CVE-2017-16844

EUVD-2017-8018
Heap-based buffer overflow in the loadbuf function in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted e-mail message because of a hardcoded realloc size, a different vulnerability than CVE-2014-3618.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
Affected Products (NVD)
VendorProductVersion
procmailprocmail
3.22
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
procmail
bookworm
3.22-27
fixed
bullseye
3.22-26+deb11u1
fixed
sid
3.24+really3.22-4
fixed
trixie
3.24+really3.22-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
procmail
artful
Fixed 3.22-25ubuntu0.17.10.1
released
trusty
Fixed 3.22-21ubuntu0.2
released
xenial
Fixed 3.22-25ubuntu0.16.04.1
released
zesty
Fixed 3.22-25ubuntu0.17.04.1
released
Common Weakness Enumeration
References
http://www.securitytracker.com/id/1039844
https://access.redhat.com/errata/RHSA-2017:3269
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
https://lists.debian.org/debian-lts-announce/2017/11/msg00019.html
https://www.debian.org/security/2017/dsa-4041
http://www.securitytracker.com/id/1039844
https://access.redhat.com/errata/RHSA-2017:3269
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
https://lists.debian.org/debian-lts-announce/2017/11/msg00019.html
https://www.debian.org/security/2017/dsa-4041