Accepting request 108391 from home:lmuelle:branches:server:mail

- update to 4.77 - update to 4.77 - Package /var/log/exim owned by user and group mail; (bnc#670711). See the package changelog for the full history. OBS-URL: https://build.opensuse.org/request/show/108391 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=115
2012-03-07 16:07:13 +00:00 · 2012-03-07 16:07:13 +00:00 · 4c73601dcb
commit 4c73601dcb
parent ae50c719aa
7 changed files with 155 additions and 135 deletions
--- a/109066729a54f6ba5c4e8bc174133da33242e930.diff
+++ b/109066729a54f6ba5c4e8bc174133da33242e930.diff
@ -1,52 +0,0 @@
-From 109066729a54f6ba5c4e8bc174133da33242e930 Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Tue, 22 Mar 2011 06:43:34 -0400
-Subject: [PATCH] Make ldap_require_cert work (not segfault).
-
-The clang complaint, which also triggered a gcc complaint, was
-legitimate. My first test, which suggested no problem, was flawed.
-
-This:
-  ldap_start_tls
-  ldap_require_cert = demand
-would cause a segfault on LDAP lookup.
-
-fixes bug 230
---
- doc/doc-txt/ChangeLog  |    6 ++++++
- src/src/lookups/ldap.c |    2 +-
- 2 files changed, 7 insertions(+), 1 deletions(-)
-
-diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
-index 853f3a5..94952af 100644
--- a/doc/doc/ChangeLog
-+++ b/doc/doc/ChangeLog
-@@ -3,6 +3,12 @@ $Cambridge: exim/doc/doc-txt/ChangeLog,v 1.632 2010/06/12 15:21:25 jetmore Exp $
- Change log file for Exim from version 4.21
- -------------------------------------------
- 
-+Exim version 4.76
-+-----------------
-+
-+PP/01 The new ldap_require_cert option would segfault if used.  Fixed.
-+
-+
- Exim version 4.75
- -----------------
- 
-diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
-index ddf803e..06b7494 100644
--- a/src/src/lookups/ldap.c
-+++ b/src/src/lookups/ldap.c
-@@ -481,7 +481,7 @@ if (lcp == NULL)
-       {
-       cert_option = LDAP_OPT_X_TLS_TRY;
-       }
-    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, cert_option);
-+    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
-     }
-   #endif
- 
-- 
-1.6.3.2
-
--- a/exim-4.12-tail.patch
+++ b/exim-4.12-tail.patch
@ -7,7 +7,7 @@ Index: scripts/Configure-config.h
 ===================================================================
 --- scripts/Configure-config.h.orig
 +++ scripts/Configure-config.h
-@@ -48,7 +48,7 @@ fi
+@@ -47,7 +47,7 @@ fi
 
