diff --git a/109066729a54f6ba5c4e8bc174133da33242e930.diff b/109066729a54f6ba5c4e8bc174133da33242e930.diff
deleted file mode 100644
index 0eccbda..0000000
--- a/109066729a54f6ba5c4e8bc174133da33242e930.diff
+++ /dev/null
@@ -1,52 +0,0 @@
-From 109066729a54f6ba5c4e8bc174133da33242e930 Mon Sep 17 00:00:00 2001
-From: Phil Pennock
-Date: Tue, 22 Mar 2011 06:43:34 -0400
-Subject: [PATCH] Make ldap_require_cert work (not segfault).
-
-The clang complaint, which also triggered a gcc complaint, was
-legitimate. My first test, which suggested no problem, was flawed.
-
-This:
- ldap_start_tls
- ldap_require_cert = demand
-would cause a segfault on LDAP lookup.
-
-fixes bug 230
----
- doc/doc-txt/ChangeLog | 6 ++++++
- src/src/lookups/ldap.c | 2 +-
- 2 files changed, 7 insertions(+), 1 deletions(-)
-
-diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
-index 853f3a5..94952af 100644
---- a/doc/doc/ChangeLog
-+++ b/doc/doc/ChangeLog
-@@ -3,6 +3,12 @@ $Cambridge: exim/doc/doc-txt/ChangeLog,v 1.632 2010/06/12 15:21:25 jetmore Exp $
- Change log file for Exim from version 4.21
- -------------------------------------------
-
-+Exim version 4.76
-+-----------------
-+
-+PP/01 The new ldap_require_cert option would segfault if used. Fixed.
-+
-+
- Exim version 4.75
- -----------------
-
-diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
-index ddf803e..06b7494 100644
---- a/src/src/lookups/ldap.c
-+++ b/src/src/lookups/ldap.c
-@@ -481,7 +481,7 @@ if (lcp == NULL)
- {
- cert_option = LDAP_OPT_X_TLS_TRY;
- }
-- ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, cert_option);
-+ ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
- }
- #endif
-
---
-1.6.3.2
-
diff --git a/exim-4.12-tail.patch b/exim-4.12-tail.patch
index 0299b5f..0b1106b 100644
--- a/exim-4.12-tail.patch
+++ b/exim-4.12-tail.patch
@@ -7,7 +7,7 @@ Index: scripts/Configure-config.h =================================================================== --- scripts/Configure-config.h.orig +++ scripts/Configure-config.h -@@ -48,7 +48,7 @@ fi +@@ -47,7 +47,7 @@ fi # Double-check that config.h is complete. diff --git a/exim-4.75.tar.bz2 b/exim-4.75.tar.bz2 deleted file mode 100644 index fe69675..0000000 --- a/exim-4.75.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dc6ef216dcf5b44b6c43f00a3ccb16c4b22e1cb2a414e324df22e991fd490ded -size 1600867 diff --git a/exim-4.77.tar.bz2 b/exim-4.77.tar.bz2 new file mode 100644 index 0000000..9494c8e --- /dev/null +++ b/exim-4.77.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0ccc13cf2f052b1163fcdf71c55a3578765050848ba413a6473d3ab5d20b1475 +size 1576148 diff --git a/exim.changes b/exim.changes index 4245725..cf5bebb 100644 --- a/exim.changes +++ b/exim.changes 
@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Wed Mar 7 15:33:12 UTC 2012 - lmuelle@suse.de
+
+- update to 4.77
+ - DKIM Verification: Fix relaxed canon for empty headers w/o
+ whitespace trailer
+ - Fix a couple more cases where we did not log the error message
+ when unlink() failed. See also change 4.74-TF/03.
+ - Make the exiwhat support code safe for signals. Previously Exim might
+ lock up or crash if it happened to be inside a call to libc when it
+ got a SIGUSR1 from exiwhat.
+ - The SIGUSR1 handler appends the current process status to the process
+ log which is later printed by exiwhat. It used to use the general
+ purpose logging code to do this, but several functions it calls are
+ not safe for signals.
+ - The new output code in the SIGUSR1 handler is specific to the process
+ log, and simple enough that it's easy to inspect for signal safety.
+ Removing some special cases also simplifies the general logging code.
+ Removing the spurious timestamps from the process log simplifies
+ exiwhat.
+ - Improved ratelimit ACL condition.
+ - Removed obsolete $Cambridge$ CVS revision strings.
+ - Removed a few PCRE remnants.
+ - Automatically extract Exim's version number from tags in the git
+ repository when doing development or release builds.
+ - Raise smtp_cmd_buffer_size to 16kB.
+ Bugzilla 879. Patch from Paul Fisher.
+ - Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
+ Heavily based on revision 40f9a89a from Simon Arlott's tree.
+ Bugzilla 97.
+ - Use .dylib instead of .so for dynamic library loading on MacOS.
+ - Variable $av_failed, true if the AV scanner deferred.
+ Bugzilla 1078. Patch from John Horne.
+ - Stop make process more reliably on build failure.
+ Bugzilla 1087. Patch from Heiko Schlittermann.
+ - Make maildir_use_size_file an _expandable_ boolean.
+ Bugzilla 1089. Patch from Heiko Schlittermann.
