Debian Bug report logs -
#760443
procmail: CVE-2014-3618: Heap-overflow in formail when processing specially-crafted email headers
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 4 Sep 2014 06:42:07 UTC
Severity: grave
Tags: help, patch, security, upstream
Merged with 704675
Found in version procmail/3.22-19
Fixed in versions procmail/3.22-22, procmail/3.22-20+deb7u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Forwarded to bug@procmail.org
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#760443; Package src:procmail.
(Thu, 04 Sep 2014 06:42:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Santiago Vila <sanvila@debian.org>.
(Thu, 04 Sep 2014 06:42:12 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: procmail
Version: 3.22-19
Severity: grave
Tags: security patch upstream
Hi,
the following vulnerability was published for procmail.
CVE-2014-3618[0]:
Heap-overflow in procmail's formail utility when processing specially-crafted email headers
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-3618
[1] http://www.openwall.com/lists/oss-security/2014/09/03/8
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#760443; Package src:procmail.
(Thu, 04 Sep 2014 09:24:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(Thu, 04 Sep 2014 09:24:04 GMT) (full text, mbox, link).
Message #10 received at 760443@bugs.debian.org (full text, mbox, reply):
On Thu, Sep 04, 2014 at 08:40:23AM +0200, Salvatore Bonaccorso wrote:
> Source: procmail
> Version: 3.22-19
> Severity: grave
> Tags: security patch upstream
>
> Hi,
>
> the following vulnerability was published for procmail.
>
> CVE-2014-3618[0]:
> Heap-overflow in procmail's formail utility when processing specially-crafted email headers
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-3618
> [1] http://www.openwall.com/lists/oss-security/2014/09/03/8
Seems the same bug as #704675. I'll check.
Information forwarded
to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#760443; Package src:procmail.
(Thu, 04 Sep 2014 10:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(Thu, 04 Sep 2014 10:03:04 GMT) (full text, mbox, link).
Message #15 received at 760443@bugs.debian.org (full text, mbox, reply):
Checked: Yes, it is the same as this bug:
http://bugs.debian.org/704675
I'll fix them both in unstable with urgency=high.
Information forwarded
to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#760443; Package src:procmail.
(Thu, 04 Sep 2014 10:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(Thu, 04 Sep 2014 10:39:05 GMT) (full text, mbox, link).
Message #20 received at 760443@bugs.debian.org (full text, mbox, reply):
Hello security people.
I've just fixed this in procmail 3.22-22 in unstable.
The quilt patch is debian/patches/27.
If there is anything else I could/should do, please say so.
Thanks.
Reply sent
to Santiago Vila <sanvila@debian.org>:
You have taken responsibility.
(Thu, 04 Sep 2014 10:39:21 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 04 Sep 2014 10:39:21 GMT) (full text, mbox, link).
Message #25 received at 760443-close@bugs.debian.org (full text, mbox, reply):
Source: procmail
Source-Version: 3.22-22
We believe that the bug you reported is fixed in the latest version of
procmail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 760443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated procmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 04 Sep 2014 12:08:36 +0200
Source: procmail
Binary: procmail
Architecture: source amd64
Version: 3.22-22
Distribution: unstable
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
procmail - Versatile e-mail processor
Closes: 704675 760443
Changes:
procmail (3.22-22) unstable; urgency=high
.
* Fixed heap overflow in formail that made it to crash on messages
having specially-crafted headers. Closes: #704675, #760443.
For reference, this is CVE-2014-3618.
