mail-filter/procmail: revbump to fix longstanding vulnerabilities

    This patch is a combination of patches from the OSS ML and the Debian
    bug tracker. Both patches and authors can be found in the below
    referenced bugs.

    Bug: https://bugs.gentoo.org/522114
    Bug: https://bugs.gentoo.org/638108
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 .../files/procmail-CVE-2014-3618-16844.patch       |  25 +++++
 mail-filter/procmail/procmail-3.22-r12.ebuild      | 123 +++++++++++++++++++++
 2 files changed, 148 insertions(+)
-r12 was dropped due to reports of CPU utilization due to loops
I just had formail hang with -r13 - same as happened with -r12