mail-mta/exim: add patch for CVE-2017-16944, bug #638772

Original patch is slightly adjusted to the 4.98 codebase in order to
apply.

Bug: https://bugs.gentoo.org/638772
Package-Manager: Portage-2.3.13, Repoman-2.3.3

diff --git a/mail-mta/exim/exim-4.89-r4.ebuild b/mail-mta/exim/exim-4.89-r5.ebuild
similarity index 99%
rename from mail-mta/exim/exim-4.89-r4.ebuild
rename to mail-mta/exim/exim-4.89-r5.ebuild
index 14b6181d4cb49ca23ef523442083c9efc4b427cf..c6da0e48afc0d5c78c6ab7208381b8a94201966a 100644 (file)
--- a/mail-mta/exim/exim-4.89-r4.ebuild
+++ b/mail-mta/exim/exim-4.89-r5.ebuild
@@ -98,6 +98,7 @@ src_prepare() {
        epatch "${FILESDIR}"/${P}-transport-crash.patch # from git/in next release
        epatch "${FILESDIR}"/${P}-address-expando-crash.patch # from git/in next release
        epatch "${FILESDIR}"/${P}-CVE-2017-16943.patch # from git/in next release
+       epatch "${FILESDIR}"/${P}-CVE-2017-16944.patch # from git/in next release
 
        if use maildir ; then
                epatch "${FILESDIR}"/exim-4.20-maildir.patch

diff --git a/mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch b/mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch
new file mode 100644 (file)
index 0000000..285a617
--- /dev/null
+++ b/mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch
@@ -0,0 +1,57 @@
+From 178ecb70987f024f0e775d87c2f8b2cf587dd542 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
+Date: Mon, 27 Nov 2017 22:42:33 +0100
+Subject: [PATCH] Chunking: do not treat the first lonely dot special.
+ CVE-2017-16944, Bug 2201
+
+Modified to apply on 4.89-gentoo
+
+---
+ src/src/receive.c | 2 +-
+ src/src/smtp_in.c | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/src/receive.c b/src/src/receive.c
+index 541eba1..417e975 100644
+--- a/src/src/receive.c
++++ b/src/src/receive.c
+@@ -1865,7 +1865,7 @@ for (;;)
+   prevent further reading), and break out of the loop, having freed the
+   empty header, and set next = NULL to indicate no data line. */
+ 
+-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
++  if (ptr == 0 && ch == '.' && dot_ends)
+     {
+     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (ch == '\r')
+diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
+index 1fdb705..0aabc53 100644
+--- a/src/src/smtp_in.c
++++ b/src/src/smtp_in.c
+@@ -5094,16 +5094,23 @@ while (done <= 0)
+       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+                                   (int)chunking_state, chunking_data_left);
+ 
++      /* push the current receive_* function on the "stack", and
++      replace them by bdat_getc(), which in turn will use the lwr_receive_*
++      functions to do the dirty work. */
+       lwr_receive_getc = receive_getc;
+       lwr_receive_ungetc = receive_ungetc;
++
+       receive_getc = bdat_getc;
+       receive_ungetc = bdat_ungetc;
+ 
++      dot_ends = FALSE;
++
+       goto DATA_BDAT;
+       }
+ 
+     case DATA_CMD:
+     HAD(SCH_DATA);
++    dot_ends = TRUE;
+ 
+     DATA_BDAT:                /* Common code for DATA and BDAT */
+     if (!discarded && recipients_count <= 0)
+-- 
+1.9.1
+