X-Git-Url: http://git.hcoop.net/hcoop/debian/exim4.git/blobdiff_plain/ed7df6aed3350267779da0674e270711e5914e79..d1d56ac364669b9a323ad9494f96398ba502dac0:/debian/patches/82_Fix-base64d-buffer-size-CVE-2018-6789.patch

diff --git a/debian/patches/82_Fix-base64d-buffer-size-CVE-2018-6789.patch b/debian/patches/82_Fix-base64d-buffer-size-CVE-2018-6789.patch
new file mode 100644
index 0000000..146339c
--- /dev/null
+++ b/debian/patches/82_Fix-base64d-buffer-size-CVE-2018-6789.patch
@@ -0,0 +1,29 @@
+Description: Fix base64d() buffer size (CVE-2018-6789)
+ Credits for discovering this bug: Meh Chang <meh@devco.re>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/890000
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6789
+Forwarded: not-needed
+Author: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
+Last-Update: 2018-02-10
+---
+
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -152,10 +152,14 @@ static uschar dec64table[] = {
+ int
+ b64decode(uschar *code, uschar **ptr)
+ {
++
+ int x, y;
+-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
++uschar *result;
+ 
+-*ptr = result;
++{
++  int l = Ustrlen(code);
++  *ptr = result = store_get(1 + l/4 * 3 + l%4);
++}
+ 
+ /* Each cycle of the loop handles a quantum of 4 input bytes. For the last
+ quantum this may decode to 1, 2, or 3 output bytes. */