From: Dima Panov
Date: Sat, 18 Jul 2020 09:54:49 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r542486 - in branches/2020Q3/mail/exim: . files

Author: fluffy
Date: Sat Jul 18 09:54:49 2020
New Revision: 542486
URL: https://svnweb.freebsd.org/changeset/ports/542486

Log:
  MFH: r542419

  mail/exim: import exim-4.94+fixes branch as state of 2020.07.17

  Used git diffs:
  [02/26] Taint: fix pam expansion condition. Bug 2587
  [03/26] Taint: fix listcount expansion operator. Bug 2586
  [04/26] Docs: fix mistaken variable name
  [06/26] Docs: typoes
  [07/26] Taint: fix multiple ACL actions to properly manage tainted argument data
  [08/26] Fix -bi. Bug 2590
  [09/26] Filters: fix "vacation" in Exim filter. Bug 2593
  [10/26] TLS: use RFC 6125 rules for certifucate name checks when CNAMES are present. Bug 2594
  [11/26] Taint: fix radius expansion condition
  [13/26] Taint: fix verify. Bug 2598
  [14/26] Fix string_copy() macro to not multiple-eval args. Bug 2603
  [15/26] Cutthrough: handle request when a callout-hold is active. Bug 2604
  [16/26] Lookups: Fix "subdir" filter on a dsearch.
  [18/26] Sqlite: fix segfault on bad/missing sqlite_dbfile. Bug 2606
  [19/26] Taint: fix ACL "spam" condition, to permit tainted name arguments.
  [20/26] Fix message-reception clock usage. Bug 2615
  [21/26] typoes
  [22/26] Fix DKIM signing to always ;-terminate. Bug 2295
  [23/26] Fix taint trap in parse_fix_phrase(). Bug 2617
  [24/26] Taint: fix ACL "spam" condition, to permit tainted name arguments
  [25/26] Fix debug_print_socket()
  [26/26] debug_print_socket(): output formatting

  Approved by: ports-secteam (joneum)

Added:
  branches/2020Q3/mail/exim/files/patch-z0002-Taint-fix-pam-expansion-condition.-Bug-2587
     - copied unchanged from r542419, head/mail/exim/files/patch-z0002-Taint-fix-pam-expansion-condition.-Bug-2587
  branches/2020Q3/mail/exim/files/patch-z0003-Taint-fix-listcount-expansion-operator.-Bug-2586
     - copied unchanged from r542419, head/mail/exim/files/patch-z0003-Taint-fix-listcount-expansion-operator.-Bug-2586
  branches/2020Q3/mail/exim/files/patch-z0004-Docs-fix-mistaken-variable-name
     - copied unchanged from r542419, head/mail/exim/files/patch-z0004-Docs-fix-mistaken-variable-name
  branches/2020Q3/mail/exim/files/patch-z0006-Docs-typoes
     - copied unchanged from r542419, head/mail/exim/files/patch-z0006-Docs-typoes
  branches/2020Q3/mail/exim/files/patch-z0007-Taint-fix-multiple-ACL-actions-to-properly-manage-tainted-
     - copied unchanged from r542419, head/mail/exim/files/patch-z0007-Taint-fix-multiple-ACL-actions-to-properly-manage-tainted-
  branches/2020Q3/mail/exim/files/patch-z0008-Fix-bi.-Bug-2590
     - copied unchanged from r542419, head/mail/exim/files/patch-z0008-Fix-bi.-Bug-2590
  branches/2020Q3/mail/exim/files/patch-z0009-Filters-fix-vacation-in-Exim-filter.-Bug-2593
     - copied unchanged from r542419, head/mail/exim/files/patch-z0009-Filters-fix-vacation-in-Exim-filter.-Bug-2593
  branches/2020Q3/mail/exim/files/patch-z0010-TLS-use-RFC-6125-rules-for-certifucate-name-checks-when-CN
     - copied unchanged from r542419, head/mail/exim/files/patch-z0010-TLS-use-RFC-6125-rules-for-certifucate-name-checks-when-CN
  branches/2020Q3/mail/exim/files/patch-z0011-Taint-fix-radius-expansion-condition
     - copied unchanged from r542419, head/mail/exim/files/patch-z0011-Taint-fix-radius-expansion-condition
  branches/2020Q3/mail/exim/files/patch-z0012-smtp_accept_map_per_host-call-search_tidyup-in-fail-path.-
     - copied unchanged from r542419, head/mail/exim/files/patch-z0012-smtp_accept_map_per_host-call-search_tidyup-in-fail-path.-
  branches/2020Q3/mail/exim/files/patch-z0013-Taint-fix-verify.-Bug-2598
     - copied unchanged from r542419, head/mail/exim/files/patch-z0013-Taint-fix-verify.-Bug-2598
  branches/2020Q3/mail/exim/files/patch-z0014-Fix-string_copy-macro-to-not-multiple-eval-args.-Bug-2603
     - copied unchanged from r542419, head/mail/exim/files/patch-z0014-Fix-string_copy-macro-to-not-multiple-eval-args.-Bug-2603
  branches/2020Q3/mail/exim/files/patch-z0015-Cutthrough-handle-request-when-a-callout-hold-is-active.-B
     - copied unchanged from r542419, head/mail/exim/files/patch-z0015-Cutthrough-handle-request-when-a-callout-hold-is-active.-B
  branches/2020Q3/mail/exim/files/patch-z0016-Lookups-Fix-subdir-filter-on-a-dsearch
     - copied unchanged from r542419, head/mail/exim/files/patch-z0016-Lookups-Fix-subdir-filter-on-a-dsearch
  branches/2020Q3/mail/exim/files/patch-z0018-Sqlite-fix-segfault-on-bad-missing-sqlite_dbfile.-Bug-2606
     - copied unchanged from r542419, head/mail/exim/files/patch-z0018-Sqlite-fix-segfault-on-bad-missing-sqlite_dbfile.-Bug-2606
  branches/2020Q3/mail/exim/files/patch-z0019-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume
     - copied unchanged from r542419, head/mail/exim/files/patch-z0019-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume
  branches/2020Q3/mail/exim/files/patch-z0020-Fix-message-reception-clock-usage.-Bug-2615
     - copied unchanged from r542419, head/mail/exim/files/patch-z0020-Fix-message-reception-clock-usage.-Bug-2615
  branches/2020Q3/mail/exim/files/patch-z0021-typoes
     - copied unchanged from r542419, head/mail/exim/files/patch-z0021-typoes
  branches/2020Q3/mail/exim/files/patch-z0022-Fix-DKIM-signing-to-always-terminate.-Bug-2295
     - copied unchanged from r542419,
head/mail/exim/files/patch-z0022-Fix-DKIM-signing-to-always-terminate.-Bug-2295 branches/2020Q3/mail/exim/files/patch-z0023-Fix-taint-trap-in-parse_fix_phrase-.-Bug-2617 - copied unchanged from r542419, head/mail/exim/files/patch-z0023-Fix-taint-trap-in-parse_fix_phrase-.-Bug-2617 branches/2020Q3/mail/exim/files/patch-z0024-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume - copied unchanged from r542419, head/mail/exim/files/patch-z0024-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume branches/2020Q3/mail/exim/files/patch-z0025-Fix-debug_print_socket - copied unchanged from r542419, head/mail/exim/files/patch-z0025-Fix-debug_print_socket branches/2020Q3/mail/exim/files/patch-z0026-debug_print_socket-output-formatting - copied unchanged from r542419, head/mail/exim/files/patch-z0026-debug_print_socket-output-formatting Modified: branches/2020Q3/mail/exim/Makefile Directory Properties: branches/2020Q3/ (props changed) Modified: branches/2020Q3/mail/exim/Makefile ============================================================================== --- branches/2020Q3/mail/exim/Makefile Sat Jul 18 09:36:03 2020 (r542485) +++ branches/2020Q3/mail/exim/Makefile Sat Jul 18 09:54:49 2020 (r542486) @@ -3,7 +3,7 @@ PORTNAME= exim PORTVERSION?= ${EXIM_VERSION} -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= mail MASTER_SITES= EXIM:exim MASTER_SITE_SUBDIR= /exim4/:exim \ Copied: branches/2020Q3/mail/exim/files/patch-z0002-Taint-fix-pam-expansion-condition.-Bug-2587 (from r542419, head/mail/exim/files/patch-z0002-Taint-fix-pam-expansion-condition.-Bug-2587) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0002-Taint-fix-pam-expansion-condition.-Bug-2587 Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0002-Taint-fix-pam-expansion-condition.-Bug-2587) 
@@ -0,0 +1,56 @@ +From 173bd1c8f9cf83ad8c0e61a9e32678e7e371d41d Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Tue, 2 Jun 2020 14:50:31 +0100 +Subject: [PATCH 02/26] Taint: fix pam expansion condition. Bug 2587 + +(cherry picked from commit f7f933a199be8bb7362c715e0040545b514cddca) +--- + doc/ChangeLog | 9 +++++++++ + src/auths/call_pam.c | 5 ++--- + +diff --git doc/ChangeLog doc/ChangeLog +index 585deb042..dbdc22117 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -3,6 +3,15 @@ affect Exim's operation, with an unchanged configuration file. For new + options, and new features, see the NewStuff file next to this ChangeLog. + + ++Since Exim version 4.94 ++----------------------- ++ ++JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used ++ as arguments, so an implementation trying to copy these into a local ++ buffer was taking a taint-enformance trap. Fix by using dynamically ++ created buffers. ++ ++ + Exim version 4.94 + ----------------- + +diff --git src/auths/call_pam.c src/auths/call_pam.c +index 2959cbbf3..80bb23ec3 100644 +--- src/auths/call_pam.c ++++ src/auths/call_pam.c +@@ -83,8 +83,7 @@ for (int i = 0; i < num_msg; i++) + { + case PAM_PROMPT_ECHO_ON: + case PAM_PROMPT_ECHO_OFF: +- arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size); +- if (!arg) ++ if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0))) + { + arg = US""; + pam_arg_ended = TRUE; +@@ -155,7 +154,7 @@ pam_arg_ended = FALSE; + fail. PAM doesn't support authentication with an empty user (it prompts for it, + causing a potential mis-interpretation). 
*/ + +-user = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size); ++user = string_nextinlist(&pam_args, &sep, NULL, 0); + if (user == NULL || user[0] == 0) return FAIL; + + /* Start off PAM interaction */ +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0003-Taint-fix-listcount-expansion-operator.-Bug-2586 (from r542419, head/mail/exim/files/patch-z0003-Taint-fix-listcount-expansion-operator.-Bug-2586) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0003-Taint-fix-listcount-expansion-operator.-Bug-2586 Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0003-Taint-fix-listcount-expansion-operator.-Bug-2586) 
@@ -0,0 +1,43 @@ +From 63652bbaf66c4bdb388b08fdf3eb8ab1e4d91475 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Tue, 2 Jun 2020 15:03:36 +0100 +Subject: [PATCH 03/26] Taint: fix listcount expansion operator. Bug 2586 + +(cherry picked from commit 44644c2e404a3ea0191db0b0458e86924fb240bb) +--- + doc/ChangeLog | 4 ++++ + src/expand.c | 3 +-- + +diff --git doc/ChangeLog doc/ChangeLog +index dbdc22117..94bcea29b 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -11,6 +11,10 @@ JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used + buffer was taking a taint-enformance trap. Fix by using dynamically + created buffers. + ++JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is ++ reasonable, eg. to count headers. Fix by using dynamically created ++ buffers rather than a local, ++ + + Exim version 4.94 + ----------------- +diff --git src/expand.c src/expand.c +index 26f7f10ac..6ed22c14d 100644 +--- src/expand.c ++++ src/expand.c +@@ -7208,9 +7208,8 @@ while (*s != 0) + { + int cnt = 0; + int sep = 0; +- uschar buffer[256]; + +- while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++; ++ while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++; + yield = string_fmt_append(yield, "%d", cnt); + continue; + } +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0004-Docs-fix-mistaken-variable-name (from r542419, head/mail/exim/files/patch-z0004-Docs-fix-mistaken-variable-name) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0004-Docs-fix-mistaken-variable-name Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0004-Docs-fix-mistaken-variable-name) 
@@ -0,0 +1,28 @@ +From aabe0ebe82297d7dec3abdfff9c3b1edc34fd8ab Mon Sep 17 00:00:00 2001 +From: Patrick Boutilier +Date: Tue, 2 Jun 2020 15:16:10 +0100 +Subject: [PATCH 04/26] Docs: fix mistaken variable name + +(cherry picked from commit eb55cb1d2c5552209e24345e9d21f83ec1eaccf6) +--- + README.UPDATING | 4 ++-- + +diff --git README.UPDATING README.UPDATING +index a0afa8df0..708027f2c 100644 +--- README.UPDATING ++++ README.UPDATING +@@ -31,9 +31,9 @@ Exim version 4.94 + + Some Transports now refuse to use tainted data in constructing their delivery + location; this WILL BREAK configurations which are not updated accordingly. +-In particular: any Transport use of $local_user which has been relying upon ++In particular: any Transport use of $local_part which has been relying upon + check_local_user far away in the Router to make it safe, should be updated to +-replace $local_user with $local_part_data. ++replace $local_part with $local_part_data. + + Attempting to remove, in router or transport, a header name that ends with + an asterisk (which is a standards-legal name) will now result in all headers +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0006-Docs-typoes (from r542419, head/mail/exim/files/patch-z0006-Docs-typoes) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0006-Docs-typoes Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0006-Docs-typoes) 
@@ -0,0 +1,25 @@ +From de498d230862bcc49acbc6d5e76c71b1e15596c3 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Tue, 2 Jun 2020 16:34:42 +0100 +Subject: [PATCH 06/26] Docs: typoes + +Cherry-picked from: 1195f8f2a4 +--- + doc/ChangeLog | 2 +- + +diff --git doc/ChangeLog doc/ChangeLog +index 94bcea29b..f858c9121 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -8,7 +8,7 @@ Since Exim version 4.94 + + JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used + as arguments, so an implementation trying to copy these into a local +- buffer was taking a taint-enformance trap. Fix by using dynamically ++ buffer was taking a taint-enforcement trap. Fix by using dynamically + created buffers. + + JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0007-Taint-fix-multiple-ACL-actions-to-properly-manage-tainted- (from r542419, head/mail/exim/files/patch-z0007-Taint-fix-multiple-ACL-actions-to-properly-manage-tainted-) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0007-Taint-fix-multiple-ACL-actions-to-properly-manage-tainted- Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0007-Taint-fix-multiple-ACL-actions-to-properly-manage-tainted-) 
@@ -0,0 +1,79 @@ +From 623f07cfdcaca96274ca765d0fcf0761bdf7151b Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Wed, 3 Jun 2020 11:40:17 +0100 +Subject: [PATCH 07/26] Taint: fix multiple ACL actions to properly manage + tainted argument data + +(cherry picked from commit 12b7f811de4a540d0724585aecfa33b5881e2a30) +--- + doc/ChangeLog | 4 +++- + src/acl.c | 12 ++++++------ + +diff --git doc/ChangeLog doc/ChangeLog +index f858c9121..015959cb6 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -13,7 +13,9 @@ JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used + + JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is + reasonable, eg. to count headers. Fix by using dynamically created +- buffers rather than a local, ++ buffers rather than a local. Do similar fixes for ACL actions "dcc", ++ "log_reject_target", "malware" and "spam"; the arguments are expanded ++ so could be handling tainted values. + + + Exim version 4.94 +diff --git src/acl.c src/acl.c +index c1d60bbd9..8619cd5ef 100644 +--- src/acl.c ++++ src/acl.c +@@ -3349,11 +3349,11 @@ for (; cb; cb = cb->next) + { + /* Separate the regular expression and any optional parameters. */ + const uschar * list = arg; +- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size); ++ uschar *ss = string_nextinlist(&list, &sep, NULL, 0); + /* Run the dcc backend. */ + rc = dcc_process(&ss); + /* Modify return code based upon the existence of options. 
*/ +- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) ++ while ((ss = string_nextinlist(&list, &sep, NULL, 0))) + if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER) + rc = FAIL; /* FAIL so that the message is passed to the next ACL */ + } +@@ -3514,7 +3514,7 @@ for (; cb; cb = cb->next) + int sep = 0; + const uschar *s = arg; + uschar * ss; +- while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))) ++ while ((ss = string_nextinlist(&s, &sep, NULL, 0))) + { + if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN; + else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC; +@@ -3567,7 +3567,7 @@ for (; cb; cb = cb->next) + { + /* Separate the regular expression and any optional parameters. */ + const uschar * list = arg; +- uschar * ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size); ++ uschar * ss = string_nextinlist(&list, &sep, NULL, 0); + uschar * opt; + BOOL defer_ok = FALSE; + int timeout = 0; +@@ -3672,11 +3672,11 @@ for (; cb; cb = cb->next) + { + /* Separate the regular expression and any optional parameters. */ + const uschar * list = arg; +- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size); ++ uschar *ss = string_nextinlist(&list, &sep, NULL, 0); + + rc = spam(CUSS &ss); + /* Modify return code based upon the existence of options. */ +- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) ++ while ((ss = string_nextinlist(&list, &sep, NULL, 0))) + if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER) + rc = FAIL; /* FAIL so that the message is passed to the next ACL */ + } +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0008-Fix-bi.-Bug-2590 (from r542419, head/mail/exim/files/patch-z0008-Fix-bi.-Bug-2590) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0008-Fix-bi.-Bug-2590 Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0008-Fix-bi.-Bug-2590) @@ -0,0 +1,44 @@ +From 0e8319c3edebfec2158fbaa4898af27cb3225c99 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Thu, 4 Jun 2020 15:28:15 +0100 +Subject: [PATCH 08/26] Fix -bi. Bug 2590 + + Actual fix from pierre.labastie@neuf.fr ; additional coding and testcase bu jgh + Broken-by: bdcc6f2bd5 + + (Cherry-picked from: 0e0e171628) +--- + doc/ChangeLog | 4 ++++ + src/exim.c | 2 +- + +diff --git doc/ChangeLog doc/ChangeLog +index 015959cb6..621d5b1b5 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -17,6 +17,10 @@ JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is + "log_reject_target", "malware" and "spam"; the arguments are expanded + so could be handling tainted values. + ++JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had ++ broken the (no-op) support for this sendmail command. Restore it ++ to doing nothing, silently, and returning good status. ++ + + Exim version 4.94 + ----------------- +diff --git src/exim.c src/exim.c +index a60488e95..6143fe989 100644 +--- src/exim.c ++++ src/exim.c +@@ -2148,7 +2148,7 @@ on the second character (the one after '-'), to save some effort. */ + concept of *the* alias file, but since Sun's YP make script calls + sendmail this way, some support must be provided. */ + case 'i': +- if (!*++argrest) bi_option = TRUE; ++ if (!*argrest) bi_option = TRUE; + else badarg = TRUE; + break; + +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0009-Filters-fix-vacation-in-Exim-filter.-Bug-2593 (from r542419, head/mail/exim/files/patch-z0009-Filters-fix-vacation-in-Exim-filter.-Bug-2593) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0009-Filters-fix-vacation-in-Exim-filter.-Bug-2593 Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0009-Filters-fix-vacation-in-Exim-filter.-Bug-2593) 
@@ -0,0 +1,48 @@ +From 701af1005a6effaac5ce249f1c2086dc6c0c2a7f Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 8 Jun 2020 13:00:55 +0100 +Subject: [PATCH 09/26] Filters: fix "vacation" in Exim filter. Bug 2593 + +Broken-by: cfb9cf20cb (4.90) +(cherry picked from commit 59eee1bc902f106d20f507ba16f37cb8ab5a5e8d) +--- + doc/ChangeLog | 5 ++ + src/transports/autoreply.c | 6 +-- + +diff --git doc/ChangeLog doc/ChangeLog +index 621d5b1b5..b9c1ec29e 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -21,6 +21,11 @@ JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had + broken the (no-op) support for this sendmail command. Restore it + to doing nothing, silently, and returning good status. + ++JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once" ++ record path was given (or the default used) without a leading directory ++ path, an error occurred on trying to open it. Use the transport's working ++ directory. ++ + + Exim version 4.94 + ----------------- +diff --git src/transports/autoreply.c src/transports/autoreply.c +index 4c2c08b70..865abbf4f 100644 +--- src/transports/autoreply.c ++++ src/transports/autoreply.c +@@ -474,10 +474,10 @@ if (oncelog && *oncelog && to) + else + { + EXIM_DATUM key_datum, result_datum; +- uschar * dirname = string_copy(oncelog); +- uschar * s; ++ uschar * dirname, * s; + +- if ((s = Ustrrchr(dirname, '/'))) *s = '\0'; ++ dirname = (s = Ustrrchr(oncelog, '/')) ++ ? string_copyn(oncelog, s - oncelog) : NULL; + EXIM_DBOPEN(oncelog, dirname, O_RDWR|O_CREAT, ob->mode, &dbm_file); + if (!dbm_file) + { +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0010-TLS-use-RFC-6125-rules-for-certifucate-name-checks-when-CN (from r542419, head/mail/exim/files/patch-z0010-TLS-use-RFC-6125-rules-for-certifucate-name-checks-when-CN) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0010-TLS-use-RFC-6125-rules-for-certifucate-name-checks-when-CN Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0010-TLS-use-RFC-6125-rules-for-certifucate-name-checks-when-CN) 
@@ -0,0 +1,180 @@ +From 3fe5ec41e81831028c992f77a15292872fbbac75 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Thu, 11 Jun 2020 20:45:05 +0100 +Subject: [PATCH 10/26] TLS: use RFC 6125 rules for certifucate name + checks when CNAMES are present. Bug 2594 + + (cherry picked from commit 0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6) +--- + doc/ChangeLog | 7 ++- + src/host.c | 17 +++++++ + src/structs.h | 19 ++++---- + src/tls-gnu.c | 4 +- + src/tls-openssl.c | 20 ++++----- + +diff --git doc/ChangeLog doc/ChangeLog +index b9c1ec29e..612005803 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -26,6 +26,11 @@ JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once" + path, an error occurred on trying to open it. Use the transport's working + directory. + ++JH/06 Bug 2594: Change the name used for certificate name checks in the smtp ++ transport. Previously it was the name on the DNS A-record; use instead ++ the head of the CNAME chain leading there (if there is one). This seems ++ to align better with RFC 6125. ++ + + Exim version 4.94 + ----------------- +@@ -331,7 +336,7 @@ JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in + + JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. + A single TCP connection by a client will now hold a TLS connection open +- for multiple message deliveries, by default. Previoud the default was to ++ for multiple message deliveries, by default. Previously the default was to + not do so. + + JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by +diff --git src/host.c src/host.c +index 0e0e0130b..817d4446c 100644 +--- src/host.c ++++ src/host.c +@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE; + int af; + #endif + ++#ifndef DISABLE_TLS ++/* Copy the host name at this point to the value which is used for ++TLS certificate name checking, before anything modifies it. 
*/ ++ ++host->certname = host->name; ++#endif ++ + /* Make sure DNS options are set as required. This appears to be necessary in + some circumstances when the get..byname() function actually calls the DNS. */ + +@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times; + { + host_item *next = store_get(sizeof(host_item), FALSE); + next->name = host->name; ++#ifndef DISABLE_TLS ++ next->certname = host->certname; ++#endif + next->mx = host->mx; + next->address = text_address; + next->port = PORT_NONE; +@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE; + BOOL dnssec_fail = FALSE; + int i; + ++#ifndef DISABLE_TLS ++/* Copy the host name at this point to the value which is used for ++TLS certificate name checking, before any CNAME-following modifies it. */ ++ ++host->certname = host->name; ++#endif ++ + /* If allow_ip is set, a name which is an IP address returns that value + as its address. This is used for MX records when allow_mx_to_ip is set, for + those sites that feel they have to flaunt the RFC rules. 
*/ +diff --git src/structs.h src/structs.h +index c6700d513..206237f04 100644 +--- src/structs.h ++++ src/structs.h +@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t; + + typedef struct host_item { + struct host_item *next; +- const uschar *name; /* Host name */ +- const uschar *address; /* IP address in text form */ +- int port; /* port value in host order (if SRV lookup) */ +- int mx; /* MX value if found via MX records */ +- int sort_key; /* MX*1000 plus random "fraction" */ +- int status; /* Usable, unusable, or unknown */ +- int why; /* Why host is unusable */ +- int last_try; /* Time of last try if known */ ++ const uschar *name; /* Host name */ ++#ifndef DISABLE_TLS ++ const uschar *certname; /* Name used for certificate checks */ ++#endif ++ const uschar *address; /* IP address in text form */ ++ int port; /* port value in host order (if SRV lookup) */ ++ int mx; /* MX value if found via MX records */ ++ int sort_key; /* MX*1000 plus random "fraction" */ ++ int status; /* Usable, unusable, or unknown */ ++ int why; /* Why host is unusable */ ++ int last_try; /* Time of last try if known */ + dnssec_status_t dnssec; + } host_item; + +diff --git src/tls-gnu.c src/tls-gnu.c +index 24114f05e..875c82efa 100644 +--- src/tls-gnu.c ++++ src/tls-gnu.c +@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) + { + state->exp_tls_verify_cert_hostnames = + #ifdef SUPPORT_I18N +- string_domain_utf8_to_alabel(host->name, NULL); ++ string_domain_utf8_to_alabel(host->certname, NULL); + #else +- host->name; ++ host->certname; + #endif + DEBUG(D_tls) + debug_printf("TLS: server cert verification includes hostname: \"%s\".\n", +diff --git src/tls-openssl.c src/tls-openssl.c +index 8c9d8aa69..a62322928 100644 +--- src/tls-openssl.c ++++ src/tls-openssl.c +@@ -372,10 +372,10 @@ typedef struct ocsp_resp { + } ocsp_resplist; + + typedef struct tls_ext_ctx_cb { +- tls_support * tlsp; +- uschar *certificate; +- 
uschar *privatekey; +- BOOL is_server; ++ tls_support * tlsp; ++ uschar * certificate; ++ uschar * privatekey; ++ BOOL is_server; + #ifndef DISABLE_OCSP + STACK_OF(X509) *verify_stack; /* chain for verifying the proof */ + union { +@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb { + } client; + } u_ocsp; + #endif +- uschar *dhparam; ++ uschar * dhparam; + /* these are cached from first expand */ +- uschar *server_cipher_list; ++ uschar * server_cipher_list; + /* only passed down to tls_error: */ +- host_item *host; ++ host_item * host; + const uschar * verify_cert_hostnames; + #ifndef DISABLE_EVENT +- uschar * event_action; ++ uschar * event_action; + #endif + } tls_ext_ctx_cb; + +@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) + { + cbinfo->verify_cert_hostnames = + #ifdef SUPPORT_I18N +- string_domain_utf8_to_alabel(host->name, NULL); ++ string_domain_utf8_to_alabel(host->certname, NULL); + #else +- host->name; ++ host->certname; + #endif + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + cbinfo->verify_cert_hostnames); +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0011-Taint-fix-radius-expansion-condition (from r542419, head/mail/exim/files/patch-z0011-Taint-fix-radius-expansion-condition) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0011-Taint-fix-radius-expansion-condition Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0011-Taint-fix-radius-expansion-condition) 
@@ -0,0 +1,40 @@ +From 94d719d803caf2c0c902dceeb787795eac11a63b Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Fri, 12 Jun 2020 00:46:34 +0100 +Subject: [PATCH 11/26] Taint: fix radius expansion condition + +(cherry picked from commit f91219c114a3d95792d052555664a5a7a3984a8d) +--- + doc/ChangeLog | 2 +- + src/auths/call_radius.c | 3 +-- + +diff --git doc/ChangeLog doc/ChangeLog +index 612005803..41d8c6276 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -9,7 +9,7 @@ Since Exim version 4.94 + JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used + as arguments, so an implementation trying to copy these into a local + buffer was taking a taint-enforcement trap. Fix by using dynamically +- created buffers. ++ created buffers. Similar fix for radius expansion condition. + + JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is + reasonable, eg. to count headers. Fix by using dynamically created +diff --git src/auths/call_radius.c src/auths/call_radius.c +index cc269dcd5..9d10b34c6 100644 +--- src/auths/call_radius.c ++++ src/auths/call_radius.c +@@ -96,8 +96,7 @@ int sep = 0; + #endif + + +-user = string_nextinlist(&radius_args, &sep, big_buffer, big_buffer_size); +-if (!user) user = US""; ++if (!(user = string_nextinlist(&radius_args, &sep, NULL, 0))) user = US""; + + DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" " + "and \"%s\"\n", user, radius_args); +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0012-smtp_accept_map_per_host-call-search_tidyup-in-fail-path.- (from r542419, head/mail/exim/files/patch-z0012-smtp_accept_map_per_host-call-search_tidyup-in-fail-path.-) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0012-smtp_accept_map_per_host-call-search_tidyup-in-fail-path.- Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0012-smtp_accept_map_per_host-call-search_tidyup-in-fail-path.-) @@ -0,0 +1,42 @@ +From c165e95889471bc1a644104dd9a6129c47c56c09 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Fri, 12 Jun 2020 20:43:43 +0100 +Subject: [PATCH 12/26] smtp_accept_map_per_host: call search_tidyup in fail + path. Bug 2597 + +(cherry-picked from: d3a538c8fe) +--- + doc/ChangeLog | 5 +++++ + src/daemon.c | 1 + + +diff --git doc/ChangeLog doc/ChangeLog +index 41d8c6276..92298e7fc 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -31,6 +31,11 @@ JH/06 Bug 2594: Change the name used for certificate name checks in the smtp + the head of the CNAME chain leading there (if there is one). This seems + to align better with RFC 6125. + ++JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for ++ smtp_accept_max_per_host allocated resources which were not released ++ when the limit was exceeded. This eventually crashed the daemon. Fix ++ by adding a relase action in that path. ++ + + Exim version 4.94 + ----------------- +diff --git src/daemon.c src/daemon.c +index 2bed143a1..9d491593f 100644 +--- src/daemon.c ++++ src/daemon.c +@@ -336,6 +336,7 @@ if ((max_for_this_host > 0) && + log_write(L_connection_reject, + LOG_MAIN, "Connection from %s refused: too many connections " + "from that IP address", whofrom->s); ++ search_tidyup(); + goto ERROR_RETURN; + } + } +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0013-Taint-fix-verify.-Bug-2598 (from r542419, head/mail/exim/files/patch-z0013-Taint-fix-verify.-Bug-2598) ============================================================================== 
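Review bot: in the src/daemon.c hunk, search_tidyup() is added only on the "too many connections from that IP address" branch, so any other `goto ERROR_RETURN` reached after the lookup would still skip the release. Consider calling it at the ERROR_RETURN label instead, or state why this is the only path that holds lookup resources. The subject line says smtp_accept_map_per_host where the ChangeLog entry says smtp_accept_max_per_host, and the entry has "relase" for "release".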
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0013-Taint-fix-verify.-Bug-2598 Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0013-Taint-fix-verify.-Bug-2598) 
@@ -0,0 +1,50 @@ +From ecf1e77accda6355ebb745a0a03e97ba7eb298b2 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sun, 14 Jun 2020 22:14:11 +0100 +Subject: [PATCH 13/26] Taint: fix verify. Bug 2598 + +(cherry-picked from 2b60ac1021 and 9eed571fd7) +--- + doc/ChangeLog | 4 +++ + src/acl.c | 4 +-- + +diff --git doc/ChangeLog doc/ChangeLog +index 92298e7fc..859e87b00 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -36,6 +36,10 @@ JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for + when the limit was exceeded. This eventually crashed the daemon. Fix + by adding a relase action in that path. + ++JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are ++ expanded; previously using tainted values was rejected. Fix by using ++ dynamically-created buffers. ++ + + Exim version 4.94 + ----------------- +diff --git src/acl.c src/acl.c +index 8619cd5ef..11d1fd028 100644 +--- src/acl.c ++++ src/acl.c +@@ -1767,7 +1767,7 @@ switch(vp->value) + /* Remaining items are optional; they apply to sender and recipient + verification, including "header sender" verification. 
*/ + +-while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) ++while ((ss = string_nextinlist(&list, &sep, NULL, 0))) + { + if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE; + else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE; +@@ -1804,7 +1804,7 @@ while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) + uschar * opt; + + while (isspace(*sublist)) sublist++; +- while ((opt = string_nextinlist(&sublist, &optsep, buffer, sizeof(buffer)))) ++ while ((opt = string_nextinlist(&sublist, &optsep, NULL, 0))) + { + callout_opt_t * op; + double period = 1.0F; +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0014-Fix-string_copy-macro-to-not-multiple-eval-args.-Bug-2603 (from r542419, head/mail/exim/files/patch-z0014-Fix-string_copy-macro-to-not-multiple-eval-args.-Bug-2603) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0014-Fix-string_copy-macro-to-not-multiple-eval-args.-Bug-2603 Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0014-Fix-string_copy-macro-to-not-multiple-eval-args.-Bug-2603) 
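Review bot: in the second src/acl.c hunk (@@ -1804), the inner loop no longer writes into the local `buffer`, so check whether its declaration is now unused and can be removed. Both loops now receive a freshly allocated element from string_nextinlist() on every iteration; a short comment at the `NULL, 0` call sites saying that this is what lets tainted option values through would help the next reader.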
@@ -0,0 +1,48 @@ +From 5c608b75d5bd734ddca41e4468fb22544ef96265 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sat, 20 Jun 2020 00:54:05 +0100 +Subject: [PATCH 14/26] Fix string_copy() macro to not multiple-eval args. Bug + 2603 + +Broken-by: a76d120aed +(cherry picked from commit 80c2ec2e47c556daff00c79ee068ce68f25fd264) +--- + doc/ChangeLog | 6 ++++++ + src/functions.h | 4 ++-- + +diff --git doc/ChangeLog doc/ChangeLog +index 859e87b00..1173b3651 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -40,6 +40,12 @@ JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are + expanded; previously using tainted values was rejected. Fix by using + dynamically-created buffers. + ++JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once. ++ Previously a macro used one argument twice; when called with the ++ argument as an expression having side-effects, incorrect operation ++ resulted. Use an inlineable function. ++ ++ + + Exim version 4.94 + ----------------- +diff --git src/functions.h src/functions.h +index 0028deb0d..0050cdeeb 100644 +--- src/functions.h ++++ src/functions.h +@@ -767,9 +767,9 @@ string_copy_trc(const uschar * s, const char * func, int line) + /* Simple string-copy functions maintaining the taint */ + + #define string_copyn(s, len) \ +- string_copyn_taint_trc((s), (len), is_tainted(s), __FUNCTION__, __LINE__) ++ string_copyn_trc((s), (len), __FUNCTION__, __LINE__) + #define string_copy(s) \ +- string_copy_taint_trc((s), is_tainted(s), __FUNCTION__, __LINE__) ++ string_copy_trc((s), __FUNCTION__, __LINE__) + + + /************************************************* +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0015-Cutthrough-handle-request-when-a-callout-hold-is-active.-B (from r542419, head/mail/exim/files/patch-z0015-Cutthrough-handle-request-when-a-callout-hold-is-active.-B) ============================================================================== 
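Review bot: in the src/functions.h hunk, the comment "Simple string-copy functions maintaining the taint" is left above macros that no longer mention taint at all. Say there that string_copy_trc() and string_copyn_trc() must now work out the taint from `s` themselves, since that is what allows `s` to be evaluated only once. A regression test that calls string_copy() with an argument having a side effect would pin down Bug 2603.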
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0015-Cutthrough-handle-request-when-a-callout-hold-is-active.-B Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0015-Cutthrough-handle-request-when-a-callout-hold-is-active.-B) 
@@ -0,0 +1,118 @@ +From cdee8a5f76cc013de5622112cd04e42d0dcf333b Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 22 Jun 2020 17:27:18 +0100 +Subject: [PATCH 15/26] Cutthrough: handle request when a callout-hold is + active. Bug 2604 + +(cherry picked from commit 99bfcf2b678e7bd8125a7eb44409e46549bfc111) +--- + doc/ChangeLog | 4 +++ + src/acl.c | 50 +++++++++++++++++-------------- + src/verify.c | 4 +-- + +diff --git doc/ChangeLog doc/ChangeLog +index 1173b3651..de11b4f09 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -45,6 +45,10 @@ JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once. + argument as an expression having side-effects, incorrect operation + resulted. Use an inlineable function. + ++JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already ++ held open for a verify callout. Previously this wan not accounted for ++ and a corrupt onward SMTP conversation resulted. ++ + + + Exim version 4.94 +diff --git src/acl.c src/acl.c +index 11d1fd028..62cb68561 100644 +--- src/acl.c ++++ src/acl.c +@@ -3264,37 +3264,41 @@ for (; cb; cb = cb->next) + the case where both sides handle prdr and this-node prdr acl + is "accept" */ + ignored = US"PRDR active"; ++ else if (f.deliver_freeze) ++ ignored = US"frozen"; ++ else if (f.queue_only_policy) ++ ignored = US"queue-only"; ++ else if (fake_response == FAIL) ++ ignored = US"fakereject"; ++ else if (rcpt_count != 1) ++ ignored = US"nonfirst rcpt"; ++ else if (cutthrough.delivery) ++ ignored = US"repeated"; ++ else if (cutthrough.callout_hold_only) ++ { ++ DEBUG(D_acl) ++ debug_printf_indent(" cutthrough request upgrades callout hold\n"); ++ cutthrough.callout_hold_only = FALSE; ++ cutthrough.delivery = TRUE; /* control accepted */ ++ } + else + { +- if (f.deliver_freeze) +- ignored = US"frozen"; +- else if (f.queue_only_policy) +- ignored = US"queue-only"; +- else if (fake_response == FAIL) +- ignored = US"fakereject"; +- else ++ cutthrough.delivery = TRUE; /* 
control accepted */ ++ while (*p == '/') + { +- if (rcpt_count == 1) ++ const uschar * pp = p+1; ++ if (Ustrncmp(pp, "defer=", 6) == 0) + { +- cutthrough.delivery = TRUE; /* control accepted */ +- while (*p == '/') +- { +- const uschar * pp = p+1; +- if (Ustrncmp(pp, "defer=", 6) == 0) +- { +- pp += 6; +- if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE; +- /* else if (Ustrncmp(pp, "spool") == 0) ; default */ +- } +- else +- while (*pp && *pp != '/') pp++; +- p = pp; +- } ++ pp += 6; ++ if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE; ++ /* else if (Ustrncmp(pp, "spool") == 0) ; default */ + } + else +- ignored = US"nonfirst rcpt"; ++ while (*pp && *pp != '/') pp++; ++ p = pp; + } + } ++ + DEBUG(D_acl) if (ignored) + debug_printf(" cutthrough request ignored on %s item\n", ignored); + } +diff --git src/verify.c src/verify.c +index fba1f6e9e..5f4181de9 100644 +--- src/verify.c ++++ src/verify.c +@@ -875,12 +875,12 @@ tls_retry_connection: + case PENDING_OK: done = TRUE; + new_address_record.result = ccache_accept; + break; +- case FAIL: done = TRUE; ++ case FAIL: done = TRUE; + yield = FAIL; + *failure_ptr = US"recipient"; + new_address_record.result = ccache_reject; + break; +- default: break; ++ default: break; + } + break; + +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0016-Lookups-Fix-subdir-filter-on-a-dsearch (from r542419, head/mail/exim/files/patch-z0016-Lookups-Fix-subdir-filter-on-a-dsearch) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0016-Lookups-Fix-subdir-filter-on-a-dsearch Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0016-Lookups-Fix-subdir-filter-on-a-dsearch) 
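Review bot: in the src/acl.c hunk (@@ -3264), the new `cutthrough.callout_hold_only` branch sets `cutthrough.delivery = TRUE` but skips the `while (*p == '/')` option loop that only the final else branch runs, so a `/defer=pass` on the control is never parsed and `cutthrough.defer_pass` stays unset when a callout hold is upgraded. If that is intended, a comment should say so; otherwise move the option parsing so both accepting branches share it. The ChangeLog entry has "wan not" for "was not".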
@@ -0,0 +1,53 @@ +From 777ee8ae75277c05fb72cc94f568ba4d2bfe15a6 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Thu, 25 Jun 2020 11:16:54 +0100 +Subject: [PATCH 16/26] Lookups: Fix "subdir" filter on a dsearch. + +(cherry picked from commit e0e21929b7426b9b5bbf5e3747797043801b1151) +--- + doc/ChangeLog | 2 ++ + src/lookups/dsearch.c | 7 +++---- + +diff --git doc/ChangeLog doc/ChangeLog +index de11b4f09..bae9abb85 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -49,6 +49,8 @@ JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already + held open for a verify callout. Previously this wan not accounted for + and a corrupt onward SMTP conversation resulted. + ++JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was ++ excluded, not matching the documentation. + + + Exim version 4.94 +diff --git src/lookups/dsearch.c src/lookups/dsearch.c +index 455273fb1..501293ac0 100644 +--- src/lookups/dsearch.c ++++ src/lookups/dsearch.c +@@ -125,8 +125,7 @@ if ( Ulstat(filename, &statbuf) >= 0 + && S_ISDIR(statbuf.st_mode) + && ( flags & FILTER_DIR + || keystring[0] != '.' +- || keystring[1] != '.' +- || keystring[1] && keystring[2] ++ || keystring[1] && keystring[1] != '.' + ) ) ) ) + { + /* Since the filename exists in the filesystem, we can return a +@@ -135,10 +134,10 @@ if ( Ulstat(filename, &statbuf) >= 0 + return OK; + } + +-if (errno == ENOENT) return FAIL; ++if (errno == ENOENT || errno == 0) return FAIL; + + save_errno = errno; +-*errmsg = string_sprintf("%s: lstat failed", filename); ++*errmsg = string_sprintf("%s: lstat: %s", filename, strerror(errno)); + errno = save_errno; + return DEFER; + } +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0018-Sqlite-fix-segfault-on-bad-missing-sqlite_dbfile.-Bug-2606 (from r542419, head/mail/exim/files/patch-z0018-Sqlite-fix-segfault-on-bad-missing-sqlite_dbfile.-Bug-2606) ============================================================================== 
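Review bot: in the first src/lookups/dsearch.c hunk (@@ -125), the new test `keystring[1] && keystring[1] != '.'` rejects every key whose first two characters are "..", not only the entry ".." itself, so a directory with a name such as "..cache" would no longer pass the subdir filter. The removed lines let such names through via `keystring[1] && keystring[2]`. Suggest comparing explicitly against the two strings "." and ".." and parenthesising the mixed `&&` and `||`.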
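Review bot: in the second src/lookups/dsearch.c hunk (@@ -135), `errno == 0` is used to recognise the case where lstat succeeded and the filter rejected the entry, but a successful lstat() does not clear errno. Unless errno is zeroed before the Ulstat() call (not visible in this hunk), a stale value from an earlier call falls through to DEFER with a misleading "lstat:" message. Set `errno = 0` before the call, or record the filter rejection in a flag rather than inferring it from errno.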
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0018-Sqlite-fix-segfault-on-bad-missing-sqlite_dbfile.-Bug-2606 Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0018-Sqlite-fix-segfault-on-bad-missing-sqlite_dbfile.-Bug-2606) 
@@ -0,0 +1,59 @@ +From 2be77199fc9009ab796ad2d67eed20d8da4773c7 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sun, 28 Jun 2020 15:24:21 +0100 +Subject: [PATCH 18/26] Sqlite: fix segfault on bad/missing sqlite_dbfile. + Bug 2606 + +(cherry picked from commit 3d0472791a0928963a3f8184fe28479e80d1a47d) +--- + doc/ChangeLog | 3 +++ + src/lookups/sqlite.c | 13 ++++++++++--- + +diff --git doc/ChangeLog doc/ChangeLog +index bae9abb85..8a13bda87 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -52,6 +52,9 @@ JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already + JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was + excluded, not matching the documentation. + ++JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename ++ was given for the sqlite_dbfile a trap resulted. ++ + + Exim version 4.94 + ----------------- +diff --git src/lookups/sqlite.c src/lookups/sqlite.c +index dc4439153..1638ea401 100644 +--- src/lookups/sqlite.c ++++ src/lookups/sqlite.c +@@ -24,16 +24,23 @@ sqlite_open(const uschar * filename, uschar ** errmsg) + sqlite3 *db = NULL; + int ret; + +-if (!filename || !*filename) filename = sqlite_dbfile; +-if (*filename != '/') ++if (!filename || !*filename) ++ { ++ DEBUG(D_lookup) debug_printf_indent("Using sqlite_dbfile: %s\n", sqlite_dbfile); ++ filename = sqlite_dbfile; ++ } ++if (!filename || *filename != '/') + *errmsg = US"absolute file name expected for \"sqlite\" lookup"; + else if ((ret = sqlite3_open(CCS filename, &db)) != 0) + { + *errmsg = (void *)sqlite3_errmsg(db); ++ sqlite3_close(db); ++ db = NULL; + DEBUG(D_lookup) debug_printf_indent("Error opening database: %s\n", *errmsg); + } + +-sqlite3_busy_timeout(db, 1000 * sqlite_lock_timeout); ++if (db) ++ sqlite3_busy_timeout(db, 1000 * sqlite_lock_timeout); + return db; + } + +-- +2.24.3 (Apple Git-128) + Copied: branches/2020Q3/mail/exim/files/patch-z0019-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume (from 
r542419, head/mail/exim/files/patch-z0019-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/mail/exim/files/patch-z0019-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume Sat Jul 18 09:54:49 2020 (r542486, copy of r542419, head/mail/exim/files/patch-z0019-Taint-fix-ACL-spam-condition-to-permit-tainted-name-argume) @@ -0,0 +1,52 @@ +From 5f3e2ac9f39db5c8ef5a408929c8a5aba957b20f Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 29 Jun 2020 17:26:36 +0100 +Subject: [PATCH 19/26] Taint: fix ACL "spam" condition, to permit tainted + name arguments. + +Cherry-picked from: 62b2ccce05 +--- + doc/ChangeLog | 4 ++++ + src/spam.c | 5 +---- + +diff --git doc/ChangeLog doc/ChangeLog +index 8a13bda87..6a867c716 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -55,6 +55,10 @@ JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was + JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename + was given for the sqlite_dbfile a trap resulted. + ++JH/15 Fix "spam" ACL condition. Previously, tainted values for the "name" ++ argument resulted in a trap. There is no reason to disallow such; this ++ was a coding error. ++ + + Exim version 4.94 + ----------------- +diff --git src/spam.c src/spam.c +index 5eff1ad5c..63ced4f65 100644 *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
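Review bot: in the src/lookups/sqlite.c hunk of patch 18/26, `*errmsg` is assigned from sqlite3_errmsg(db) and sqlite3_close(db) is then called before the debug line and the caller read it. That string is managed by the SQLite connection and may not survive the close, so copy it first (string_copy() would do) and close the handle afterwards. The new `if (db)` guard around sqlite3_busy_timeout() is right and needs no change.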