Checksums-Sha1:
43e8f9ff06b0572fcb8afd17083d124001c0f32f 1305 procmail_3.22-22.dsc
0a38ce2fe38b29804064fcb02fa580adc474cb13 18988 procmail_3.22-22.debian.tar.xz
5509fb7cb673011e787086972824c39789e1a95e 139360 procmail_3.22-22_amd64.deb
Checksums-Sha256:
4aaba7cd7fcc41122776e40dd12f8e7b9349f2f859c58cc8c9b37b939d764def 1305 procmail_3.22-22.dsc
6db7a8d52790d67aa15d2dd300bd98de59f3b45c3bb3cab22aebaa7353c25aba 18988 procmail_3.22-22.debian.tar.xz
cc36693da55d36efc728ce3ee4842148c3aca375cc00d1204509efedec365fe5 139360 procmail_3.22-22_amd64.deb
Files:
a4d93182abf78b6361f10269a83dcf2f 139360 mail standard procmail_3.22-22_amd64.deb
e53bf80a6f27523350a1240bf8002c4c 1305 mail standard procmail_3.22-22.dsc
754c7bbf4dd3ca09abe6d160d5d18f2d 18988 mail standard procmail_3.22-22.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJUCDwUAAoJEEHOfwufG4syuigH/2+b8Ee7KYHe5kJXsXThKqjN
wG113ERnOZ/AhzzExGBWxo/GTTBAwpdUgwi7wL0uuxuCZz1LTvqwEXvQ9/BXo446
0CVGe4M5rXmutjUnW9hIgLS2M0UGp1u+EmyF/xxo2JhW8JjfZoEVJ8rPBWfVtnub
o1NWkenAzPuv1x1B/8mcKWjwFLJdNygB0NyKY5XqE/A/0dqx6r/5hqaacd64OSNO
5ZD2vVrboYfzHAk2WfFXfwT0bx/uI7tZH5OYTOjRUn8ImGBiM6YvbiofA0tvz6eT
vOgIUsQPGpDCn+8vzYLC0QPVfU5XLWkUaHZkf5FOrW6Zy6yd2Cnwl3IwaxGVg8A=
=lNxB
-----END PGP SIGNATURE-----
Bug reassigned from package 'src:procmail' to 'procmail'.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:29 GMT) (full text, mbox, link).
No longer marked as found in versions procmail/3.22-19.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:30 GMT) (full text, mbox, link).
No longer marked as fixed in versions procmail/3.22-22.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:31 GMT) (full text, mbox, link).
Set Bug forwarded-to-address to 'bug@procmail.org'.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:32 GMT) (full text, mbox, link).
Severity set to 'important' from 'grave'
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:33 GMT) (full text, mbox, link).
Marked as fixed in versions procmail/3.22-22.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:34 GMT) (full text, mbox, link).
Marked as found in versions procmail/3.22-19.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:35 GMT) (full text, mbox, link).
Added tag(s) help.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:36 GMT) (full text, mbox, link).
Merged 704675 760443
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 11:57:38 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#760443; Package procmail.
(Thu, 04 Sep 2014 12:12:21 GMT) (full text, mbox, link).
Acknowledgement sent
to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(Thu, 04 Sep 2014 12:12:21 GMT) (full text, mbox, link).
Message #48 received at 760443@bugs.debian.org (full text, mbox, reply):
severity 704675 grave
thanks
The reason for this severity is "data loss".
However, I believe that if formail is used in this way in procmail recipes:
:0 fhw
| formail bla bla
then the "w" flag prevents data from being lost:
w Wait for the filter or program to finish and check its exitcode
(normally ignored); if the filter is unsuccessful, then
the text will not have been filtered.
Anyway, the security team has decided to fix this in stable, so there
is little point in discussing about bug severity.
Severity set to 'grave' from 'important'
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
(Thu, 04 Sep 2014 12:12:25 GMT) (full text, mbox, link).
Message #51 received at 704675-close@bugs.debian.org (full text, mbox, reply):
Source: procmail
Source-Version: 3.22-20+deb7u1
We believe that the bug you reported is fixed in the latest version of
procmail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 704675@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated procmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 04 Sep 2014 10:26:01 +0200
Source: procmail
Binary: procmail
Architecture: source amd64
Version: 3.22-20+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
procmail - Versatile e-mail processor
Closes: 704675 760443
Changes:
procmail (3.22-20+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2014-3618.patch.
