CVE-2017-16844 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Procmail

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122 — Heap-based Buffer Overflow10 documents8 sources

Severity

9.8CRITICALNVD

OSV7.5

EPSS

22.0%

top 4.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Procmail Debian Procmail Msrc Azl3 Procmail 3.22-53 ON Azure Linux 3.0 +5 more

Timeline

PublishedNov 16

Latest updateMay 14

Description

Heap-based buffer overflow in the loadbuf function in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted e-mail message because of a hardcoded realloc size, a different vulnerability than CVE-2014-3618.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages9 packages

▶debiandebian/procmail< procmail 3.22-26 (bookworm)

▶Debianprocmail/procmail< 3.22-26+3

▶NVDprocmail/procmail3.22

▶msrcmsrc/azl3_procmail_3.22-53_on_azure_linux_3.0

▶msrcmsrc/cbl2_procmail_3.22-53_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-4f62-c8fw-44pp: Heap-based buffer overflow in the loadbuf function in formisc↗2022-05-14

▶

OSV

CVE-2017-16844: Heap-based buffer overflow in the loadbuf function in formisc↗2017-11-16

▶

📋Vendor Advisories

Ubuntu

procmail vulnerability↗2017-11-21

▶

Ubuntu

procmail vulnerability↗2017-11-20

▶

Microsoft

▶

Red Hat

procmail: Heap-based buffer overflow in loadbuf function in formisc.c↗2017-09-22

▶

Debian

CVE-2017-16844: procmail - Heap-based buffer overflow in the loadbuf function in formisc.c in formail in pr...↗2017

▶

💬Community

Bugzilla

CVE-2017-16844 procmail: Heap-based buffer overflow in loadbuf function in formisc.c↗2017-10-09

▶

Bugzilla

CVE-2017-16844 procmail: Heap-based buffer overflow in loadbuf function in formisc.c [fedora-all]↗2017-10-09

▶