Hello community,
here is the log from the commit of package procmail for openSUSE:Factory checked in at 2014-10-14 07:12:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/procmail (Old)
and /work/SRC/openSUSE:Factory/.procmail.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "procmail"
Changes:
--------
--- /work/SRC/openSUSE:Factory/procmail/procmail.changes 2013-04-18 15:00:36.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.procmail.new/procmail.changes 2014-10-14 07:12:59.000000000 +0200
@@ -1,0 +2,15 @@
+Thu Sep 4 13:32:42 UTC 2014 - werner@suse.de
+
+- Correct licenses
+- Add cflags() shell function to be able to check for compiler,
+ linker, and assembler flags, that is if those are supported by
+ the compiler, linker, or assembler.
+
+-------------------------------------------------------------------
+Thu Sep 4 08:39:12 UTC 2014 - werner@suse.de
+
+- Add patch procmail-3.22-CVE-2014-3618.patch to fix heap-overflow
+ in procmail's formail utility when processing specially-crafted
+ email headers (bnc#894999, CVE-2014-3618)
+
+-------------------------------------------------------------------
New:
----
procmail-3.22-CVE-2014-3618.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ procmail.spec ++++++
--- /var/tmp/diff_new_pack.0ExfVE/_old 2014-10-14 07:13:00.000000000 +0200
+++ /var/tmp/diff_new_pack.0ExfVE/_new 2014-10-14 07:13:00.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package procmail
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,8 @@
Patch4: procmail-%{version}-owl-truncate.dif
Patch5: procmail-%{version}-autoconf.dif
Patch6: procmail-%{version}-ipv6.patch
+# PATCH-FIX-SUSE Heap-overflow in procmail's formail utility when processing specially-crafted email headers (bnc#894999)
+Patch7: procmail-%{version}-CVE-2014-3618.patch
BuildRequires: pcre-devel
BuildRequires: postfix
%if %suse_version >= 1230
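Review bot: The tag comment on Patch7 names the bug number but not the CVE or who wrote the patch, which the openSUSE patch-comment convention expects so that later maintainers can match the patch to advisories without opening it; `# PATCH-FIX-SUSE procmail-3.22-CVE-2014-3618.patch bnc#894999 CVE-2014-3618 werner@suse.de -- heap overflow in formail header parsing` carries that in one line. If this is the same change other distributions ship for CVE-2014-3618, PATCH-FIX-UPSTREAM would be the more accurate tag, but that is not visible from here.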
@@ -56,21 +58,62 @@
echo Patch $p
patch -s -p1 --fuzz=0 < $p
done
-%patch0 -b .mailstat
-%patch1
-%patch2
-%patch3
-%patch4
-%patch5
-%patch6 -p1 -b .ipv6
+%patch0 -p0
+%patch1 -p0
+%patch2 -p0
+%patch3 -p0
+%patch4 -p0
+%patch5 -p0
+%patch6 -p1
+%patch7 -p0
sed -ri '\@^/\*@,\@\*/@{ s@^(/\*[^*]*)(/\*)@\1\*/ \2@; }' config.h
sed -ri '\@^/\*@,\@\*/@{ s@^(/\*[^*]*)(/\*)@\1\*/ \2@; }' src/includes.h
sed -ri '\@^#.*[[:blank:]]+/\*[^/]*$@M,\@\*/$@{ s@(^[[:blank:]]+)/\*@\1 @;}' src/includes.h
%build
- RPM_OPT_FLAGS="-std=c89 %{optflags} -Wno-parentheses -Wno-sign-compare -Wno-unprototyped-calls"
- export RPM_OPT_FLAGS
- make %{?_smp_mflags} XCFLAGS="-fno-strict-aliasing -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" MANDIR=%{_mandir} LDFLAGS0=
+ cflags ()
+ {
+ local flag=$1; shift
+ local var=$1; shift
+ local gold
+ test -n "${flag}" -a -n "${var}" || return
+ case "${!var}" in
+ *${flag}*) return
+ esac
+ if type ld.gold > /dev/null 2>&1 ; then
+ gold=-Wl,-fuse-ld=gold
+ fi
+ set -o noclobber
+ case "$flag" in
+ -Wl,*)
+ if echo 'int main () { return 0; }' | \
+ ${CC:-gcc} -Werror $gold $flag -o /dev/null -xc - > /dev/null 2>&1 ; then
+ eval $var=\${$var:+\$$var\ }$flag
+ fi
+ rm -f ldtest.c
+ ;;
+ *)
+ if ${CC:-gcc} -Werror $gold $flag -S -o /dev/null -xc /dev/null > /dev/null 2>&1 ; then
+ eval $var=\${$var:+\$$var\ }$flag
+ fi
+ if ${CXX:-g++} -Werror $gold $flag -S -o /dev/null -xc++ /dev/null > /dev/null 2>&1 ; then
+ eval $var=\${$var:+\$$var\ }$flag
+ fi
+ esac
+ set +o noclobber
+ }
+ RPM_OPT_FLAGS="%{optflags}"
+ XCFLAGS="$(getconf LFS_CFLAGS)"
+ cflags -std=c89 RPM_OPT_FLAGS
+ cflags -Wno-parentheses RPM_OPT_FLAGS
+ cflags -Wno-sign-compare RPM_OPT_FLAGS
+ cflags -Wno-unprototyped-calls RPM_OPT_FLAGS
+ cflags -pipe RPM_OPT_FLAGS
+ cflags -fno-strict-aliasing XCFLAGS
+ cflags -Wl,-O2 LDFLAGS0
+ cflags -Wl,--hash-size=8599 LDFLAGS0
+ export RPM_OPT_FLAGS XCFLAGS LDFLAGS0
+ make %{?_smp_mflags} XCFLAGS="${XCFLAGS}" MANDIR=%{_mandir} LDFLAGS0="${LDFLAGS0}"
%install
mkdir -p %{buildroot}%{_mandir}/man{1,5} %{buildroot}%{_prefix}/bin
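Review bot: `gold=-Wl,-fuse-ld=gold` hands `-fuse-ld=gold` to the linker rather than the gcc driver; -fuse-ld is a driver option, so on a host where ld.gold is installed both probes are likely to fail under -Werror and neither LDFLAGS0 flag would be added — presumably `gold=-fuse-ld=gold` was meant. In the `*)` arm the flag is appended once after the C probe and again after the C++ probe, so any option both compilers accept (e.g. -Wno-parentheses) ends up twice in RPM_OPT_FLAGS; probe the two with `||` and append once. `rm -f ldtest.c` removes a file nothing creates (the link probe reads its source from stdin) and can go, and `set +o noclobber` unconditionally clears an option the caller may have had on. As far as I recall gcc accepts unknown `-Wno-*` options silently unless another diagnostic fires, so the probe for -Wno-unprototyped-calls probably passes on any compiler; if the check is meant to be meaningful, probe the positive `-Wunprototyped-calls` form instead.
```shell
 cflags ()
 {
   # … unchanged: argument checks, duplicate-flag guard …
   if type ld.gold > /dev/null 2>&1 ; then
     gold=-fuse-ld=gold   # driver option; -Wl, would pass it to ld itself
   fi
   case "$flag" in
   -Wl,*)
     if echo 'int main () { return 0; }' | \
        ${CC:-gcc} -Werror $gold $flag -o /dev/null -xc - > /dev/null 2>&1 ; then
       eval $var=\${$var:+\$$var\ }$flag
     fi
     ;;
   *)
     # append once if either front end accepts the flag
     if ${CC:-gcc} -Werror $gold $flag -S -o /dev/null -xc /dev/null > /dev/null 2>&1 || \
        ${CXX:-g++} -Werror $gold $flag -S -o /dev/null -xc++ /dev/null > /dev/null 2>&1 ; then
       eval $var=\${$var:+\$$var\ }$flag
     fi
   esac
 }
```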
@@ -79,6 +122,7 @@
%files
%defattr(-,root,root)
+%doc Artistic COPYING
%doc FAQ FEATURES README examples
%{_bindir}/formail
%{_bindir}/lockfile
++++++ procmail-3.22-CVE-2014-3618.patch ++++++
BNC#894999 - VUL-0: procmail: CVE-2014-3618 procmail: Heap-overflow in
procmail's formail utility when processing specially-crafted email headers
---
src/formisc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- src/formisc.c
+++ src/formisc.c 2014-09-04 08:27:31.827152957 +0000
@@ -83,13 +83,14 @@ normal: *target++= *start++;
break;
case '"':*target++=delim='"';start++;
}
- ;{ int i;
- do
+ {
+ while(*start) /* anything? */
+ { int i;
if((i= *target++= *start++)==delim) /* corresponding delimiter? */
break;
else if(i=='\\'&&*start) /* skip quoted character */
*target++= *start++;
- while(*start); /* anything? */
+ }
}
hitspc=2;
}
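Review bot: The patch carries no comment on why replacing the do-while with a while is the fix, which the next reader of formisc.c will want: the removed do-while ran its body once even when `*start` was already the terminating NUL, copying that NUL into target and stepping start past the end of the header string, after which `while(*start)` read beyond it. A one-line comment above the new loop such as `/* test before copy: an empty remainder must not advance start past the NUL (CVE-2014-3618) */` would record that. The enclosing function starts outside the hunk, so the buffer sizing that makes this a heap overflow rather than a plain over-read is not visible here; the patch header is the only record of it. The spec adds no %check, so nothing exercises formail on a crafted header after the build — worth a follow-up if a reproducer is available.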
++++++ procmail.keyring ++++++
--- /var/tmp/diff_new_pack.0ExfVE/_old 2014-10-14 07:13:00.000000000 +0200
+++ /var/tmp/diff_new_pack.0ExfVE/_new 2014-10-14 07:13:00.000000000 +0200
@@ -1,16 +1,16 @@
+pub 1024R/4A25D351 1999-02-09
+uid Procmail Distribution