Bug 193560

Summary: [patch] mail/procmail: CVE-2014-3618 Heap-overflow in procmail's formail utility
Product: Ports & Packages Reporter: martin
Component: Individual Port(s)Assignee: Po-Chuan Hsieh <sunpoet>
Status: Closed FIXED    
Severity: Affects Many People CC: arved
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
Patch none

Description martin 2014-09-11 13:20:55 UTC 
The attached patch (based on the one in Fedora 20 and Tavis Ormandy's patch at http://www.openwall.com/lists/oss-security/2014/09/03/8) fixes CVE-2014-3618.

I've not managed to repeat the crash in Fedora's bug report #1121299, but the code definitely overflows the buffer.
Comment 1 martin 2014-09-11 13:21:34 UTC 
Created attachment 147218 [details]
Patch
Comment 2 Tilman Keskinoz freebsd_committer freebsd_triage 2014-09-11 15:27:18 UTC 
over to maintainer
Comment 3 Po-Chuan Hsieh freebsd_committer freebsd_triage 2014-09-12 15:01:21 UTC 
It's fixed in r368009 (head) and r368028 (2014Q3). Thanks!