From 300e6ea624e95dc5f0fb9d33c646b81e24ae9470 Mon Sep 17 00:00:00 2001
From: Jaroslav Škarvada <jskarvad@redhat.com>
Date: Nov 27 2017 14:33:25 +0000
Subject: Fixed use-after-free

  Resolves: CVE-2017-16943

---

diff --git a/exim-4.89-CVE-2017-16943.patch b/exim-4.89-CVE-2017-16943.patch
new file mode 100644
index 0000000..bd3468d
--- /dev/null
+++ b/exim-4.89-CVE-2017-16943.patch
@@ -0,0 +1,27 @@
+diff --git a/src/receive.c b/src/receive.c
+index 7980c32..3246621 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -1772,8 +1772,8 @@ for (;;)
+   (and sometimes lunatic messages can have ones that are 100s of K long) we
+   call store_release() for strings that have been copied - if the string is at
+   the start of a block (and therefore the only thing in it, because we aren't
+-  doing any other gets), the block gets freed. We can only do this because we
+-  know there are no other calls to store_get() going on. */
++  doing any other gets), the block gets freed. We can only do this release if
++  there were no allocations since the once that we want to free. */
+ 
+   if (ptr >= header_size - 4)
+     {
+@@ -1782,9 +1782,10 @@ for (;;)
+     header_size *= 2;
+     if (!store_extend(next->text, oldsize, header_size))
+       {
++      BOOL release_ok = store_last_get[store_pool] == next->text;
+       uschar *newtext = store_get(header_size);
+       memcpy(newtext, next->text, ptr);
+-      store_release(next->text);
++      if (release_ok) store_release(next->text);
+       next->text = newtext;
+       }
+     }
diff --git a/exim.spec b/exim.spec
index 6891316..bb80178 100644
--- a/exim.spec
+++ b/exim.spec
@@ -14,7 +14,7 @@
 Summary: The exim mail transfer agent
 Name: exim
 Version: 4.89
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@@ -70,6 +70,7 @@ Patch29: exim-4.89-CVE-2017-1000369.patch
 # Backported from upstream:
 # https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
 Patch30: exim-4.89-calloutsize.patch
+Patch31: exim-4.89-CVE-2017-16943.patch
 
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@@ -219,6 +220,7 @@ greylisting unconditional.
 %patch28 -p1 -b .mariadb-10.2-compile-fix
 %patch29 -p1 -b .CVE-2017-1000369
 %patch30 -p1 -b .calloutsize
+%patch31 -p1 -b .CVE-2017-16943
 
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@@ -599,6 +601,10 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 
 %changelog
+* Mon Nov 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-6
+- Fixed use-after-free
+  Resolves: CVE-2017-16943
+
 * Fri Aug 18 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-5
 - Fixed compilation with the mariadb-10.2
   Resolves: rhbz#1467312