MFH: r556289

mail/exim: import exim-4.94+fixes branch as state of 2020.11.25

Used git diffs:

[38/42] GnuTLS: clear errno before any data i/o op, so error logging does not see stale values
[39/42] Fix non-TLS build
[40/42] eximon: fix FreeBSD build
[41/42] LDAP: fix taint-check in server list walk. Bug 2646
[42/42] Pass authenticator pubname through spool. Bug 2648

Also patch files/150.exim-tidydb to prevent its output when daily_show_success=NO. [1]

Submitted by:	Dmitry Selivanov <sd@rlan.ru> via email [1]

Approved by:	ports-secteam (with hat on)
Dima Panov 2020-11-25 12:39:08 +00:00
parent 1eccc841ac
commit a2162f9837
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/branches/2020Q4/; revision=556290
7 changed files with 314 additions and 2 deletions


@ -3,7 +3,7 @@
PORTNAME= exim
PORTVERSION?= ${EXIM_VERSION}
PORTREVISION?= 2
PORTREVISION?= 3
CATEGORIES= mail
MASTER_SITES= EXIM:exim
MASTER_SITE_SUBDIR= /exim4/:exim \


@ -38,7 +38,12 @@ case "$exim_tidydb_enable" in
echo ""
echo "Tidying Exim hints databases:"
eval tidy "$exim_tidydb_filter"
rc=1;;
if [ $? = 0 ]; then
rc=0
else
rc=1
fi
;;
*) rc=0;;
esac
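Review bot: The `$?` test after `eval tidy "$exim_tidydb_filter"` sees the exit status of whatever command ends the evaluated string, not necessarily that of `tidy`. If the filter is a pipeline (its name suggests it may be, but its default is not visible here), a failing `tidy` followed by a successful filter yields `rc=0`, and the output is then suppressed when `daily_show_success=NO`. Either capture the status inside `tidy` or state the assumption next to the test, e.g. `# $? is the status of the last command in the filter, not necessarily of tidy`. The enclosing `case` starts outside the hunk.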


@ -0,0 +1,41 @@
From 49d173f4e4c05bbc9e6f256f8914979dad85e9d3 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 6 Sep 2020 12:15:10 +0100
Subject: [PATCH 38/42] GnuTLS: clear errno before any data i/o op, so error
logging does not see stale values
(cherry picked from commit d52a8ce8499fbb88f4670623df9f52d3e790292b)
---
src/tls-gnu.c | 3 +++
diff --git src/tls-gnu.c src/tls-gnu.c
index dafe1be0c..6ee603595 100644
--- src/tls-gnu.c
+++ src/tls-gnu.c
@@ -3162,6 +3162,7 @@ DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buf
sigalrm_seen = FALSE;
if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+errno = 0;
do
inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
MIN(ssl_xfer_buffer_size, lim));
@@ -3322,6 +3323,7 @@ DEBUG(D_tls)
debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
state->session, buff, len);
+errno = 0;
do
inbytes = gnutls_record_recv(state->session, buff, len);
while (inbytes == GNUTLS_E_AGAIN);
@@ -3385,6 +3387,7 @@ while (left > 0)
DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
state->session, buff, left);
+ errno = 0;
do
outbytes = gnutls_record_send(state->session, buff, left);
while (outbytes == GNUTLS_E_AGAIN);
--
2.29.2
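Review bot: In src/tls-gnu.c `errno = 0;` is placed once before each `do ... while (... == GNUTLS_E_AGAIN)` loop, so a value set during an earlier pass of the retry loop is still there when a later pass fails. If the final failure is a TLS-level error that does not touch errno, the logger can still report a stale value, which is what the patch title sets out to prevent. Clearing inside the loop closes that gap, e.g. `do { errno = 0; inbytes = gnutls_record_recv(state->session, buff, len); } while (inbytes == GNUTLS_E_AGAIN);`, and likewise for the send loop. How the logging code consumes errno is outside these hunks, so this should be confirmed against it; in the first hunk the end of the loop is also outside the hunk.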


@ -0,0 +1,83 @@
From 7a534c812646a7a6f680827352d6209c6ff7be96 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Thu, 27 Aug 2020 21:15:19 +0100
Subject: [PATCH 39/42] Fix non-TLS build
(cherry picked from commit b38a477da0a5248ed1d2b7590922c89c6337ec3b)
---
src/transports/smtp.c | 18 +++++++++---------
diff --git src/transports/smtp.c src/transports/smtp.c
index 77335af09..b0dedfa8c 100644
--- src/transports/smtp.c
+++ src/transports/smtp.c
@@ -1989,7 +1989,7 @@ if (sx->smtps)
DEFER, FALSE, &sx->delivery_start);
return ERROR;
}
-#endif
+#else
/* If we have a proxied TLS connection, check usability for this message */
@@ -1998,7 +1998,7 @@ if (continue_hostname && continue_proxy_cipher)
int rc;
const uschar * sni = US"";
-#ifdef SUPPORT_DANE
+# ifdef SUPPORT_DANE
/* Check if the message will be DANE-verified; if so force its SNI */
tls_out.dane_verified = FALSE;
@@ -2018,14 +2018,14 @@ if (continue_hostname && continue_proxy_cipher)
string_sprintf("DANE error: tlsa lookup %s",
rc_to_string(rc)),
rc, FALSE, &sx->delivery_start);
-# ifndef DISABLE_EVENT
+# ifndef DISABLE_EVENT
(void) event_raise(sx->conn_args.tblock->event_action,
US"dane:fail", sx->dane_required
? US"dane-required" : US"dnssec-invalid");
-# endif
+# endif
return rc;
}
-#endif
+# endif
/* If the SNI or the DANE status required for the new message differs from the
existing conn drop the connection to force a new one. */
@@ -2035,7 +2035,7 @@ if (continue_hostname && continue_proxy_cipher)
"<%s>: failed to expand transport's tls_sni value: %s",
sx->addrlist->address, expand_string_message);
-#ifdef SUPPORT_DANE
+# ifdef SUPPORT_DANE
if ( (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)
&& continue_proxy_dane == sx->conn_args.dane)
{
@@ -2043,10 +2043,10 @@ if (continue_hostname && continue_proxy_cipher)
if ((tls_out.dane_verified = continue_proxy_dane))
sx->conn_args.host->dnssec = DS_YES;
}
-#else
+# else
if ((continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni))
tls_out.sni = US sni;
-#endif
+# endif
else
{
DEBUG(D_transport)
@@ -2062,7 +2062,7 @@ if (continue_hostname && continue_proxy_cipher)
back through reporting pipe. */
}
}
-
+#endif /*!DISABLE_TLS*/
/* Make a connection to the host if this isn't a continued delivery, and handle
the initial interaction and HELO/EHLO/LHLO. Connect timeout errors are handled
--
2.29.2


@ -0,0 +1,25 @@
From f521f0d2120be2ccfb93306cc05790b9b0f162c1 Mon Sep 17 00:00:00 2001
From: Richard Clayton <richard@highwayman.com>
Date: Sat, 12 Sep 2020 22:10:04 +0100
Subject: [PATCH 40/42] eximon: fix FreeBSD build
(cherry picked from commit ba00bdd4609501dd3ffe187074ff7f8197a9059f)
---
exim_monitor/em_menu.c | 2 +-
diff --git exim_monitor/em_menu.c exim_monitor/em_menu.c
index 33b3e0c94..2a70a1831 100644
--- exim_monitor/em_menu.c
+++ exim_monitor/em_menu.c
@@ -670,7 +670,7 @@ if (spool_read_header(buffer, TRUE, FALSE) != spool_read_OK)
sprintf(CS big_buffer, "%s/input/%s", spool_directory, buffer);
if (Ustat(big_buffer, &statbuf) == 0)
text_showf(text, "Format error in spool file %s: size=%lu\n", buffer,
- (ulong)statbuf.st_size);
+ (unsigned long)statbuf.st_size);
else text_showf(text, "Format error in spool file %s\n", buffer);
}
else text_showf(text, "Read error for spool file %s\n", buffer);
--
2.29.2
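Review bot: The new cast `(unsigned long)statbuf.st_size` in exim_monitor/em_menu.c fixes the build but still narrows the value on any platform where `long` is 32 bits and `st_size` is a 64-bit `off_t`. The printed size then wraps for files of 4 GiB or more. This is diagnostic output only, but a cast that cannot truncate is just as cheap: `"... size=%llu\n", buffer, (unsigned long long)statbuf.st_size`. The surrounding function starts and ends outside the hunk.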


@ -0,0 +1,51 @@
From e12d2e7bc2e9f0c30a1029602e57e5ae8df1b9db Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 30 Oct 2020 13:58:01 +0000
Subject: [PATCH 41/42] LDAP: fix taint-check in server list walk. Bug
2646
(cherry picked from commit 51b611aa81d7ee01243b196abc34a0e2eabd293c)
---
doc/ChangeLog | 5 +++++
src/lookups/ldap.c | 3 +--
diff --git doc/ChangeLog doc/ChangeLog
index ec1b03304..9924fca5c 100644
--- doc/ChangeLog
+++ doc/ChangeLog
@@ -102,6 +102,11 @@ JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
in quotes.
+JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
+ than one server was defined and depending on the platform memory layout
+ details, an internal consistency trap could be hit while walking the list
+ of servers.
+
Exim version 4.94
-----------------
diff --git src/lookups/ldap.c src/lookups/ldap.c
index ef550a08d..34908a351 100644
--- src/lookups/ldap.c
+++ src/lookups/ldap.c
@@ -1093,7 +1093,6 @@ uschar *password = NULL;
uschar *local_servers = NULL;
uschar *server;
const uschar *list;
-uschar buffer[512];
while (isspace(*url)) url++;
@@ -1254,7 +1253,7 @@ if (!eldap_default_servers && !local_servers || p[3] != '/')
/* Loop through the default servers until OK or FAIL. Use local_servers list
* if defined in the lookup, otherwise use the global default list */
list = !local_servers ? eldap_default_servers : local_servers;
-while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+while ((server = string_nextinlist(&list, &sep, NULL, 0)))
{
int rc;
int port = 0;
--
2.29.2
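Review bot: The call `string_nextinlist(&list, &sep, NULL, 0)` in src/lookups/ldap.c carries no comment saying why the fixed `buffer[512]` was dropped, and the ChangeLog entry only mentions a "memory usage issue". Judging by the patch title, the point is that with a NULL buffer each server item is returned in newly allocated store whose taint status follows the list, instead of being copied into a stack buffer that the taint check can misclassify. That is worth stating at the call so nobody reintroduces a local buffer: `/* NULL buffer: take each item in allocated store so its taint matches the list (Bug 2646) */`. Two side effects deserve a mention in the same comment or the ChangeLog. Server entries are no longer truncated at 512 bytes, and every iteration now allocates, so how long that store lives depends on pool handling outside this hunk. The loop body continues past the end of the hunk.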


@ -0,0 +1,107 @@
From a3ab48f23ee4a83f796440ef67d7ac7b43aad4b5 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sat, 31 Oct 2020 23:58:11 +0000
Subject: [PATCH 42/42] Pass authenticator pubname through spool. Bug 2648
(cherry picked from commit a75ebe0dcc5faeb915cacb0d9db66d2475789116)
---
doc/ChangeLog | 4 ++++
exim_monitor/em_globals.c | 1 +
src/smtp_in.c | 12 +++++++-----
src/spool_in.c | 4 +++-
src/spool_out.c | 6 ++++--
diff --git doc/ChangeLog doc/ChangeLog
index 9924fca5c..4759e018e 100644
--- doc/ChangeLog
+++ doc/ChangeLog
@@ -107,6 +107,10 @@ JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
details, an internal consistency trap could be hit while walking the list
of servers.
+JH/27 Bug 2648: fix the passing of an authenticator public-name through spool
+ files. The value is used by the authresults expansion item. Previously
+ if this was used in a router or transport, a crash could result.
+
Exim version 4.94
-----------------
diff --git exim_monitor/em_globals.c exim_monitor/em_globals.c
index 925e88e05..30d22b5eb 100644
--- exim_monitor/em_globals.c
+++ exim_monitor/em_globals.c
@@ -205,6 +205,7 @@ uschar *sender_address = NULL;
uschar *sender_fullhost = NULL;
uschar *sender_helo_name = NULL;
uschar *sender_host_address = NULL;
+uschar *sender_host_auth_pubname = NULL;
uschar *sender_host_authenticated = NULL;
uschar *sender_host_name = NULL;
int sender_host_port = 0;
diff --git src/smtp_in.c src/smtp_in.c
index a13f0ed63..f53c3cf65 100644
--- src/smtp_in.c
+++ src/smtp_in.c
@@ -5935,12 +5935,14 @@ if (!sender_host_authenticated)
g = string_append(g, 2, US";\n\tauth=pass (", sender_host_auth_pubname);
-if (Ustrcmp(sender_host_auth_pubname, "tls") != 0)
- g = string_append(g, 2, US") smtp.auth=", authenticated_id);
-else if (authenticated_id)
- g = string_append(g, 2, US") x509.auth=", authenticated_id);
+if (Ustrcmp(sender_host_auth_pubname, "tls") == 0)
+ g = authenticated_id
+ ? string_append(g, 2, US") x509.auth=", authenticated_id)
+ : string_cat(g, US") reason=x509.auth");
else
- g = string_catn(g, US") reason=x509.auth", 17);
+ g = authenticated_id
+ ? string_append(g, 2, US") smtp.auth=", authenticated_id)
+ : string_cat(g, US", no id saved)");
if (authenticated_sender)
g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender);
diff --git src/spool_in.c src/spool_in.c
index 1b4cefdb2..35e44df26 100644
--- src/spool_in.c
+++ src/spool_in.c
@@ -253,7 +253,7 @@ sender_helo_name = NULL;
sender_host_address = NULL;
sender_host_name = NULL;
sender_host_port = 0;
-sender_host_authenticated = NULL;
+sender_host_authenticated = sender_host_auth_pubname = NULL;
sender_ident = NULL;
f.sender_local = FALSE;
f.sender_set_untrusted = FALSE;
@@ -580,6 +580,8 @@ for (;;)
host_lookup_deferred = TRUE;
else if (Ustrcmp(p, "ost_lookup_failed") == 0)
host_lookup_failed = TRUE;
+ else if (Ustrncmp(p, "ost_auth_pubname", 16) == 0)
+ sender_host_auth_pubname = string_copy_taint(var + 18, tainted);
else if (Ustrncmp(p, "ost_auth", 8) == 0)
sender_host_authenticated = string_copy_taint(var + 10, tainted);
else if (Ustrncmp(p, "ost_name", 8) == 0)
diff --git src/spool_out.c src/spool_out.c
index 4b6539ecd..0851ce956 100644
--- src/spool_out.c
+++ src/spool_out.c
@@ -174,9 +174,11 @@ if (sender_host_address)
fprintf(fp, "-host_address %s.%d\n", sender_host_address, sender_host_port);
if (sender_host_name)
spool_var_write(fp, US"host_name", sender_host_name);
- if (sender_host_authenticated)
- spool_var_write(fp, US"host_auth", sender_host_authenticated);
}
+if (sender_host_authenticated)
+ spool_var_write(fp, US"host_auth", sender_host_authenticated);
+if (sender_host_auth_pubname)
+ spool_var_write(fp, US"host_auth_pubname", sender_host_auth_pubname);
/* Also about the interface a message came in on */
--
2.29.2
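Review bot: In src/smtp_in.c `sender_host_auth_pubname` is still dereferenced without a NULL test, both as an argument to `string_append(g, 2, US";\n\tauth=pass (", ...)` and in `Ustrcmp(sender_host_auth_pubname, "tls")`; the only visible guard is on `sender_host_authenticated`. The src/spool_in.c hunks reset the pubname to NULL and set it only when a `-host_auth_pubname` line is present. A spool file that has `-host_auth` but no pubname line (presumably any message queued by a binary built before this change) therefore leaves the pointer NULL while the guard passes, which is the crash the ChangeLog entry describes. Treating a missing pubname like the unauthenticated case would cover it, e.g. `if (!sender_host_authenticated || !sender_host_auth_pubname)` on the existing guard, whose body is outside the hunk. Separately, the new spool_in.c branch must stay ahead of the shorter `"ost_auth"` prefix test. It also assumes a separator and value follow the 17-character name before reading at `var + 18`. A short comment on both assumptions would help the next editor.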