 # Double-check that config.h is complete.
 
--- a/exim-4.75.tar.bz2
+++ b/exim-4.75.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dc6ef216dcf5b44b6c43f00a3ccb16c4b22e1cb2a414e324df22e991fd490ded
-size 1600867
--- a/exim-4.77.tar.bz2
+++ b/exim-4.77.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0ccc13cf2f052b1163fcdf71c55a3578765050848ba413a6473d3ab5d20b1475
+size 1576148
--- a/exim.changes
+++ b/exim.changes
@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Wed Mar  7 15:33:12 UTC 2012 - lmuelle@suse.de
+
+- update to 4.77
+  - DKIM Verification: Fix relaxed canon for empty headers w/o
+    whitespace trailer
+  - Fix a couple more cases where we did not log the error message
+    when unlink() failed. See also change 4.74-TF/03.
+  - Make the exiwhat support code safe for signals. Previously Exim might
+    lock up or crash if it happened to be inside a call to libc when it
+    got a SIGUSR1 from exiwhat.
+  - The SIGUSR1 handler appends the current process status to the process
+    log which is later printed by exiwhat. It used to use the general
+    purpose logging code to do this, but several functions it calls are
+    not safe for signals.
+  - The new output code in the SIGUSR1 handler is specific to the process
+    log, and simple enough that it's easy to inspect for signal safety.
+    Removing some special cases also simplifies the general logging code.
+    Removing the spurious timestamps from the process log simplifies
+    exiwhat.
+  - Improved ratelimit ACL condition.
+  - Removed obsolete $Cambridge$ CVS revision strings.
+  - Removed a few PCRE remnants.
+  - Automatically extract Exim's version number from tags in the git
+    repository when doing development or release builds.
+  - Raise smtp_cmd_buffer_size to 16kB.
+    Bugzilla 879.  Patch from Paul Fisher.
+  - Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
+    Heavily based on revision 40f9a89a from Simon Arlott's tree.
+    Bugzilla 97.
+  - Use .dylib instead of .so for dynamic library loading on MacOS.
+  - Variable $av_failed, true if the AV scanner deferred.
+    Bugzilla 1078.  Patch from John Horne.
+  - Stop make process more reliably on build failure.
+    Bugzilla 1087.  Patch from Heiko Schlittermann.
+  - Make maildir_use_size_file an _expandable_ boolean.
+    Bugzilla 1089.  Patch from Heiko Schlittermann.
+  - Handle ${run} returning more data than OS pipe buffer size.
+    Bugzilla 1131.  Patch from Holger Weiß.
+  - Handle IPv6 addresses with SPF.
+    Bugzilla 860.  Patch from Wolfgang Breyha.
+  - GnuTLS: support TLS 1.2 & 1.1.
+    Bugzilla 1156.
+    Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].
+    Bugzilla 1095.
+  - match_* no longer expand right-hand-side by default.
+    New compile-time build option, EXPAND_LISTMATCH_RHS.
+    New expansion conditions, "inlist", "inlisti".
+  - fix uninitialised greeting string from PP/03 (smtps client support).
+  - shell and compiler warnings fixes for RC1-RC4 changes.
+  - fix log_write() format string regression from TF/03.
+    Bugzilla 1152.  Patch from Dmitry Isaikin.
+
+- update to 4.77
+  - The new ldap_require_cert option would segfault if used.  Fixed.
+  - Harmonised TLS library version reporting; only show if debugging.
+    Layout now matches that introduced for other libraries in 4.74 PP/03.
+  - New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
+  - New "dns_use_edns0" global option.
+  - Don't segfault on misconfiguration of ref:name exim-user as uid.
+    Bugzilla 1098.
+  - Extra paranoia around buffer usage at the STARTTLS transition.
+    nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316
+  - Updated PolarSSL code to 0.14.2.
+    Bugzilla 1097. Patch from Andreas Metzler.
+  - Catch divide-by-zero in ${eval:...}.
+    Fixes bugzilla 1102.
+  - Condition negation of bool{}/bool_lax{} did not negate.  Fixed.
+    Bugzilla 1104.
+  - Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a
+    format-string attack -- SECURITY: remote arbitrary code execution.
+  - SECURITY - DKIM signature header parsing was double-expanded, second
+    time unintentionally subject to list matching rules, letting the header
+    cause arbitrary Exim lookups (of items which can occur in lists, *not*
+    arbitrary string expansion). This allowed for information disclosure.
+  - Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
+    INT_MIN/-1 -- value coerced to INT_MAX.
+
+-------------------------------------------------------------------
+Wed Mar  7 14:58:55 UTC 2012 - lmuelle@suse.de
+
+- Package /var/log/exim owned by user and group mail; (bnc#670711).
+
 -------------------------------------------------------------------
 Mon May  9 13:32:55 CEST 2011 - dmueller@suse.de

--- a/exim.spec
+++ b/exim.spec
@ -40,7 +40,7 @@ Provides:       smtp_daemon
 Requires:       logrotate
 PreReq:         %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils
 %endif
-Version:        4.75
+Version:        4.77
 Release:        3
 %if %{?build_with_mysql:1}0
 BuildRequires:  mysql-devel
@ -62,9 +62,8 @@ Source20:       http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exi
 Source30:       eximstats-html-update.py
 Source31:       eximstats.conf
 Patch:          exim-4.12-tail.patch
-Patch1:         109066729a54f6ba5c4e8bc174133da33242e930.diff
 Patch2:         format-security.diff
-%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 
+%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0

 %package -n eximon
 License:        GPL-2.0+
@ -93,7 +92,7 @@ Authors:
 --------
    Philip Hazel <ph10@cus.cam.ac.uk>

-%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 
+%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0

