Bug 522114 (CVE-2014-3618) - <mail-filter/procmail-3.22-r14: heap overflow in formail tool
Summary: <mail-filter/procmail-3.22-r14: heap overflow in formail tool
Alias: CVE-2014-3618
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2014-16844
Reported: 2014-09-04 05:31 UTC by Hanno Böck
Modified: 2019-04-06 16:43 UTC
Description Hanno Böck gentoo-dev 2014-09-04 05:31:56 UTC
A heap overflow has been reported in procmail by Tavis Ormandy on the oss-security list:

Depending on the configuration, this may be exploited remotely by sending a mail, so it should probably be considered quite severe. procmail hasn't seen a release in ages; a patch is in the above oss-security post.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 01:28:08 UTC
CVE-2014-3618:
  Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted email header, related to "unbalanced quotes."
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-01 17:52:12 UTC
@ Maintainer(s): Please apply
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 04:26:32 UTC
@Maintainers ping

Gentoo Security Padawan
Comment 4 Larry the Git Cow gentoo-dev 2019-03-24 00:26:14 UTC
The bug has been referenced in the following commit(s):

commit 31e0e8db9e641bbe158add9c6d4907f2c3eb2d57
Author:     Aaron Bauman <>
AuthorDate: 2019-03-24 00:22:31 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-03-24 00:26:04 +0000

    mail-filter/procmail: revbump to fix longstanding vulnerabilities
    This patch is a combination of patches from the OSS ML and the Debian
    bug tracker.  Both patches and authors can be found in the below
    referenced bugs.
    Signed-off-by: Aaron Bauman <>

 .../files/procmail-CVE-2014-3618-16844.patch       |  25 +++++
 mail-filter/procmail/procmail-3.22-r12.ebuild      | 123 +++++++++++++++++++++
 2 files changed, 148 insertions(+)
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-26 22:49:42 UTC
-r12 was dropped due to reports of CPU utilization due to loops
Comment 6 A Blamey 2019-03-28 09:32:14 UTC
I just had formail hang with -r13 - same as happened with -r12