From: Phil Pennock Date: Fri, 30 Oct 2020 00:42:40 +0000 (-0400) Subject: SECURITY: fix Qualys CVE-2020-PFPZA X-Git-Tag: exim-4.95-RC0~51^2~45 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/bafc62583bc4ded96e3a66d2fb98c9d7afaa8768?ds=inline;hp=cb08e2f59f2166660abc998a0554e64c61d4a0f5 SECURITY: fix Qualys CVE-2020-PFPZA (cherry picked from commit 29d7a8c25f182c91d5d30f124f9e296dce5c018e) (cherry picked from commit 0a6a7a3fd8464bae9ce0cf889e8eeb0bf0bab756) --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 07fba9c23..95b95e794 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -273,6 +273,9 @@ PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker providing a particularly obnoxious sender full name. Reported by Qualys. +pp/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() + + Exim version 4.94 ----------------- diff --git a/src/src/parse.c b/src/src/parse.c index 7dfb9a7eb..8d689e88a 100644 --- a/src/src/parse.c +++ b/src/src/parse.c @@ -984,6 +984,11 @@ if (i < len) /* No non-printers; use the RFC 822 quoting rules */ +if (!len) + { + return string_copy_taint_function("", is_tainted(phrase)); + } + buffer = store_get(len*4, is_tainted(phrase)); s = phrase;
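Review bot: the new entry in doc/doc-txt/ChangeLog is tagged `pp/06` in lower case while the entry directly above it uses `PP/05`; make it `PP/06` so the author tags stay consistent and searchable. The entry names only the bug class, so a short clause saying the fix is an early return for a zero-length phrase would let readers match it to the parse.c change. The commit subject still uses the placeholder id CVE-2020-PFPZA while this entry gives CVE-2020-28016; carrying the assigned number in the subject as well would make the commit easier to find from an advisory.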
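Review bot: the `if (!len)` guard added ahead of `buffer = store_get(len*4, is_tainted(phrase));` in src/src/parse.c carries no comment explaining why an empty phrase needs its own path. With len equal to zero the allocation below becomes `store_get(0, ...)`, which the ChangeLog entry ties to a heap out-of-bounds write, so a one-line comment to that effect would stop the guard from being removed later as apparently redundant. The check also covers only the exact value zero, and the `len*4` multiplication is unchecked in the lines shown, so it is worth confirming from the declaration of `len` (not visible in this hunk) that neither a negative value nor an overflowing product can reach the allocation.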