 %description -n eximon
 This allows administrators to view the exim agent's mail queue and
@ -130,7 +129,6 @@ Authors:
 %prep
 %setup -q -n exim-%{version}
 %patch
-%patch1 -p2
 %patch2
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
@ -280,17 +278,17 @@ do
 done
 ln -sf exim $RPM_BUILD_ROOT/usr/sbin/sendmail
 ln -sv ../../etc/init.d/exim $RPM_BUILD_ROOT/usr/sbin/rcexim
-%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 
+%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0
 mv $RPM_BUILD_ROOT/usr/sbin/eximon* $RPM_BUILD_ROOT/usr/bin/
 %else
-rm $RPM_BUILD_ROOT/usr/sbin/eximon* 
+rm $RPM_BUILD_ROOT/usr/sbin/eximon*
 %endif
 cp -p %{S:1} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.exim
 install -m 644 %{S:2} $RPM_BUILD_ROOT/etc/logrotate.d/exim
 # man pages
 mv doc/exim.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
 pod2man --center=EXIM --section=8 $RPM_BUILD_ROOT/usr/sbin/eximstats > $RPM_BUILD_ROOT/%{_mandir}/man8/eximstats.8
-tar xvjf %{S:20} 
+tar xvjf %{S:20}
 cp -p exim4-manpages/* $RPM_BUILD_ROOT/%{_mandir}/man8/
 for i in \
 	sendmail \
@ -298,14 +296,14 @@ for i in \
 	rsmtp \
 	mailq \
 	newaliases
-do 
+do
 	ln -sf exim.8.gz $RPM_BUILD_ROOT/%{_mandir}/man8/$i.8.gz
 done
 for i in \
 	exim_dumpdb \
 	exim_fixdb \
-	exim_tidydb 
-do 
+	exim_tidydb
+do
 	ln -sf exim_db.8.gz $RPM_BUILD_ROOT/%{_mandir}/man8/$i.8.gz
 done
 perl -pi -e 's%/usr/share/doc/exim4%/usr/share/doc/packages/exim%g' `find $RPM_BUILD_ROOT/%{_mandir}/man8 -name "*.8"`
@ -320,7 +318,7 @@ install -m 0755 -d $RPM_BUILD_ROOT/etc/permissions.d
 install -m 0644 $RPM_SOURCE_DIR/permissions.exim $RPM_BUILD_ROOT/etc/permissions.d/exim
 %endif
 # eximstats-html files
-%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 
+%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0
 mkdir -p $RPM_BUILD_ROOT/srv/www/eximstats
 mkdir -p $RPM_BUILD_ROOT/etc/apache2/conf.d/
 cp -p $RPM_SOURCE_DIR/eximstats.conf $RPM_BUILD_ROOT/etc/apache2/conf.d/
@ -331,12 +329,12 @@ install -D -m 0644 $RPM_SOURCE_DIR/apparmor.usr.sbin.exim $RPM_BUILD_ROOT/etc/ap

 %post
 %run_permissions
-if ! test -s etc/exim/exim.conf; then 
+if ! test -s etc/exim/exim.conf; then
 	if test -s etc/exim.conf; then
 		mv etc/exim.conf etc/exim/
-		echo moving exim.conf to /etc/exim/ 
+		echo moving exim.conf to /etc/exim/
 	else
-		cp -p usr/share/doc/packages/%{name}/configure.default etc/exim/exim.conf 
+		cp -p usr/share/doc/packages/%{name}/configure.default etc/exim/exim.conf
 		echo copying default config file to /etc/exim/exim.conf
 	fi
 fi
@ -398,8 +396,8 @@ exit 0
 /usr/sbin/sendmail
 /usr/lib/sendmail
 /var/adm/fillup-templates/sysconfig.exim
-%dir %attr(750,root,mail) /var/log/exim
-%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 
+%dir %attr(750,mail,mail) /var/log/exim
+%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0

 %files -n eximon
 %defattr(-,root,root)
--- a/format-security.diff
+++ b/format-security.diff
@ -1,6 +1,8 @@
--- exim_monitor/em_log.c
+Index: exim_monitor/em_log.c
+===================================================================
+--- exim_monitor/em_log.c.orig
 +++ exim_monitor/em_log.c
-@@ -58,6 +58,8 @@
+@@ -56,6 +56,8 @@ static int scrolled = FALSE;
 static int size = 0;
 static int top = 0;
 
@ -9,7 +11,7 @@
 static void show_log(char *s, ...)
 {
 int length, newtop;
-@@ -364,7 +366,7 @@
+@@ -362,7 +364,7 @@ link count of zero on the currently open
 if (log_datestamping)
   {
   uschar log_file_wanted[256];
@ -18,9 +20,11 @@
   if (Ustrcmp(log_file_wanted, log_file_open) != 0)
     {
     if (LOG != NULL)
--- exim_monitor/em_main.c
+Index: exim_monitor/em_main.c
+===================================================================
+--- exim_monitor/em_main.c.orig
 +++ exim_monitor/em_main.c
-@@ -656,7 +656,7 @@
+@@ -654,7 +654,7 @@ today.) */
 
 if (log_file[0] != 0)
   {
@ -29,9 +33,11 @@
   log_datestamping = string_datestamp_offset >= 0;
 
