Patch/Update procmail because of CVE-2014-3618

[sierkb@…]

CVE-2014-3618: Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to "unbalanced quotes."
​https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618,
​https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3618

Since Apple hast removed procmail from OS X since OS X 10.11 (see ​https://support.apple.com/de-de/HT205267), a most recent and security patched procmail provided by MacPorts might be wise.

Homebrew already has reacted accordingly: ​https://github.com/Homebrew/homebrew/pull/43686.

[ryandesign (Ryan Carsten Schmidt)]

CVE-2014-3618 appears to be from last year.

The Homebrew ticket you reference doesn't seem to talk about any CVE. It just seems to be the request to add a procmail package to Homebrew.

Part of their ticket seems to talk about using Apple's patched procmail sources instead of the 14-year-old version 3.22 that we currently use. Are you claiming that Apple has already fixed the problems mentioned in this CVE in their sources?

[sierkb@…]

Replying to ryandesign@…:

CVE-2014-3618 appears to be from last year.

Yes.

The Homebrew ticket you reference doesn't seem to talk about any CVE. It just seems to be the request to add a procmail package to Homebrew.

Yes. But I think, it's irrelevant for MacPorts. I've only mentioned Homebrew's action to highlight and stress, that there obviously seems to be a need for an up-to-date and security-fixed procmail on OS X. MacPorts already provides a procmail port (which this ticket is about to trigger an update to fix a security issue filed in CVE-2014-3618), Homebrew so far not provides procmail at all – until now.

Part of their ticket seems to talk about using Apple's patched procmail sources instead of the 14-year-old version 3.22 that we currently use.

Yes. See above. Sources to a fix (as it seems, it might be a very small fix) are given on the webpage of the CVE page of MITRE and NIST given above.

Are you claiming that Apple has already fixed the problems mentioned in this CVE in their sources?

No. Apple seems to have "fixed" it by entirely removing procmail instead of fixing it, and so from their point of view nothing more to fix for them, problem "solved":

procmail

Available for: Mac OS X v10.6.8 and later

Impact: Multiple vulnerabilities in procmail

Description: Multiple vulnerabilities existed in procmail versions prior to 3.22. These issues were addressed by removing procmail.

CVE-ID

CVE-2014-3618

[ryandesign (Ryan Carsten Schmidt)]

Replying to sierkb@…:

Sources to a fix (as it seems, it might be a very small fix) are given on the webpage of the CVE page of MITRE and NIST given above.

Could you give me the exact URL to the fix? I cannot find it.

Or, prepare a patch for the portfile and attach it to this ticket.

[sierkb@…]

Replying to ryandesign@…:

Could you give me the exact URL to the fix? I cannot find it.

​http://www.openwall.com/lists/oss-security/2014/09/03/8

Btw: it is the very first reference link given on CVE-2014-3618's CVE and MITRE webpage named above.

An equal patch file (patch-src-formisc.c) concerning the Heap-based buffer overflow in formisc.c addressed by CVE-2014-3618 on FreeBSDs ports collection:
​http://www.freshports.org/mail/procmail → ​http://svnweb.freebsd.org/ports?view=revision&revision=368009 → ​http://svnweb.freebsd.org/ports/head/mail/procmail/files/patch-src-formisc.c?view=markup&pathrev=368009

The same patch for FreeBSD's procmail on FreeBSD's GitHub repository:
​https://github.com/freebsd/freebsd-ports/blob/master/mail/procmail/files/patch-src-formisc.c

[neverpanic (Clemens Lang)]

Committed in r143284.