CVE-2014-3618: Heap-overflow in formail when processing
specially-crafted email headers. (Closes: #704675, #760443)
Checksums-Sha1:
a319689ee111c4f976a02eee136ab73915752ba6 1674 procmail_3.22-20+deb7u1.dsc
cd4e44c15559816453fd60349e5a32289f6f2965 226817 procmail_3.22.orig.tar.gz
a7aa667547579929888debf0c7b8ca1e4e28d50f 18848 procmail_3.22-20+deb7u1.debian.tar.gz
ce4d05dbe1e6eb5fd9b0d9478ca50edeb9513989 159226 procmail_3.22-20+deb7u1_amd64.deb
Checksums-Sha256:
ec1febf9f0aa70ad9334ac756c5c73925c39967650f1d19ca2e4df781415c698 1674 procmail_3.22-20+deb7u1.dsc
087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117 226817 procmail_3.22.orig.tar.gz
5bc938cf5fce6260b612729749461656234ce5d16defec6ed8d2393a2cacd601 18848 procmail_3.22-20+deb7u1.debian.tar.gz
09686f52e47b7c4e632c0020ba76c90e9d7994e70799235a098d1120755402e8 159226 procmail_3.22-20+deb7u1_amd64.deb
Files:
962c045cd56412abb96ba9ae622e11ef 1674 mail standard procmail_3.22-20+deb7u1.dsc
1678ea99b973eb77eda4ecf6acae53f1 226817 mail standard procmail_3.22.orig.tar.gz
95409a61e10cc19acb5092dd0e746c00 18848 mail standard procmail_3.22-20+deb7u1.debian.tar.gz
241b8f88bcbc26421b1d71cbbd6ba4ce 159226 mail standard procmail_3.22-20+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJUCExzAAoJEAVMuPMTQ89E1zsQAIfTiAcqDkHcDBYOjkSexwwZ
RbOkrgWYiOfKhzwADJoWkoZt1LsWAbjm/b9A9dHxkAWDnV6P1fN9ZcWZGPPAxgH+
y13TBceaJTwlI77i0mkcB/b6ChfYrkie/QOtbFr8+MtIeKj+muVu9ohC5ORj53IP
Po0HPTXUXzGr//AB9CgtdhgAPuO8R59iRy7e8DQ0u8cTOIGrgWZ5cS95SVt+jOyd
keRzmMa4RT1oCriD1+kL4EuBAlNT1MDaMTecqC/hemh6E9UdIPtbh6d8Nrd3UBkT
6rgb8opXWpjt4CHDTTuGIPxYTLxqLwMnaX2SrPyHU54VdXzICoM+DNqwMtQCSHAF
NEvYkINCLJ72hG9TB74XWTNgu5xEnsfvnVuYWohkKWsUF3t/jlTVkKOnvbNl962D
koNigTHQj8xWcpuyjcH9hLETuFbG5bQHCrJWOAWfZRvh4+WKrZQTCj1ymqy61Ong
hKAXoPvTcJbFmklKPXteiZIwa1mJIuy36vuXgjIzMz8I0i1ERbAUEyCo4BJgmL4B
sWdfy0TdLhtZuDVDdP5opJHObWLb9eIx4DJLr4NH9zhJP6nFw8EorZ6tV3G3d289
25I+sRzdfIBEgEfYl1C7LbqbgnWSchhn076Ccj5rpoSSLEo3fVQXPaV/1H/qDEdR
0hMbqcx31C2EyJKXLZh4
=3eMR
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Thu, 04 Sep 2014 22:51:11 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 04 Sep 2014 22:51:11 GMT) (full text, mbox, link).
Message #56 received at 760443-close@bugs.debian.org (full text, mbox, reply):
Source: procmail
Source-Version: 3.22-20+deb7u1
We believe that the bug you reported is fixed in the latest version of
procmail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 760443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated procmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 04 Sep 2014 10:26:01 +0200
Source: procmail
Binary: procmail
Architecture: source amd64
Version: 3.22-20+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
procmail - Versatile e-mail processor
Closes: 704675 760443
Changes:
procmail (3.22-20+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2014-3618.patch.
