[MacPorts] #49044: Patch/Update procmail because of CVE-2014-3618
#49044: Patch/Update procmail because of CVE-2014-3618
----------------------+--------------------------------
 Reporter:  sierkb@…  |      Owner:  macports-tickets@…
     Type:  update    |     Status:  new
 Priority:  High      |  Milestone:
Component:  ports     |    Version:
 Keywords:  security  |       Port:  procmail
----------------------+--------------------------------
CVE-2014-3618: ''Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to "unbalanced quotes."''
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618],
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3618]

Since Apple has removed procmail from OS X since OS X 10.11 (see [https://support.apple.com/de-de/HT205267]), a most recent and security-patched procmail provided by MacPorts might be wise. Homebrew has already reacted accordingly: [https://github.com/Homebrew/homebrew/pull/43686].

--
Ticket URL: <https://trac.macports.org/ticket/49044>
MacPorts <https://www.macports.org/>
Ports system for OS X
Comment (by ryandesign@…):

CVE-2014-3618 appears to be from last year. The Homebrew ticket you reference doesn't seem to talk about any CVE. It just seems to be the request to add a procmail package to Homebrew. Part of their ticket seems to talk about using Apple's patched procmail sources instead of the 14-year-old version 3.22 that we currently use. Are you claiming that Apple has already fixed the problems mentioned in this CVE in their sources?

--
Ticket URL: <https://trac.macports.org/ticket/49044#comment:1>
Comment (by sierkb@…):

Replying to [comment:1 ryandesign@…]:
> CVE-2014-3618 appears to be from last year.

Yes.

> The Homebrew ticket you reference doesn't seem to talk about any CVE. It just seems to be the request to add a procmail package to Homebrew.

Yes. But I think it's irrelevant for MacPorts. I've only mentioned Homebrew's action to highlight and stress that there obviously seems to be a need for an up-to-date and security-fixed procmail on OS X. MacPorts already provides a procmail port (which this ticket is about to trigger an update to, to fix a security issue filed in CVE-2014-3618); Homebrew so far does not provide procmail at all – until now.

> Part of their ticket seems to talk about using Apple's patched procmail sources instead of the 14-year-old version 3.22 that we currently use.

Yes. See above. Sources to a fix (as it seems, it might be a very small fix) are given on the CVE webpages of MITRE and NIST given above.

> Are you claiming that Apple has already fixed the problems mentioned in this CVE in their sources?

No. Apple seems to have "fixed" it by entirely removing procmail instead of fixing it, and so from their point of view there is nothing more to fix for them, problem "solved":

procmail
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in procmail
Description: Multiple vulnerabilities existed in procmail versions prior to 3.22. These issues were addressed by ''removing'' procmail.
CVE-ID
CVE-2014-3618

--
Ticket URL: <https://trac.macports.org/ticket/49044#comment:2>
Changes (by ryandesign@…):

* cc: ryandesign@… (added)

Comment:

Replying to [comment:2 sierkb@…]:
> Sources to a fix (as it seems, it might be a very small fix) are given on the CVE webpages of MITRE and NIST given above.

Could you give me the exact URL to the fix? I cannot find it. Or, prepare a patch for the portfile and attach it to this ticket.

--
Ticket URL: <https://trac.macports.org/ticket/49044#comment:3>
Comment (by sierkb@…):

Replying to [comment:3 ryandesign@…]:
> Could you give me the exact URL to the fix? I cannot find it.

[http://www.openwall.com/lists/oss-security/2014/09/03/8]
Btw: it is the very first reference link given on CVE-2014-3618's CVE and MITRE webpage named above.

An equal patch file (''patch-src-formisc.c'') concerning the heap-based buffer overflow in formisc.c addressed by CVE-2014-3618 in FreeBSD's ports collection:
[http://www.freshports.org/mail/procmail] → [http://svnweb.freebsd.org/ports?view=revision&revision=368009] → [http://svnweb.freebsd.org/ports/head/mail/procmail/files/patch-src-formisc.c?view=markup&pathrev=368009]

The same patch for FreeBSD's procmail in FreeBSD's GitHub repository:
[https://github.com/freebsd/freebsd-ports/blob/master/mail/procmail/files/patch-src-formisc.c]

--
Ticket URL: <https://trac.macports.org/ticket/49044#comment:4>
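How a patch file like the one named above is wired into a MacPorts port, as an added example that is not the procmail Portfile committed for this ticket. It assumes patch-src-formisc.c has been copied into the port's files/ directory and that the port was at revision 0 before the change; unrelated Portfile lines (master_sites, checksums, build settings) are left out.

```tcl
# Added example, not the actual MacPorts procmail Portfile: only the lines
# relevant to shipping the CVE-2014-3618 fix are shown.
PortSystem          1.0

name                procmail
version             3.22
# Assumption: the port was at revision 0. Bumping the revision is what makes
# "port upgrade outdated" rebuild existing installs with the patched formisc.c,
# since the upstream version number stays 3.22.
revision            1
categories          mail

# patch-src-formisc.c lives in files/ next to the Portfile. MacPorts applies
# patches with "patch -p0" by default, which matches the "src/formisc.c"
# paths used by FreeBSD-style patch files, so patch.pre_args needs no override.
# If a hunk is rejected the patch phase fails and the port does not build,
# so an unpatched binary is never installed silently.
patchfiles          patch-src-formisc.c
```

After editing, `port lint procmail` checks the Portfile and `port -v patch procmail` shows each hunk being applied before any compilation starts.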
Changes (by cal@…):

* status: new => closed
* resolution: => fixed

Comment:

Committed in r143284.

--
Ticket URL: <https://trac.macports.org/ticket/49044#comment:5>