Hi Santiago, hi Jakub,
On Thu, Nov 16, 2017 at 10:35:05PM +0100, Santiago Vila wrote:
> On Sat, Sep 23, 2017 at 12:24:35AM +0200, Jakub Wilk wrote:
> > Package: procmail
> > Version: 3.22-25+b1
> > Tags: security
> >
> > formail crashes on the attached file:
> >
> > $ zcat overflow.822.gz | formail -r
> > *** Error in `formail': corrupted size vs. prev_size: 0x584565a8 ***
> > ...
> > Aborted
> >
> > I believe the culprit is the loadbuf() function. It looks like this:
> >
> > void loadbuf(text,len)const char*const text;const size_t len;
> > { if(buffilled+len>buflen)                 /* buf can't hold the text */
> >     buf=realloc(buf,buflen+=Bsize);
> >   tmemmove(buf+buffilled,text,len);buffilled+=len;
> > }
> >
> > When the buffer is too small, the function tries to resize it, but only by
> > Bsize (=128) bytes. This is not necessarily enough.
>
> Thanks for the report and sorry for my late reply.
>
> Based on your analysis, it would seem that keeping trying the realloc
> until the condition inside the if becomes false would fix this.
>
> I don't have an i386 system around. Can you try the following
> (trivial) attached patch?
>
> Salvatore: If this patch solves the issue and I upload it for unstable,
> would you like me to care/help about stable as well?
> (following your indications).
It's possibly fine to fix this via a DSA, although I'm not sure if
it's limited to denial-of-service. Can you propose debdiffs for
jessie-security and stretch-security to [email protected]?
Regards,
Salvatore
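As an added example (my own code, not the patch from this thread and not formail's source), the growth bug is shown as two C functions: original_growth_insufficient() reports, arithmetically and without performing any write, when the report's single Bsize realloc step would leave the buffer too small for an append, and loadbuf_fixed() is the loop-until-it-fits variant Santiago describes. The names buf, buflen, buffilled and Bsize follow the report; reset_buf, loadbuf_capacity, original_growth_insufficient and loadbuf_fixed are mine, and the realloc failure handling is an addition the quoted original does not have.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define Bsize 128   /* formail's growth step, as quoted in the report */

/* Buffer state with the report's names; file-static for this example. */
static char *buf = NULL;
static size_t buflen = 0, buffilled = 0;

void reset_buf(void) { free(buf); buf = NULL; buflen = 0; buffilled = 0; }
size_t loadbuf_capacity(void) { return buflen; }

/* Returns 1 when the original loadbuf(), which grows by exactly one Bsize,
 * would still be too small after that growth: filled+len > cap+Bsize.
 * Pure arithmetic on the sizes, so nothing is written out of bounds. */
int original_growth_insufficient(size_t filled, size_t cap, size_t len)
{
    if (filled + len <= cap)
        return 0;                       /* fits, no realloc needed */
    return filled + len > cap + Bsize;  /* one Bsize step is not enough */
}

/* Fixed variant along the lines Santiago proposes: keep reallocating in
 * Bsize steps until the text fits, then copy. Returns the new fill level.
 * Unlike the quoted original it keeps the old pointer if realloc fails. */
size_t loadbuf_fixed(const char *text, size_t len)
{
    while (buffilled + len > buflen) {
        char *nb = realloc(buf, buflen + Bsize);
        if (nb == NULL) {
            perror("realloc");
            exit(EXIT_FAILURE);
        }
        buf = nb;
        buflen += Bsize;
    }
    memmove(buf + buffilled, text, len);
    buffilled += len;
    return buffilled;
}
```

With an empty buffer, a 300-byte line makes original_growth_insufficient() return 1 (128 bytes after one step is not enough), while loadbuf_fixed() ends with a 384-byte buffer holding all 300 bytes.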