Fixes CVE-2014-3618 (heap overflow in formisc.c allowing denial of service and potential remote execution of arbitrary code). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618 Source: http://seclists.org/oss-sec/2014/q3/495 Adopted by Debian as patch '27': https://sources.debian.net/src/procmail/3.22-25/debian/patches/27/ --- a/src/formisc.c +++ b/src/formisc.c @@ -84,12 +84,11 @@ case '"':*target++=delim='"';start++; } ;{ int i; - do + while(*start) if((i= *target++= *start++)==delim) /* corresponding delimiter? */ break; else if(i=='\\'&&*start) /* skip quoted character */ *target++= *start++; - while(*start); /* anything? */ } hitspc=2; }