Date: Tue, 4 May 2021 16:03:38 GMT
From: Dima Panov <fluffy@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject: git: 1cb912fd52ce - 2021Q2 - mail/exim: update to 4.94.2 security release
Message-ID: <202105041603.144G3cOZ013965@gitrepo.freebsd.org>
The branch 2021Q2 has been updated by fluffy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1cb912fd52ce82aecfe55a3a9cca88daddf6208d

commit 1cb912fd52ce82aecfe55a3a9cca88daddf6208d
Author:     Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2021-05-04 15:57:17 +0000
Commit:     Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2021-05-04 16:03:24 +0000

    mail/exim: update to 4.94.2 security release

    * New upstream security release.
      + Release based on +fixes branch.
      + Fixes multiple security vulnerabilities reported by Qualys and
        adds related robustness improvements. (Special thanks to Heiko)

        CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
        CVE-2020-28007: Link attack in Exim's log directory
        CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
        CVE-2020-28012: Missing close-on-exec flag for privileged pipe
        CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
        CVE-2020-28009: Integer overflow in get_stdinput()
        CVE-2020-28015, CVE-28021: New-line injection into spool header file
        CVE-2020-28026: Line truncation and injection in spool_read_header()
        CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
        CVE-2020-28017: Integer overflow in receive_add_recipient()
        CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
        CVE-2020-28011: Heap buffer overflow in queue_run()
        CVE-2020-28010: Heap out-of-bounds write in main()
        CVE-2020-28018: Use-after-free in tls-openssl.c
        CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
        CVE-2020-28014, CVE-2021-27216: PID file handling
        CVE-2020-28008: Assorted attacks in Exim's spool directory
        CVE-2020-28019: Failure to reset function pointer after BDAT error

    * Incorporate debian patches to turn taint failures into warnings.
(cherry picked from commit 0a629bd71087f75c3b334edb53b01ec68709ab60) --- mail/exim/Makefile | 31 +- mail/exim/distinfo | 6 +- ...ain-config-option-allow_insecure_tainted_.patch | 230 +++++++++ mail/exim/files/debian/75_02-search.patch | 39 ++ mail/exim/files/debian/75_03-dbstuff.patch | 30 ++ mail/exim/files/debian/75_04-acl.patch | 67 +++ mail/exim/files/debian/75_05-parse.patch | 30 ++ mail/exim/files/debian/75_06-rda.patch | 28 ++ mail/exim/files/debian/75_07-appendfile.patch | 34 ++ mail/exim/files/debian/75_08-autoreply.patch | 70 +++ mail/exim/files/debian/75_09-pipe.patch | 36 ++ mail/exim/files/debian/75_10-deliver.patch | 49 ++ mail/exim/files/debian/75_11-directory.patch | 26 + mail/exim/files/debian/75_12-expand.patch | 34 ++ mail/exim/files/debian/75_13-lf_sqlperform.patch | 49 ++ .../exim/files/debian/75_14-rf_get_transport.patch | 28 ++ mail/exim/files/debian/75_15-deliver.patch | 31 ++ mail/exim/files/debian/75_16-smtp_out.patch | 38 ++ mail/exim/files/debian/75_17-smtp.patch | 29 ++ mail/exim/files/debian/75_18-update-doc.patch | 154 ++++++ ...g_name-and-rejectlog_name-unconditionally.patch | 42 ++ mail/exim/files/debian/75_21-tidy-log.c.patch | 124 +++++ .../exim/files/debian/75_22-Silence-compiler.patch | 222 +++++++++ ...e-the-main-_log-if-we-do-not-see-a-chance.patch | 166 +++++++ .../files/debian/75_24-Silence-the-compiler.patch | 57 +++ ...ntchecks-for-mkdir-this-isn-t-part-of-4.9.patch | 27 ++ ...002-Taint-fix-pam-expansion-condition.-Bug-2587 | 56 --- ...aint-fix-listcount-expansion-operator.-Bug-2586 | 43 -- .../patch-z0004-Docs-fix-mistaken-variable-name | 28 -- mail/exim/files/patch-z0006-Docs-typoes | 25 - ...ultiple-ACL-actions-to-properly-manage-tainted- | 79 ---- mail/exim/files/patch-z0008-Fix-bi.-Bug-2590 | 44 -- ...9-Filters-fix-vacation-in-Exim-filter.-Bug-2593 | 48 -- ...-6125-rules-for-certifucate-name-checks-when-CN | 180 ------- ...atch-z0011-Taint-fix-radius-expansion-condition | 40 -- 
..._map_per_host-call-search_tidyup-in-fail-path.- | 42 -- .../files/patch-z0013-Taint-fix-verify.-Bug-2598 | 50 -- ..._copy-macro-to-not-multiple-eval-args.-Bug-2603 | 48 -- ...handle-request-when-a-callout-hold-is-active.-B | 118 ----- ...ch-z0016-Lookups-Fix-subdir-filter-on-a-dsearch | 53 --- ...segfault-on-bad-missing-sqlite_dbfile.-Bug-2606 | 59 --- ...CL-spam-condition-to-permit-tainted-name-argume | 52 -- ...020-Fix-message-reception-clock-usage.-Bug-2615 | 158 ------- mail/exim/files/patch-z0021-typoes | 24 - ...-Fix-DKIM-signing-to-always-terminate.-Bug-2295 | 193 -------- ...3-Fix-taint-trap-in-parse_fix_phrase-.-Bug-2617 | 366 -------------- ...CL-spam-condition-to-permit-tainted-name-argume | 74 --- mail/exim/files/patch-z0025-Fix-debug_print_socket | 79 ---- ...atch-z0026-debug_print_socket-output-formatting | 51 -- ...ing-of-local_part_data-in-docs-and-debug-output | 54 --- ...-z0028-Fix-readsocket-eol-replacement.-Bug-2630 | 216 --------- ...9-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634 | 51 -- ...30-Build-ifdef-guard-for-EXPERIMENTAL_QUEUEFILE | 32 -- ...1-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634 | 28 -- ...ch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265 | 102 ---- ...E-Fix-2-rcpt-message-diff-domins-case.-Bug-2265 | 217 --------- mail/exim/files/patch-z0034-Fix-non-DANE-build | 92 ---- ...patch-z0035-DANE-Fix-2-messages-from-queue-case | 525 --------------------- mail/exim/files/patch-z0036-Fix-non-DANE-build | 114 ----- ...r-errno-before-any-data-i-o-op-so-error-logging | 41 -- mail/exim/files/patch-z0039-Fix-non-TLS-build | 83 ---- .../files/patch-z0040-eximon-fix-FreeBSD-build | 25 - ...P-fix-taint-check-in-server-list-walk.-Bug-2646 | 51 -- ...s-authenticator-pubname-through-spool.-Bug-2648 | 107 ----- mail/exim/options | 2 + 65 files changed, 1674 insertions(+), 3653 deletions(-) diff --git a/mail/exim/Makefile b/mail/exim/Makefile index a8c99db8c762..b66114db3c6b 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile 
@@ -2,7 +2,7 @@ PORTNAME= exim PORTVERSION?= ${EXIM_VERSION} -PORTREVISION?= 4 +PORTREVISION?= 0 CATEGORIES= mail MASTER_SITES= EXIM:exim MASTER_SITE_SUBDIR= /exim4/:exim \ @@ -65,6 +65,33 @@ SPF_LIB_DEPENDS= libspf2.so:mail/libspf2 SQLITE_LIB_DEPENDS= libicudata.so:devel/icu SQLITE_USES= pkgconfig sqlite +TAINTWARN_PATCHES_PREFIX= ${FILESDIR}/debian/75 +TAINTWARN_EXTRA_PATCHES= \ + ${TAINTWARN_PATCHES_PREFIX}_01-Introduce-main-config-option-allow_insecure_tainted_.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_02-search.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_03-dbstuff.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_04-acl.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_05-parse.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_06-rda.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_07-appendfile.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_08-autoreply.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_09-pipe.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_10-deliver.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_11-directory.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_12-expand.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_13-lf_sqlperform.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_14-rf_get_transport.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_15-deliver.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_16-smtp_out.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_17-smtp.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_18-update-doc.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_20-Set-mainlog_name-and-rejectlog_name-unconditionally.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_21-tidy-log.c.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_22-Silence-compiler.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_23-Do-not-close-the-main-_log-if-we-do-not-see-a-chance.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_24-Silence-the-compiler.patch:-p1 \ + ${TAINTWARN_PATCHES_PREFIX}_26-Disable-taintchecks-for-mkdir-this-isn-t-part-of-4.9.patch:-p1 + .include <bsd.port.options.mk> # OCSP is supported for openssl only 
@@ -104,7 +131,7 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.conf .endif -EXIM_VERSION= 4.94 +EXIM_VERSION= 4.94.2 SA_EXIM_VERSION=4.2.1 EXIM_INSTALL_ARG+= "-no_chown" "-no_symlink" EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name '74_*.patch'|${SORT} -h` diff --git a/mail/exim/distinfo b/mail/exim/distinfo index 64c610468f1b..cf1ae320eaa8 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1591032067 -SHA256 (exim/exim-4.94.tar.bz2) = 73feeaa5ddb43363782db0c307b593aacb49542dd7e4b795a2880779595affe5 -SIZE (exim/exim-4.94.tar.bz2) = 1997217 +TIMESTAMP = 1620141511 +SHA256 (exim/exim-4.94.2.tar.bz2) = 902e611486400608691dff31e1d8725eb9e23602399ad75670ec18878643bc4f +SIZE (exim/exim-4.94.2.tar.bz2) = 2007178 SHA256 (exim/sa-exim-4.2.1.tar.gz) = 24d4bf7b0fdddaea11f132981cebb6a86a4ab20ef54111a8ebd481b421c6e2c1 SIZE (exim/sa-exim-4.2.1.tar.gz) = 68933 diff --git a/mail/exim/files/debian/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch b/mail/exim/files/debian/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch new file mode 100644 index 000000000000..0295ec18fa6e --- /dev/null +++ b/mail/exim/files/debian/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch 
@@ -0,0 +1,230 @@ +From ec06d64532e4952fc36429f73e0222d26997ef7c Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Thu, 1 Apr 2021 22:44:31 +0200 +Subject: [PATCH 01/23] Introduce main config option + allow_insecure_tainted_data + +This option is deprecated already now. +--- + src/EDITME | 7 +++++ + src/config.h.defaults | 2 ++ + src/functions.h | 54 ++++++++++++++++++++++++++++++--------- + src/globals.c | 10 ++++++++ + src/globals.h | 4 +++ + src/macros.h | 3 +++ + src/readconf.c | 3 +++ + 7 files changed, 71 insertions(+), 12 deletions(-) + +diff --git a/src/EDITME b/src/EDITME +index 8da36a353..cebb8e2ec 100644 +--- a/src/EDITME ++++ b/src/EDITME +@@ -749,6 +749,13 @@ FIXED_NEVER_USERS=root + + # WHITELIST_D_MACROS=TLS:SPOOL + ++# The next setting enables a main config option ++# "allow_insecure_tainted_data" to turn taint failures into warnings. ++# Though this option is new, it is deprecated already now, and will be ++# ignored in future releases of Exim. It is meant as mitigation for ++# upgrading old (possibly insecure) configurations to more secure ones. ++ALLOW_INSECURE_TAINTED_DATA=yes ++ + #------------------------------------------------------------------------------ + # Exim has support for the AUTH (authentication) extension of the SMTP + # protocol, as defined by RFC 2554. If you don't know what SMTP authentication +diff --git a/src/config.h.defaults b/src/config.h.defaults +index e17f015f9..4e8b18904 100644 +--- a/src/config.h.defaults ++++ b/src/config.h.defaults +@@ -17,6 +17,8 @@ Do not put spaces between # and the 'define'. 
+ #define ALT_CONFIG_PREFIX + #define TRUSTED_CONFIG_LIST + ++#define ALLOW_INSECURE_TAINTED_DATA ++ + #define APPENDFILE_MODE 0600 + #define APPENDFILE_DIRECTORY_MODE 0700 + #define APPENDFILE_LOCKFILE_MODE 0600 +diff --git a/src/functions.h b/src/functions.h +index 51bb17a09..1e8083673 100644 +--- a/src/functions.h ++++ b/src/functions.h +@@ -1083,36 +1083,66 @@ if (f.running_in_test_harness && f.testsuite_delays) millisleep(millisec); + + /******************************************************************************/ + /* Taint-checked file opens */ ++static inline uschar * ++is_tainted2(const void *p, int lflags, const uschar* fmt, ...) ++{ ++va_list ap; ++uschar *msg; ++rmark mark; ++ ++if (!is_tainted(p)) ++ return NULL; ++ ++mark = store_mark(); ++va_start(ap, fmt); ++msg = string_from_gstring(string_vformat(NULL, SVFMT_TAINT_NOCHK|SVFMT_EXTEND, fmt, ap)); ++va_end(ap); ++ ++#ifdef ALLOW_INSECURE_TAINTED_DATA ++if (allow_insecure_tainted_data) ++ { ++ if LOGGING(tainted) log_write(0, LOG_MAIN, "Warning: %s", msg); ++ store_reset(mark); ++ return NULL; ++ } ++#endif ++ ++if (lflags) log_write(0, lflags, "%s", msg); ++return msg; /* no store_reset(), as the message might be used afterwards and Exim ++ is expected to exit anyway, so we do not care about the leaked ++ storage */ ++} + + static inline int + exim_open2(const char *pathname, int flags) + { +-if (!is_tainted(pathname)) return open(pathname, flags); +-log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname); ++if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname)) ++ return open(pathname, flags); + errno = EACCES; + return -1; + } ++ + static inline int + exim_open(const char *pathname, int flags, mode_t mode) + { +-if (!is_tainted(pathname)) return open(pathname, flags, mode); +-log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname); ++if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname)) ++ return open(pathname, 
flags, mode); + errno = EACCES; + return -1; + } + static inline int + exim_openat(int dirfd, const char *pathname, int flags) + { +-if (!is_tainted(pathname)) return openat(dirfd, pathname, flags); +-log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname); ++if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname)) ++ return openat(dirfd, pathname, flags); + errno = EACCES; + return -1; + } + static inline int + exim_openat4(int dirfd, const char *pathname, int flags, mode_t mode) + { +-if (!is_tainted(pathname)) return openat(dirfd, pathname, flags, mode); +-log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname); ++if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname)) ++ return openat(dirfd, pathname, flags, mode); + errno = EACCES; + return -1; + } +@@ -1120,8 +1150,8 @@ return -1; + static inline FILE * + exim_fopen(const char *pathname, const char *mode) + { +-if (!is_tainted(pathname)) return fopen(pathname, mode); +-log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname); ++if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname)) ++ return fopen(pathname, mode); + errno = EACCES; + return NULL; + } +@@ -1129,8 +1159,8 @@ return NULL; + static inline DIR * + exim_opendir(const uschar * name) + { +-if (!is_tainted(name)) return opendir(CCS name); +-log_write(0, LOG_MAIN|LOG_PANIC, "Tainted dirname '%s'", name); ++if (!is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted dirname '%s'", name)) ++ return opendir(CCS name); + errno = EACCES; + return NULL; + } +diff --git a/src/globals.c b/src/globals.c +index c34ac9ddd..ff660c352 100644 +--- a/src/globals.c ++++ b/src/globals.c +@@ -98,6 +98,10 @@ int sqlite_lock_timeout = 5; + BOOL move_frozen_messages = FALSE; + #endif + ++#ifdef ALLOW_INSECURE_TAINTED_DATA ++BOOL allow_insecure_tainted_data = FALSE; ++#endif ++ + /* These variables are outside the #ifdef because it keeps the code less + cluttered in 
several places (e.g. during logging) if we can always refer to + them. Also, the tls_ variables are now always visible. Note that these are +@@ -1033,6 +1037,9 @@ int log_default[] = { /* for initializing log_selector */ + Li_size_reject, + Li_skip_delivery, + Li_smtp_confirmation, ++#ifdef ALLOW_INSECURE_TAINTED_DATA ++ Li_tainted, ++#endif + Li_tls_certificate_verified, + Li_tls_cipher, + -1 +@@ -1100,6 +1107,9 @@ bit_table log_options[] = { /* must be in alphabetical order, + BIT_TABLE(L, smtp_protocol_error), + BIT_TABLE(L, smtp_syntax_error), + BIT_TABLE(L, subject), ++#ifdef ALLOW_INSECURE_TAINTED_DATA ++ BIT_TABLE(L, tainted), ++#endif + BIT_TABLE(L, tls_certificate_verified), + BIT_TABLE(L, tls_cipher), + BIT_TABLE(L, tls_peerdn), +diff --git a/src/globals.h b/src/globals.h +index a4c1143b7..8d72577e0 100644 +--- a/src/globals.h ++++ b/src/globals.h +@@ -77,6 +77,10 @@ extern int sqlite_lock_timeout; /* Internal lock waiting timeout */ + extern BOOL move_frozen_messages; /* Get them out of the normal directory */ + #endif + ++#ifdef ALLOW_INSECURE_TAINTED_DATA ++extern BOOL allow_insecure_tainted_data; ++#endif ++ + /* These variables are outside the #ifdef because it keeps the code less + cluttered in several places (e.g. during logging) if we can always refer to + them. Also, the tls_ variables are now always visible. 
*/ +diff --git a/src/macros.h b/src/macros.h +index f78ae2e3d..322ddbf56 100644 +--- a/src/macros.h ++++ b/src/macros.h +@@ -498,6 +498,9 @@ enum logbit { + Li_smtp_mailauth, + Li_smtp_no_mail, + Li_subject, ++#ifdef ALLOW_INSECURE_TAINTED_DATA ++ Li_tainted, ++#endif + Li_tls_certificate_verified, + Li_tls_cipher, + Li_tls_peerdn, +diff --git a/src/readconf.c b/src/readconf.c +index 948fa2403..133135f8f 100644 +--- a/src/readconf.c ++++ b/src/readconf.c +@@ -68,6 +68,9 @@ static optionlist optionlist_config[] = { + { "add_environment", opt_stringptr, {&add_environment} }, + { "admin_groups", opt_gidlist, {&admin_groups} }, + { "allow_domain_literals", opt_bool, {&allow_domain_literals} }, ++#ifdef ALLOW_INSECURE_TAINTED_DATA ++ { "allow_insecure_tainted_data", opt_bool, {&allow_insecure_tainted_data} }, ++#endif + { "allow_mx_to_ip", opt_bool, {&allow_mx_to_ip} }, + { "allow_utf8_domains", opt_bool, {&allow_utf8_domains} }, + { "auth_advertise_hosts", opt_stringptr, {&auth_advertise_hosts} }, +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_02-search.patch b/mail/exim/files/debian/75_02-search.patch new file mode 100644 index 000000000000..226a350af10d --- /dev/null +++ b/mail/exim/files/debian/75_02-search.patch 
@@ -0,0 +1,39 @@ +From b71d675f695c2cf17357b190476129535d5f446c Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Thu, 1 Apr 2021 22:45:03 +0200 +Subject: [PATCH 02/23] search + +--- + src/search.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/src/search.c b/src/search.c +index f8aaacb04..f6e4d1f5b 100644 +--- a/src/search.c ++++ b/src/search.c +@@ -343,12 +343,8 @@ lookup_info *lk = lookup_list[search_type]; + uschar keybuffer[256]; + int old_pool = store_pool; + +-if (filename && is_tainted(filename)) +- { +- log_write(0, LOG_MAIN|LOG_PANIC, +- "Tainted filename for search: '%s'", filename); ++if (filename && is_tainted2(filename, LOG_MAIN|LOG_PANIC, "Tainted filename for search '%s'", filename)) + return NULL; +- } + + /* Change to the search store pool and remember our reset point */ + +@@ -639,7 +635,7 @@ DEBUG(D_lookup) + /* Arrange to put this database at the top of the LRU chain if it is a type + that opens real files. */ + +-if ( open_top != (tree_node *)handle ++if ( open_top != (tree_node *)handle + && lookup_list[t->name[0]-'0']->type == lookup_absfile) + { + search_cache *c = (search_cache *)(t->data.ptr); +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_03-dbstuff.patch b/mail/exim/files/debian/75_03-dbstuff.patch new file mode 100644 index 000000000000..dc9da8e44c54 --- /dev/null +++ b/mail/exim/files/debian/75_03-dbstuff.patch 
@@ -0,0 +1,30 @@ +From 35b11dd0e52b5ac176849f807cca8898bcaf0c3d Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Sun, 28 Mar 2021 10:49:49 +0200 +Subject: [PATCH 03/23] dbstuff + +--- + src/dbstuff.h | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/dbstuff.h b/src/dbstuff.h +index c1fb54346..dcee78696 100644 +--- a/src/dbstuff.h ++++ b/src/dbstuff.h +@@ -643,11 +643,9 @@ after reading data. */ + : (flags) == O_RDWR ? "O_RDWR" \ + : (flags) == (O_RDWR|O_CREAT) ? "O_RDWR|O_CREAT" \ + : "??"); \ +- if (is_tainted(name) || is_tainted(dirname)) \ +- { \ +- log_write(0, LOG_MAIN|LOG_PANIC, "Tainted name for DB file not permitted"); \ ++ if (is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted name '%s' for DB file not permitted", name) \ ++ || is_tainted2(dirname, LOG_MAIN|LOG_PANIC, "Tainted name '%s' for DB directory not permitted", dirname)) \ + *dbpp = NULL; \ +- } \ + else \ + { EXIM_DBOPEN__(name, dirname, flags, mode, dbpp); } \ + DEBUG(D_hints_lookup) debug_printf_indent("returned from EXIM_DBOPEN: %p\n", *dbpp); \ +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_04-acl.patch b/mail/exim/files/debian/75_04-acl.patch new file mode 100644 index 000000000000..810b2e591675 --- /dev/null +++ b/mail/exim/files/debian/75_04-acl.patch 
@@ -0,0 +1,67 @@ +From 44fd80ad8abcd885fc1c8dbb294fc2140e4ef481 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Sun, 28 Mar 2021 10:50:14 +0200 +Subject: [PATCH 04/23] acl +Last-Update: 2021-05-01 + +--- + src/acl.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/src/acl.c ++++ b/src/acl.c +@@ -3596,24 +3596,26 @@ + rc = mime_regex(&arg); + break; + #endif + + case ACLC_QUEUE: +- if (is_tainted(arg)) + { +- *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted", +- arg); +- return ERROR; ++ uschar *m; ++ if (m = is_tainted2(arg, 0, "Tainted name '%s' for queue not permitted", arg)) ++ { ++ *log_msgptr = m; ++ return ERROR; ++ } ++ if (Ustrchr(arg, '/')) ++ { ++ *log_msgptr = string_sprintf( ++ "Directory separator not permitted in queue name: '%s'", arg); ++ return ERROR; ++ } ++ queue_name = string_copy_perm(arg, FALSE); ++ break; + } +- if (Ustrchr(arg, '/')) +- { +- *log_msgptr = string_sprintf( +- "Directory separator not permitted in queue name: '%s'", arg); +- return ERROR; +- } +- queue_name = string_copy_perm(arg, FALSE); +- break; + + case ACLC_RATELIMIT: + rc = acl_ratelimit(arg, where, log_msgptr); + break; + +@@ -4005,14 +4007,12 @@ + } + + else if (*ss == '/') + { + struct stat statbuf; +- if (is_tainted(ss)) ++ if (is_tainted2(ss, LOG_MAIN|LOG_PANIC, "Tainted ACL file name '%s'", ss)) + { +- log_write(0, LOG_MAIN|LOG_PANIC, +- "attempt to open tainted ACL file name \"%s\"", ss); + /* Avoid leaking info to an attacker */ + *log_msgptr = US"internal configuration error"; + return ERROR; + } + if ((fd = Uopen(ss, O_RDONLY, 0)) < 0) diff --git a/mail/exim/files/debian/75_05-parse.patch b/mail/exim/files/debian/75_05-parse.patch new file mode 100644 index 000000000000..f9dab900f88e --- /dev/null +++ b/mail/exim/files/debian/75_05-parse.patch 
@@ -0,0 +1,30 @@ +From 7eeeb6f26af05322814ecc77c87f09c72ab2216a Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Sun, 28 Mar 2021 10:58:46 +0200 +Subject: [PATCH 05/23] parse + +--- + src/parse.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/src/parse.c b/src/parse.c +index 3ea758ac9..d1bc79039 100644 +--- a/src/parse.c ++++ b/src/parse.c +@@ -1402,12 +1402,8 @@ for (;;) + return FF_ERROR; + } + +- if (is_tainted(filename)) +- { +- *error = string_sprintf("Tainted name '%s' for included file not permitted\n", +- filename); ++ if (*error = is_tainted2(filename, 0, "Tainted name '%s' for included file not permitted\n", filename)) + return FF_ERROR; +- } + + /* Check file name if required */ + +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_06-rda.patch b/mail/exim/files/debian/75_06-rda.patch new file mode 100644 index 000000000000..f4ca2afc13f1 --- /dev/null +++ b/mail/exim/files/debian/75_06-rda.patch @@ -0,0 +1,28 @@ +From a6da9c67acaee699616516be141d600cc178a633 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Sun, 28 Mar 2021 10:59:46 +0200 +Subject: [PATCH 06/23] rda + +--- + src/rda.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/rda.c b/src/rda.c +index aed8abc24..6ad7dd8bd 100644 +--- a/src/rda.c ++++ b/src/rda.c +@@ -179,10 +179,8 @@ struct stat statbuf; + /* Reading a file is a form of expansion; we wish to deny attackers the + capability to specify the file name. */ + +-if (is_tainted(filename)) ++if (*error = is_tainted2(filename, 0, "Tainted name '%s' for file read not permitted\n", filename)) + { +- *error = string_sprintf("Tainted name '%s' for file read not permitted\n", +- filename); + *yield = FF_ERROR; + return NULL; + } +-- +2.30.2 + 
diff --git a/mail/exim/files/debian/75_07-appendfile.patch b/mail/exim/files/debian/75_07-appendfile.patch new file mode 100644 index 000000000000..5a9e37861d7f --- /dev/null +++ b/mail/exim/files/debian/75_07-appendfile.patch @@ -0,0 +1,34 @@ +From c29b50d2fe17cc108d751175ed4f4113c25c1768 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Sun, 28 Mar 2021 11:00:06 +0200 +Subject: [PATCH 07/23] appendfile + +--- + src/transports/appendfile.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/transports/appendfile.c b/src/transports/appendfile.c +index 8ab8b6016..7dbbaa2f9 100644 +--- a/src/transports/appendfile.c ++++ b/src/transports/appendfile.c +@@ -1286,12 +1286,14 @@ if (!(path = expand_string(fdname))) + expand_string_message); + goto ret_panic; + } +-if (is_tainted(path)) ++{ uschar *m; ++if (m = is_tainted2(path, 0, "Tainted '%s' (file or directory " ++ "name for %s transport) not permitted", path, tblock->name)) + { +- addr->message = string_sprintf("Tainted '%s' (file or directory " +- "name for %s transport) not permitted", path, tblock->name); ++ addr->message = m; + goto ret_panic; + } ++} + + if (path[0] != '/') + { +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_08-autoreply.patch b/mail/exim/files/debian/75_08-autoreply.patch new file mode 100644 index 000000000000..de5eb1dd3c20 --- /dev/null +++ b/mail/exim/files/debian/75_08-autoreply.patch 
@@ -0,0 +1,70 @@ +From 26de37d8960da80473866fb59b9dfd10a5761538 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Sun, 28 Mar 2021 11:06:27 +0200 +Subject: [PATCH 08/23] autoreply + +--- + src/transports/autoreply.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/transports/autoreply.c b/src/transports/autoreply.c +index 865abbf4f..ed99de4c6 100644 +--- a/src/transports/autoreply.c ++++ b/src/transports/autoreply.c +@@ -404,14 +404,15 @@ recipient cache. */ + + if (oncelog && *oncelog && to) + { ++ uschar *m; + time_t then = 0; + +- if (is_tainted(oncelog)) ++ if (m = is_tainted2(oncelog, 0, "Tainted '%s' (once file for %s transport)" ++ " not permitted", oncelog, tblock->name)) + { + addr->transport_return = DEFER; + addr->basic_errno = EACCES; +- addr->message = string_sprintf("Tainted '%s' (once file for %s transport)" +- " not permitted", oncelog, tblock->name); ++ addr->message = m; + goto END_OFF; + } + +@@ -515,13 +516,14 @@ if (oncelog && *oncelog && to) + + if (then != 0 && (once_repeat_sec <= 0 || now - then < once_repeat_sec)) + { ++ uschar *m; + int log_fd; +- if (is_tainted(logfile)) ++ if (m = is_tainted2(logfile, 0, "Tainted '%s' (logfile for %s transport)" ++ " not permitted", logfile, tblock->name)) + { + addr->transport_return = DEFER; + addr->basic_errno = EACCES; +- addr->message = string_sprintf("Tainted '%s' (logfile for %s transport)" +- " not permitted", logfile, tblock->name); ++ addr->message = m; + goto END_OFF; + } + +@@ -548,12 +550,13 @@ if (oncelog && *oncelog && to) + /* We are going to send a message. Ensure any requested file is available. 
*/ + if (file) + { +- if (is_tainted(file)) ++ uschar *m; ++ if (m = is_tainted2(file, 0, "Tainted '%s' (file for %s transport)" ++ " not permitted", file, tblock->name)) + { + addr->transport_return = DEFER; + addr->basic_errno = EACCES; +- addr->message = string_sprintf("Tainted '%s' (file for %s transport)" +- " not permitted", file, tblock->name); ++ addr->message = m; + return FALSE; + } + if (!(ff = Ufopen(file, "rb")) && !ob->file_optional) +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_09-pipe.patch b/mail/exim/files/debian/75_09-pipe.patch new file mode 100644 index 000000000000..0ec9bcfaed19 --- /dev/null +++ b/mail/exim/files/debian/75_09-pipe.patch @@ -0,0 +1,36 @@ +From f9628406706112be459adb3f121db8e6cf282c2d Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Fri, 2 Apr 2021 17:30:27 +0200 +Subject: [PATCH 09/23] pipe + +--- + src/transports/pipe.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/transports/pipe.c b/src/transports/pipe.c +index 27422bd42..4c9e68beb 100644 +--- a/src/transports/pipe.c ++++ b/src/transports/pipe.c +@@ -599,13 +599,16 @@ if (!cmd || !*cmd) + tblock->name); + return FALSE; + } +-if (is_tainted(cmd)) ++ ++{ uschar *m; ++if (m = is_tainted2(cmd, 0, "Tainted '%s' (command " ++ "for %s transport) not permitted", cmd, tblock->name)) + { +- addr->message = string_sprintf("Tainted '%s' (command " +- "for %s transport) not permitted", cmd, tblock->name); + addr->transport_return = PANIC; ++ addr->message = m; + return FALSE; + } ++} + + /* When a pipe is set up by a filter file, there may be values for $thisaddress + and numerical the variables in existence. These are passed in +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_10-deliver.patch b/mail/exim/files/debian/75_10-deliver.patch new file mode 100644 index 000000000000..ea4a54239e31 --- /dev/null +++ b/mail/exim/files/debian/75_10-deliver.patch 
@@ -0,0 +1,49 @@ +From 2fee91ae42e974c21202e0b5e17185f6a87bf8af Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Wed, 31 Mar 2021 23:12:44 +0200 +Subject: [PATCH 10/23] deliver + +--- + src/deliver.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/deliver.c b/src/deliver.c +index d85edd70e..8b7998f37 100644 +--- a/src/deliver.c ++++ b/src/deliver.c +@@ -5538,10 +5538,11 @@ FILE * fp = NULL; + if (!s || !*s) + log_write(0, LOG_MAIN|LOG_PANIC, + "Failed to expand %s: '%s'\n", varname, filename); +-else if (*s != '/' || is_tainted(s)) +- log_write(0, LOG_MAIN|LOG_PANIC, +- "%s is not %s after expansion: '%s'\n", +- varname, *s == '/' ? "untainted" : "absolute", s); ++else if (*s != '/') ++ log_write(0, LOG_MAIN|LOG_PANIC, "%s is not absolute after expansion: '%s'\n", ++ varname, s); ++else if (is_tainted2(s, LOG_MAIN|LOG_PANIC, "Tainted %s after expansion: '%s'\n", varname, s)) ++ ; + else if (!(fp = Ufopen(s, "rb"))) + log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for %s " + "message texts: %s", s, reason, strerror(errno)); +@@ -6148,12 +6149,13 @@ else if (system_filter && process_recipients != RECIP_FAIL_TIMEOUT) + { + uschar *tmp = expand_string(tpname); + address_file = address_pipe = NULL; ++ uschar *m; + if (!tmp) + p->message = string_sprintf("failed to expand \"%s\" as a " + "system filter transport name", tpname); +- if (is_tainted(tmp)) +- p->message = string_sprintf("attempt to used tainted value '%s' for" +- "transport '%s' as a system filter", tmp, tpname); ++ if (is_tainted2(tmp, 0, m = string_sprintf("Tainted values '%s' " ++ "for transport '%s' as a system filter", tmp, tpname))) ++ p->message = m; + tpname = tmp; + } + else +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_11-directory.patch b/mail/exim/files/debian/75_11-directory.patch new file mode 100644 index 000000000000..4c3a68418c0b --- /dev/null 
+++ b/mail/exim/files/debian/75_11-directory.patch @@ -0,0 +1,26 @@ +From 5f41e800ce9cc7ad154047298914df955e905bf4 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Thu, 1 Apr 2021 21:28:59 +0200 +Subject: [PATCH 11/23] directory + +--- + src/directory.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/directory.c b/src/directory.c +index 2d4d565f4..9f88f4141 100644 +--- a/src/directory.c ++++ b/src/directory.c +@@ -44,6 +44,9 @@ uschar c = 1; + struct stat statbuf; + uschar * path; + ++if (is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted path '%s' for new directory", name)) ++ { p = US"create"; path = US name; errno = EACCES; goto bad; } ++ + if (parent) + { + path = string_sprintf("%s%s%s", parent, US"/", name); +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_12-expand.patch b/mail/exim/files/debian/75_12-expand.patch new file mode 100644 index 000000000000..ebb099d284f2 --- /dev/null +++ b/mail/exim/files/debian/75_12-expand.patch @@ -0,0 +1,34 @@ +From c02ea85f525ff256d78e084d6f76fe3032fd52e1 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Thu, 1 Apr 2021 21:33:50 +0200 +Subject: [PATCH 12/23] expand + +--- + src/expand.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/expand.c b/src/expand.c +index 05de94c49..21b86ebf5 100644 +--- a/src/expand.c ++++ b/src/expand.c +@@ -4383,13 +4383,13 @@ DEBUG(D_expand) + f.expand_string_forcedfail = FALSE; + expand_string_message = US""; + +-if (is_tainted(string)) ++{ uschar *m; ++if (m = is_tainted2(string, LOG_MAIN|LOG_PANIC, "Tainted string '%s' in expansion", s)) + { +- expand_string_message = +- string_sprintf("attempt to expand tainted string '%s'", s); +- log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message); ++ expand_string_message = m; + goto EXPAND_FAILED; + } ++} + + while (*s != 0) + { +-- +2.30.2 + 
diff --git a/mail/exim/files/debian/75_13-lf_sqlperform.patch b/mail/exim/files/debian/75_13-lf_sqlperform.patch new file mode 100644 index 000000000000..67283a02676e --- /dev/null +++ b/mail/exim/files/debian/75_13-lf_sqlperform.patch @@ -0,0 +1,49 @@ +From 9810dfc25d8b9687b46e57963a3ac30bf5c9b2c9 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Thu, 1 Apr 2021 21:36:12 +0200 +Subject: [PATCH 13/23] lf_sqlperform + +--- + src/lookups/lf_sqlperform.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/lookups/lf_sqlperform.c b/src/lookups/lf_sqlperform.c +index ad1df29d1..eda3089e2 100644 +--- a/src/lookups/lf_sqlperform.c ++++ b/src/lookups/lf_sqlperform.c +@@ -102,11 +102,13 @@ if (Ustrncmp(query, "servers", 7) == 0) + } + } + +- if (is_tainted(server)) +- { +- *errmsg = string_sprintf("%s server \"%s\" is tainted", name, server); ++ { uschar *m; ++ if (m = is_tainted2(server, 0, "Tainted %s server '%s'", name, server)) ++ { ++ *errmsg = m; + return DEFER; + } ++ } + + rc = (*fn)(ss+1, server, result, errmsg, &defer_break, do_cache, opts); + if (rc != DEFER || defer_break) return rc; +@@ -158,11 +160,13 @@ else + server = ele; + } + +- if (is_tainted(server)) ++ { uschar *m; ++ if (is_tainted2(server, 0, "Tainted %s server '%s'", name, server)) + { +- *errmsg = string_sprintf("%s server \"%s\" is tainted", name, server); ++ *errmsg = m; + return DEFER; + } ++ } + + rc = (*fn)(query, server, result, errmsg, &defer_break, do_cache, opts); + if (rc != DEFER || defer_break) return rc; +-- +2.30.2 + diff --git a/mail/exim/files/debian/75_14-rf_get_transport.patch b/mail/exim/files/debian/75_14-rf_get_transport.patch new file mode 100644 index 000000000000..9e8b69d3ad6a --- /dev/null +++ b/mail/exim/files/debian/75_14-rf_get_transport.patch 
@@ -0,0 +1,28 @@ +From 015fff57c854184f8bce61476c46a2830a97daf8 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Fri, 2 Apr 2021 08:36:24 +0200 +Subject: [PATCH 14/23] rf_get_transport + +--- + src/routers/rf_get_transport.c | 4 +--- *** 4867 LINES SKIPPED ***
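Review bot: TAINTWARN_EXTRA_PATCHES in mail/exim/Makefile (hunk @@ -65,6 +65,33) goes from 75_18 straight to 75_20 and from 75_24 to 75_26 with no comment, and the diffstat likewise has no 75_19 or 75_25 file. Please add a comment above the list saying that the gaps are intentional and why, so that a later refresh of the Debian series does not silently add or drop a patch. The same comment is a good place to state that these patches downgrade taint failures to warnings, since the variable name alone does not say that the hardening is being relaxed.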
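Review bot: In is_tainted2() (75_01, src/functions.h hunk @@ -1083,36 +1083,66) the warning in the allow_insecure_tainted_data branch is gated on LOGGING(tainted), so once that selector is switched off every caller gets NULL back and goes on to use the tainted filename, command or expansion string with nothing written to the log. The lflags argument is also ignored in that branch. Since the option exists only to carry old configurations through an upgrade, I would log the warning unconditionally, or at least whenever lflags is non-zero, so that the sites still relying on tainted data stay visible to whoever has to fix the configuration.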
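Review bot: In 75_05-parse.patch (src/parse.c hunk @@ -1402,12 +1402,8) the condition "if (*error = is_tainted2(filename, 0, ...))" writes NULL into *error whenever filename is untainted or the check is downgraded to a warning, whereas the removed code touched *error only on failure. The same construct is in 75_06-rda.patch (src/rda.c hunk @@ -179,10 +179,8). Please use a local "uschar *m" and assign *error only inside the failing branch, as the appendfile.c and pipe.c hunks do, and put the assignment in its own parentheses so it is not mistaken for a comparison.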
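Review bot: In 75_10-deliver.patch, second hunk (src/deliver.c @@ -6148,12 +6149,13), the result of string_sprintf() is passed as the fmt argument of is_tainted2(), so the value under test (tmp) is embedded in a string that is_tainted2() then hands to string_vformat() as a format; any '%' in tmp would be interpreted as a conversion with no matching argument. The message is also built before the taint check, including when tmp is NULL, because the preceding "if (!tmp)" has no else. Pass the format and its arguments directly, as every other call site in this series does: if ((m = is_tainted2(tmp, 0, "Tainted values '%s' for transport '%s' as a system filter", tmp, tpname))) p->message = m;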
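Review bot: In 75_13-lf_sqlperform.patch, second hunk (src/lookups/lf_sqlperform.c @@ -158,11 +160,13), the call reads "if (is_tainted2(server, 0, ...))" without the "m =" that the first hunk has, so the following "*errmsg = m;" stores an uninitialized pointer and the caller receives a garbage error string on DEFER. Change the condition to "if ((m = is_tainted2(server, 0, "Tainted %s server '%s'", name, server)))" to match the first hunk.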
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105041603.144G3cOZ013965>