Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Dear release managers: There was a NULL pointer dereference fix in
procmail which I've just applied to bullseye as well. There is no CVE
for this, but nevertheless it's the type of bug I don't want to see in
stable.
The patch was taken from the author's git repository and it has been
working in testing/unstable for several months now.
The debdiff is attached.
(I will also try to upload for buster before its final release)
Thanks.
diff -Nru procmail-3.22/debian/changelog procmail-3.22/debian/changelog
--- procmail-3.22/debian/changelog 2017-11-16 23:42:36.000000000 +0100
+++ procmail-3.22/debian/changelog 2022-07-02 13:20:00.000000000 +0200
@@ -1,3 +1,11 @@
+procmail (3.22-26+deb11u1) unstable; urgency=medium
+
+ * Fix NULL pointer dereference. Closes: #769938.
+ Reported by Jakub Wilk using American Fuzzy Lop.
+ Patch from Stephen R. van den Berg.
+
+ -- Santiago Vila <sanv...@debian.org> Sat, 02 Jul 2022 13:20:00 +0200
+
procmail (3.22-26) unstable; urgency=medium
* Fix buffer overflow in loadbuf(). Closes: #876511.
diff -Nru procmail-3.22/debian/patches/31 procmail-3.22/debian/patches/31
--- procmail-3.22/debian/patches/31 1970-01-01 01:00:00.000000000 +0100
+++ procmail-3.22/debian/patches/31 2022-07-02 12:32:00.000000000 +0200
@@ -0,0 +1,19 @@
+From: Stephen R. van den Berg <s...@cuci.nl>
+Subject: Cater for mails containing an incomplete From_ line.
+Bug-Debian: http://bugs.debian.org/769938
+X-Debian-version: 3.22-27
+
+--- a/src/from.c
++++ b/src/from.c
+@@ -117,7 +117,10 @@
+ themail.p[extra]='\0'; /* terminate it for strchr */
+ }
+ while(!(rstart=strchr(themail.p,'\n')));
+- extra=rstart?extra-(++rstart-themail.p):0;
++ if (rstart)
++ extra -= ++rstart - themail.p;
++ else
++ extra = 0, rstart = themail.p;
+ }
+ else
+ { size_t tfrl= ++rstart-themail.p; /* length of existing From_ line */
diff -Nru procmail-3.22/debian/patches/series
procmail-3.22/debian/patches/series
--- procmail-3.22/debian/patches/series 2017-11-16 23:41:45.000000000 +0100
+++ procmail-3.22/debian/patches/series 2022-07-02 12:00:00.000000000 +0200
@@ -29,3 +29,4 @@
28
29
30
+31