   LOG = fopen(CS log_file_open, "r");
--- exim_monitor/em_text.c
+Index: exim_monitor/em_text.c
+===================================================================
+--- exim_monitor/em_text.c.orig
 +++ exim_monitor/em_text.c
-@@ -60,6 +60,8 @@
+@@ -58,6 +58,8 @@ XawTextSetInsertionPoint(w, text_count);
 *           Display text from format             *
 *************************************************/
 
@ -40,9 +46,11 @@
 void text_showf(Widget w, char *s, ...)
 {
 va_list ap;
--- src/demime.c
+Index: src/demime.c
+===================================================================
+--- src/demime.c.orig
 +++ src/demime.c
-@@ -823,7 +823,7 @@
+@@ -821,7 +821,7 @@ void mime_trigger_error(int level, uscha
     (void)string_vformat(US f, 16383,(char *)format, ap);
     va_end(ap);
     f-=22;
@ -51,30 +59,11 @@
     /* then copy to demime_reason_buffer if new
     level is greater than old level */
     if (level > demime_errorlevel) {
--- src/dkim.c
-+++ src/dkim.c
-@@ -176,7 +176,7 @@
-     }
- 
-     logmsg[ptr] = '\0';
-    log_write(0, LOG_MAIN, (char *)logmsg);
-+    log_write(0, LOG_MAIN, "%s", (char *)logmsg);
- 
-     /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
-     dkim_signers = string_append(dkim_signers,
--- src/exim_dbutil.c
-+++ src/exim_dbutil.c
-@@ -59,6 +59,7 @@
- #include "dbstuff.h"
- #include "osfunctions.h"
- #include "store.h"
-+#include "local_scan.h"
- 
- 
- /* Identifiers for the different database types. */
--- src/functions.h
+Index: src/functions.h
+===================================================================
+--- src/functions.h.orig
 +++ src/functions.h
-@@ -82,7 +82,7 @@
+@@ -80,7 +80,7 @@ extern void    decode_bits(unsigned int
                   int, int, uschar *, bit_table *, int, uschar *, int);
 extern address_item *deliver_make_addr(uschar *, BOOL);
 extern int     deliver_message(uschar *, BOOL, BOOL);
@ -83,68 +72,70 @@
 extern void    deliver_set_expansions(address_item *);
 extern int     deliver_split_address(address_item *);
 extern void    deliver_succeeded(address_item *);
-@@ -181,9 +181,9 @@
+@@ -180,9 +180,9 @@ extern int     mime_regex(uschar **);
 extern uschar *moan_check_errorcopy(uschar *);
 extern BOOL    moan_skipped_syntax_errors(uschar *, error_block *, uschar *,
                  BOOL, uschar *);
-extern void    moan_smtp_batch(uschar *, char *, ...);
-+extern void    moan_smtp_batch(uschar *, char *, ...) PRINTF_FUNCTION(2,3);
- extern void    moan_tell_someone(uschar *, address_item *, uschar *, char *,
-                 ...);
-+                 ...) PRINTF_FUNCTION(4,5);
+-extern void    moan_smtp_batch(uschar *, const char *, ...);
+extern void    moan_smtp_batch(uschar *, const char *, ...) PRINTF_FUNCTION(2,3);
+ extern void    moan_tell_someone(uschar *, address_item *,
+-                 const uschar *, const char *, ...);
+                 const uschar *, const char *, ...) PRINTF_FUNCTION(4,5);
 extern BOOL    moan_to_sender(int, error_block *, header_line *, FILE *, BOOL);
 extern void    moan_write_from(FILE *);
- extern FILE   *modefopen(uschar *, char *, mode_t);
-@@ -271,7 +271,7 @@
+ extern FILE   *modefopen(const uschar *, const char *, mode_t);
+@@ -270,7 +270,7 @@ extern int     search_findtype_partial(u
                  int *);
 extern void   *search_open(uschar *, int, int, uid_t *, gid_t *);
 extern void    search_tidyup(void);
-extern void    set_process_info(char *, ...);
-+extern void    set_process_info(char *, ...) PRINTF_FUNCTION(1,2);
+-extern void    set_process_info(const char *, ...);
+extern void    set_process_info(const char *, ...) PRINTF_FUNCTION(1,2);
 extern void    sha1_end(sha1 *, const uschar *, int, uschar *);
