File CVE-2019-15846.patch of Package exim.openSUSE_Leap_15.1_Update

Index: exim-4.88/doc/ChangeLog
===================================================================
--- exim-4.88.orig/doc/ChangeLog
+++ exim-4.88/doc/ChangeLog
@@ -232,6 +232,7 @@ JH/18 Bug 1709: When built with TLS supp
       Packagers of Exim are strongly encouraged to create a server certificate
       at installation time.
 
+HS/01 Handle trailing backslash gracefully. (CVE-2019-15846)
 HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency
       with the $config_file variable.
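Review bot: the new ChangeLog entry is numbered HS/01 but is placed between JH/18 and HS/03 inside the 4.88 release section; the presence of HS/03 there implies HS/01 and HS/02 already exist above it, so this ID most likely collides with an earlier entry. Give the backport the next free HS/nn in this section, or a dedicated line that says it is a distribution backport of the upstream 4.92.2 fix, so the CVE reference stays unambiguous when someone greps the ChangeLog.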
 
Index: exim-4.88/doc/cve-2019-15846
===================================================================
--- /dev/null
+++ exim-4.88/doc/cve-2019-15846
@@ -0,0 +1,45 @@
+CVE ID:     CVE-2019-15846
+Date:       2019-09-02 (CVE assigned)
+Credits:    Zerons <sironhide0null@gmail.com> for the initial report
+            Qualys https://www.qualys.com/ for the analysis
+Version(s): all versions up to and including 4.92.1
+Issue:      A local or remote attacker can execute programs with root
+            privileges.
+
+Conditions to be vulnerable
+===========================
+
+If your Exim server accepts TLS connections, it is vulnerable. This does
+not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected.
+
+Details
+=======
+
+The vulnerability is exploitable by sending a SNI ending in a
+backslash-null sequence during the initial TLS handshake. The exploit
+exists as a POC. For more details see the document qualys.mbx
+
+Mitigation
+==========
+
+Do not offer TLS. (This mitigation is not recommended.)
+
+Fix
+===
+
+Download and build a fixed version:
+
+    Tarballs: https://ftp.exim.org/pub/exim/exim4/
+    Git:      https://github.com/Exim/exim.git
+              - tag    exim-4.92.2
+              - branch exim-4.92.2+fixes
+
+The tagged commit is the officially released version. The +fixes branch
+isn't officially maintained, but contains the security fix *and* useful
+fixes.
+
+If you can't install the above versions, ask your package maintainer for
+a version containing the backported fix. On request and depending on our
+resources we will support you in backporting the fix.  (Please note,
+the Exim project officially doesn't support versions prior the current
+stable version.)
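Review bot: the added advisory file ships several typos verbatim: "libray" should be "library", "so both, GnuTLS and OpenSSL are affected" should drop the comma, and "prior the current stable version" should read "prior to the current stable version". More importantly, "For more details see the document qualys.mbx" points at a file this patch does not add; either include it under doc/ alongside this file or replace the reference with the public Qualys advisory URL. Since this patch backports the fix into 4.88, the "Fix" section's instruction to download and build 4.92.2 is upstream text that does not apply to this package; a one-line note that the backported fix is already contained here would stop administrators from chasing an upgrade they do not need.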
Index: exim-4.88/src/string.c
===================================================================
--- exim-4.88.orig/src/string.c
+++ exim-4.88/src/string.c
@@ -220,6 +220,8 @@ interpreted in strings.
 Arguments:
   pp       points a pointer to the initiating "\" in the string;
            the pointer gets updated to point to the final character
+	    if the backslash is the last character in the string, it
+           is not interpreted.
 Returns:   the value of the character escape
 */
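Review bot: the two added comment lines mix a tab and spaces for indentation ("+\t    if the backslash" versus "+           is not"), which misaligns them under the "pp" description; use the spaces the surrounding lines use. The text also runs on from "point to the final character" with no punctuation; suggest "the pointer gets updated to point to the final character. If the backslash is the last character in the string, it is not interpreted and the pointer is left unchanged." The last clause is worth stating explicitly because it is the contract callers rely on after the early return added in the next hunk.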
 
@@ -232,6 +234,7 @@ const uschar *hex_digits= CUS"0123456789
 int ch;
 const uschar *p = *pp;
 ch = *(++p);
+if (ch == '\0') return **pp;
 if (isdigit(ch) && ch != '8' && ch != '9')
   {
   ch -= '0';
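Review bot: the new `if (ch == '\0') return **pp;` returns the backslash itself and deliberately leaves `*pp` pointing at it rather than advancing onto the NUL terminator, so a caller that steps one past `*pp` after the call lands on the terminator instead of reading beyond the end of the string; nothing at this site says so, so add a short comment naming that intent and CVE-2019-15846, otherwise a later cleanup could "fix" the missing `*pp = p` and reintroduce the bug. A regression test that passes a string ending in a lone backslash through this function and checks both the returned value and that `*pp` is unchanged would lock the behaviour in.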