CVE-2014-3618: Heap-overflow in formail when processing
specially-crafted email headers. (Closes: #704675, #760443)
Checksums-Sha1:
a319689ee111c4f976a02eee136ab73915752ba6 1674 procmail_3.22-20+deb7u1.dsc
cd4e44c15559816453fd60349e5a32289f6f2965 226817 procmail_3.22.orig.tar.gz
a7aa667547579929888debf0c7b8ca1e4e28d50f 18848 procmail_3.22-20+deb7u1.debian.tar.gz
ce4d05dbe1e6eb5fd9b0d9478ca50edeb9513989 159226 procmail_3.22-20+deb7u1_amd64.deb
Checksums-Sha256:
ec1febf9f0aa70ad9334ac756c5c73925c39967650f1d19ca2e4df781415c698 1674 procmail_3.22-20+deb7u1.dsc
087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117 226817 procmail_3.22.orig.tar.gz
5bc938cf5fce6260b612729749461656234ce5d16defec6ed8d2393a2cacd601 18848 procmail_3.22-20+deb7u1.debian.tar.gz
09686f52e47b7c4e632c0020ba76c90e9d7994e70799235a098d1120755402e8 159226 procmail_3.22-20+deb7u1_amd64.deb
Files:
962c045cd56412abb96ba9ae622e11ef 1674 mail standard procmail_3.22-20+deb7u1.dsc
1678ea99b973eb77eda4ecf6acae53f1 226817 mail standard procmail_3.22.orig.tar.gz
95409a61e10cc19acb5092dd0e746c00 18848 mail standard procmail_3.22-20+deb7u1.debian.tar.gz
241b8f88bcbc26421b1d71cbbd6ba4ce 159226 mail standard procmail_3.22-20+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJUCExzAAoJEAVMuPMTQ89E1zsQAIfTiAcqDkHcDBYOjkSexwwZ
RbOkrgWYiOfKhzwADJoWkoZt1LsWAbjm/b9A9dHxkAWDnV6P1fN9ZcWZGPPAxgH+
y13TBceaJTwlI77i0mkcB/b6ChfYrkie/QOtbFr8+MtIeKj+muVu9ohC5ORj53IP
Po0HPTXUXzGr//AB9CgtdhgAPuO8R59iRy7e8DQ0u8cTOIGrgWZ5cS95SVt+jOyd
keRzmMa4RT1oCriD1+kL4EuBAlNT1MDaMTecqC/hemh6E9UdIPtbh6d8Nrd3UBkT
6rgb8opXWpjt4CHDTTuGIPxYTLxqLwMnaX2SrPyHU54VdXzICoM+DNqwMtQCSHAF
NEvYkINCLJ72hG9TB74XWTNgu5xEnsfvnVuYWohkKWsUF3t/jlTVkKOnvbNl962D
koNigTHQj8xWcpuyjcH9hLETuFbG5bQHCrJWOAWfZRvh4+WKrZQTCj1ymqy61Ong
hKAXoPvTcJbFmklKPXteiZIwa1mJIuy36vuXgjIzMz8I0i1ERbAUEyCo4BJgmL4B
sWdfy0TdLhtZuDVDdP5opJHObWLb9eIx4DJLr4NH9zhJP6nFw8EorZ6tV3G3d289
25I+sRzdfIBEgEfYl1C7LbqbgnWSchhn076Ccj5rpoSSLEo3fVQXPaV/1H/qDEdR
0hMbqcx31C2EyJKXLZh4
=3eMR
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Thu, 04 Sep 2014 22:51:12 GMT) (full text, mbox, link).
Notification sent
to Boris 'pi' Piwinger <3.14@piology.org>:
Bug acknowledged by developer.
(Thu, 04 Sep 2014 22:51:12 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 19 Oct 2014 07:30:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:11:41 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon