HCoop / hcoop / debian / exim4.git / blame
| Commit | Line | Data |
|---|---|---|
| d1e9e98a AM |
1 | From 2600301ba6dbac5c9d640c87007a07ee6dcea1f4 Mon Sep 17 00:00:00 2001 |
| 2 | From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> | |
| 3 | Date: Mon, 19 Aug 2019 14:45:48 +0200 | |
| 4 | Subject: [PATCH] string.c: do not interpret '\\' before '\0' (CVE-2019-15846) | |
| 5 | ||
| 6 | ||
| 7 | --- a/doc/ChangeLog | |
| 8 | +++ b/doc/ChangeLog | |
| 9 | @@ -4,6 +4,11 @@ This document describes *changes* to pre | |
| 10 | affect Exim's operation, with an unchanged configuration file. For new | |
| 11 | options, and new features, see the NewStuff file next to this ChangeLog. | |
| 12 | ||
| 13 | +Exim version 4.92.2 | |
| 14 | +------------------- | |
| 15 | + | |
| 16 | +HS/01 Handle trailing backslash gracefully. (CVE-2019-15846) | |
| 17 | + | |
| 18 | ||
| 01e60269 AM |
19 | Since version 4.92 |
| 20 | ------------------ | |
| d1e9e98a AM |
21 | --- a/src/string.c |
| 22 | +++ b/src/string.c | |
| 01e60269 | 23 | @@ -224,6 +224,8 @@ interpreted in strings. |
| d1e9e98a AM |
24 | Arguments: |
| 25 | pp points a pointer to the initiating "\" in the string; | |
| 26 | the pointer gets updated to point to the final character | |
| 27 | + If the backslash is the last character in the string, it | |
| 28 | + is not interpreted. | |
| 29 | Returns: the value of the character escape | |
| 30 | */ | |
| 31 | ||
| 01e60269 | 32 | @@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789 |
| d1e9e98a AM |
33 | int ch; |
| 34 | const uschar *p = *pp; | |
| 35 | ch = *(++p); | |
| 36 | +if (ch == '\0') return **pp; | |
| 37 | if (isdigit(ch) && ch != '8' && ch != '9') | |
| 38 | { | |
| 39 | ch -= '0'; | |
| 01e60269 AM |
40 | @@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count); |
| 41 | g->ptr = p + count; | |
| 42 | return g; | |
| 43 | } | |
| 44 | - | |
| 45 | - | |
| 46 | + | |
| 47 | + | |
| 48 | gstring * | |
| 49 | string_cat(gstring *string, const uschar *s) | |
| 50 | { |