From 8378820dab0b6955fb0e2b27f24a1626f9124e5b Mon Sep 17 00:00:00 2001
From: Peter Marko <peter.marko@siemens.com>
Date: Fri, 27 Dec 2024 11:56:04 +0100
Subject: procmail: patch CVE-2014-3618

Take patch from Debian.
https://sources.debian.org/data/main/p/procmail/3.22-20%2Bdeb7u1/debian/patches/CVE-2014-3618.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 .../procmail/procmail/CVE-2014-3618.patch          | 29 ++++++++++++++++++++++
 meta-oe/recipes-support/procmail/procmail_3.22.bb  |  4 ++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch

diff --git a/meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch b/meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch
new file mode 100644
index 0000000000..b041924361
--- /dev/null
+++ b/meta-oe/recipes-support/procmail/procmail/CVE-2014-3618.patch
@@ -0,0 +1,29 @@
+Description: Fix heap-overflow in formail
+ CVE-2014-3618: Heap-overflow in formail when processing
+ specially-crafted email headers.
+Origin: http://www.openwall.com/lists/oss-security/2014/09/03/8
+Bug-Debian: https://bugs.debian.org/704675
+Bug-Debian: https://bugs.debian.org/760443
+Forwarded: not-needed
+Last-Update: 2014-09-04
+
+CVE: CVE-2014-3618
+Upstream-Status: Inactive-Upstream [lastrelease: 2001]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+--- a/src/formisc.c
++++ b/src/formisc.c
+@@ -84,12 +84,11 @@ normal:	   *target++= *start++;
+ 	case '"':*target++=delim='"';start++;
+       }
+      ;{ int i;
+-	do
++	while(*start)
+ 	   if((i= *target++= *start++)==delim)	 /* corresponding delimiter? */
+ 	      break;
+ 	   else if(i=='\\'&&*start)		    /* skip quoted character */
+ 	      *target++= *start++;
+-	while(*start);						/* anything? */
+       }
+      hitspc=2;
+    }
diff --git a/meta-oe/recipes-support/procmail/procmail_3.22.bb b/meta-oe/recipes-support/procmail/procmail_3.22.bb
index 3623bd7776..efe716ea51 100644
--- a/meta-oe/recipes-support/procmail/procmail_3.22.bb
+++ b/meta-oe/recipes-support/procmail/procmail_3.22.bb
@@ -12,7 +12,9 @@ SRC_URI = "http://www.ring.gr.jp/archives/net/mail/${BPN}/${BP}.tar.gz \
     file://from-debian-to-fix-compile-errors.patch \
     file://from-debian-to-modify-parameters.patch \
     file://from-debian-to-fix-man-file.patch \
-    file://man-file-mailstat.1-from-debian.patch"
+    file://man-file-mailstat.1-from-debian.patch \
+    file://CVE-2014-3618.patch \
+"
 SRC_URI[sha256sum] = "087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117"
 
 LICENSE = "GPL-2.0-only & Artistic-1.0"
-- 
cgit v1.2.3-54-g00ecf