 extern void    sha1_mid(sha1 *, const uschar *);
 extern void    sha1_start(sha1 *);
-@@ -299,7 +299,7 @@
+@@ -298,7 +298,7 @@ extern int     smtp_setup_msg(void);
 extern BOOL    smtp_start_session(void);
 extern int     smtp_ungetc(int);
 extern BOOL    smtp_verify_helo(void);
-extern int     smtp_write_command(smtp_outblock *, BOOL, char *, ...);
-+extern int     smtp_write_command(smtp_outblock *, BOOL, char *, ...) PRINTF_FUNCTION(3,4);
+-extern int     smtp_write_command(smtp_outblock *, BOOL, const char *, ...);
+extern int     smtp_write_command(smtp_outblock *, BOOL, const char *, ...) PRINTF_FUNCTION(3,4);
 #ifdef WITH_CONTENT_SCAN
 extern int     spam(uschar **);
 extern FILE   *spool_mbox(unsigned long *, uschar *);
-@@ -321,13 +321,13 @@
+@@ -320,13 +320,13 @@ extern uschar *string_copy_malloc(uschar
 extern uschar *string_copylc(uschar *);
 extern uschar *string_copynlc(uschar *, int);
 extern uschar *string_dequote(uschar **);
-extern BOOL    string_format(uschar *, int, char *, ...);
-+extern BOOL    string_format(uschar *, int, char *, ...) PRINTF_FUNCTION(3,4);
+-extern BOOL    string_format(uschar *, int, const char *, ...);
+extern BOOL    string_format(uschar *, int, const char *, ...) PRINTF_FUNCTION(3,4);
 extern uschar *string_format_size(int, uschar *);
 extern int     string_interpret_escape(uschar **);
 extern int     string_is_ip_address(uschar *, int *);
 extern uschar *string_log_address(address_item *, BOOL, BOOL);
 extern uschar *string_nextinlist(uschar **, int *, uschar *, int);
-extern uschar *string_open_failed(int, char *, ...);
-+extern uschar *string_open_failed(int, char *, ...) PRINTF_FUNCTION(2,3);
+-extern uschar *string_open_failed(int, const char *, ...);
+extern uschar *string_open_failed(int, const char *, ...) PRINTF_FUNCTION(2,3);
 extern uschar *string_printing2(uschar *, BOOL);
 extern uschar *string_split_message(uschar *);
- extern BOOL    string_vformat(uschar *, int, char *, va_list);
--- src/local_scan.h
+ extern BOOL    string_vformat(uschar *, int, const char *, va_list);
+Index: src/local_scan.h
+===================================================================
+--- src/local_scan.h.orig
 +++ src/local_scan.h
-@@ -175,7 +175,7 @@
- extern void    header_remove(int, uschar *);
- extern BOOL    header_testname(header_line *, uschar *, int, BOOL);
- extern BOOL    header_testname_incomplete(header_line *, uschar *, int, BOOL);
-extern void    log_write(unsigned int, int, char *format, ...);
-+extern void    log_write(unsigned int, int, char *format, ...) PRINTF_FUNCTION(3,4);
+@@ -173,7 +173,7 @@ extern void    header_add_at_position(BO
+ extern void    header_remove(int, const uschar *);
+ extern BOOL    header_testname(header_line *, const uschar *, int, BOOL);
+ extern BOOL    header_testname_incomplete(header_line *, const uschar *, int, BOOL);
+-extern void    log_write(unsigned int, int, const char *format, ...);
+extern void    log_write(unsigned int, int, const char *format, ...) PRINTF_FUNCTION(3,4);
 extern int     lss_b64decode(uschar *, uschar **);
 extern uschar *lss_b64encode(uschar *, int);
 extern int     lss_match_domain(uschar *, uschar *);
-@@ -190,6 +190,6 @@
- extern void    smtp_vprintf(char *, va_list);
+@@ -188,6 +188,6 @@ extern void    smtp_printf(const char *,
+ extern void    smtp_vprintf(const char *, va_list);
 extern uschar *string_copy(uschar *);
 extern uschar *string_copyn(uschar *, int);
-extern uschar *string_sprintf(char *, ...);
-+extern uschar *string_sprintf(char *, ...) PRINTF_FUNCTION(1,2);
+-extern uschar *string_sprintf(const char *, ...);
+extern uschar *string_sprintf(const char *, ...) PRINTF_FUNCTION(1,2);
 
 /* End of local_scan.h */