[exim/f19] Only expand integers for integer math once
Jaroslav Škarvada
jskarvad at fedoraproject.org
Wed Jul 23 18:12:43 UTC 2014
commit 24387fbdea99843a7ec62a6ef565077da010b020
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date: Wed Jul 23 20:12:35 2014 +0200
Only expand integers for integer math once
Resolves: CVE-2014-2972
exim-4.80.1-CVE-2014-2972.patch | 64 +++++++++++++++++++++++++++++++++++++++
exim.spec | 8 ++++-
2 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/exim-4.80.1-CVE-2014-2972.patch b/exim-4.80.1-CVE-2014-2972.patch
new file mode 100644
index 0000000..e8d5426
--- /dev/null
+++ b/exim-4.80.1-CVE-2014-2972.patch
@@ -0,0 +1,64 @@
+diff --git a/src/expand.c b/src/expand.c
+index 84167b6..ed38f7e 100644
+--- a/src/expand.c
++++ b/src/expand.c
+@@ -14,6 +14,7 @@
+ /* Recursively called function */
+
+ static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL);
++static int_eximarith_t expanded_string_integer(uschar *, BOOL);
+
+ #ifdef STAND_ALONE
+ #ifndef SUPPORT_CRYPTEQ
+@@ -2115,7 +2116,7 @@ switch(cond_type)
+ }
+ else
+ {
+- num[i] = expand_string_integer(sub[i], FALSE);
++ num[i] = expanded_string_integer(sub[i], FALSE);
+ if (expand_string_message != NULL) return NULL;
+ }
+ }
+@@ -5932,7 +5933,7 @@ while (*s != 0)
+ int_eximarith_t max;
+ uschar *s;
+
+- max = expand_string_integer(sub, TRUE);
++ max = expanded_string_integer(sub, TRUE);
+ if (expand_string_message != NULL)
+ goto EXPAND_FAILED;
+ s = string_sprintf("%d", vaguely_random_number((int)max));
+@@ -6129,8 +6130,32 @@ Returns: the integer value, or
+ int_eximarith_t
+ expand_string_integer(uschar *string, BOOL isplus)
+ {
++return expanded_string_integer(expand_string(string), isplus);
++}
++
++
++/*************************************************
++ * Interpret string as an integer *
++ *************************************************/
++
++/* Convert a string (that has already been expanded) into an integer.
++
++This function is used inside the expansion code.
++
++Arguments:
++ s the string to be expanded
++ isplus TRUE if a non-negative number is expected
++
++Returns: the integer value, or
++ -1 if string is NULL (which implies an expansion error)
++ -2 for an integer interpretation error
++ expand_string_message is set NULL for an OK integer
++*/
++
++static int_eximarith_t
++expanded_string_integer(uschar *s, BOOL isplus)
++{
+ int_eximarith_t value;
+-uschar *s = expand_string(string);
+ uschar *msg = US"invalid integer \"%s\"";
+ uschar *endptr;
+
diff --git a/exim.spec b/exim.spec
index af56c1b..f96b097 100644
--- a/exim.spec
+++ b/exim.spec
@@ -14,7 +14,7 @@
Summary: The exim mail transfer agent
Name: exim
Version: 4.80.1
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Url: http://www.exim.org/
Group: System Environment/Daemons
@@ -62,6 +62,7 @@ Patch21: exim-4.63-localhost-is-local.patch
Patch22: exim-4.66-greylist-conf.patch
Patch23: exim-4.67-smarthost-config.patch
Patch25: exim-4.69-dynlookup-config.patch
+Patch26: exim-4.80.1-CVE-2014-2972.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private
Requires: /etc/aliases
@@ -215,6 +216,7 @@ greylisting unconditional.
%patch22 -p1 -b .grey
%patch23 -p1 -b .smarthost
%patch25 -p1 -b .dynconfig
+%patch26 -p1 -b .CVE-2014-2972
cp src/EDITME Local/Makefile
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@@ -602,6 +604,10 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
%{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog
+* Wed Jul 23 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 4.80.1-4
+- Only expand integers for integer math once
+ Resolves: CVE-2014-2972
+
* Tue Feb 26 2013 Jaroslav Škarvada <jskarvad at redhat.com> - 4.80.1-3
- Switched to systemd-rpm macros
Resolves: rhbz#850102
More information about the scm-commits
mailing list