+ - Handle ${run} returning more data than OS pipe buffer size.
+ Bugzilla 1131. Patch from Holger Weiß.
+ - Handle IPv6 addresses with SPF.
+ Bugzilla 860. Patch from Wolfgang Breyha.
+ - GnuTLS: support TLS 1.2 & 1.1.
+ Bugzilla 1156.
+ Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].
+ Bugzilla 1095.
+ - match_* no longer expand right-hand-side by default.
+ New compile-time build option, EXPAND_LISTMATCH_RHS.
+ New expansion conditions, "inlist", "inlisti".
+ - fix uninitialised greeting string from PP/03 (smtps client support).
+ - shell and compiler warnings fixes for RC1-RC4 changes.
+ - fix log_write() format string regression from TF/03.
+ Bugzilla 1152. Patch from Dmitry Isaikin.
+
+- update to 4.77
+ - The new ldap_require_cert option would segfault if used. Fixed.
+ - Harmonised TLS library version reporting; only show if debugging.
+ Layout now matches that introduced for other libraries in 4.74 PP/03.
+ - New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
+ - New "dns_use_edns0" global option.
+ - Don't segfault on misconfiguration of ref:name exim-user as uid.
+ Bugzilla 1098.
+ - Extra paranoia around buffer usage at the STARTTLS transition.
+ nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316
+ - Updated PolarSSL code to 0.14.2.
+ Bugzilla 1097. Patch from Andreas Metzler.
+ - Catch divide-by-zero in ${eval:...}.
+ Fixes bugzilla 1102.
+ - Condition negation of bool{}/bool_lax{} did not negate. Fixed.
+ Bugzilla 1104.
+ - Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a
+ format-string attack -- SECURITY: remote arbitrary code execution.
+ - SECURITY - DKIM signature header parsing was double-expanded, second
+ time unintentionally subject to list matching rules, letting the header
+ cause arbitrary Exim lookups (of items which can occur in lists, *not*
+ arbitrary string expansion). This allowed for information disclosure.
+ - Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
+ INT_MIN/-1 -- value coerced to INT_MAX.
+ +------------------------------------------------------------------- +Wed Mar 7 14:58:55 UTC 2012 - lmuelle@suse.de + +- Package /var/log/exim owned by user and group mail; (bnc#670711). + ------------------------------------------------------------------- Mon May 9 13:32:55 CEST 2011 - dmueller@suse.de diff --git a/exim.spec b/exim.spec index fe549c2..bdd4d85 100644 --- a/exim.spec +++ b/exim.spec @@ -40,7 +40,7 @@ Provides: smtp_daemon Requires: logrotate PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils %endif -Version: 4.75 +Version: 4.77 Release: 3 %if %{?build_with_mysql:1}0 BuildRequires: mysql-devel @@ -62,9 +62,8 @@ Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exi Source30: eximstats-html-update.py Source31: eximstats.conf Patch: exim-4.12-tail.patch -Patch1: 109066729a54f6ba5c4e8bc174133da33242e930.diff Patch2: format-security.diff -%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 +%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 %package -n eximon License: GPL-2.0+ @@ -93,7 +92,7 @@ Authors: -------- Philip Hazel -%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 +%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 %description -n eximon This allows administrators to view the exim agent's mail queue and @@ -130,7 +129,6 @@ Authors: %prep %setup -q -n exim-%{version} %patch -%patch1 -p2 %patch2 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 
@@ -280,17 +278,17 @@ do done ln -sf exim $RPM_BUILD_ROOT/usr/sbin/sendmail ln -sv ../../etc/init.d/exim $RPM_BUILD_ROOT/usr/sbin/rcexim -%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 +%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 mv $RPM_BUILD_ROOT/usr/sbin/eximon* $RPM_BUILD_ROOT/usr/bin/ %else -rm $RPM_BUILD_ROOT/usr/sbin/eximon* +rm $RPM_BUILD_ROOT/usr/sbin/eximon* %endif cp -p %{S:1} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.exim install -m 644 %{S:2} $RPM_BUILD_ROOT/etc/logrotate.d/exim # man pages mv doc/exim.8 $RPM_BUILD_ROOT/%{_mandir}/man8/ pod2man --center=EXIM --section=8 $RPM_BUILD_ROOT/usr/sbin/eximstats > $RPM_BUILD_ROOT/%{_mandir}/man8/eximstats.8 -tar xvjf %{S:20} +tar xvjf %{S:20} cp -p exim4-manpages/* $RPM_BUILD_ROOT/%{_mandir}/man8/ for i in \ sendmail \ @@ -298,14 +296,14 @@ for i in \ rsmtp \ mailq \ newaliases -do +do ln -sf exim.8.gz $RPM_BUILD_ROOT/%{_mandir}/man8/$i.8.gz done for i in \ exim_dumpdb \ exim_fixdb \ - exim_tidydb -do + exim_tidydb +do ln -sf exim_db.8.gz $RPM_BUILD_ROOT/%{_mandir}/man8/$i.8.gz done perl -pi -e 's%/usr/share/doc/exim4%/usr/share/doc/packages/exim%g' `find $RPM_BUILD_ROOT/%{_mandir}/man8 -name "*.8"` @@ -320,7 +318,7 @@ install -m 0755 -d $RPM_BUILD_ROOT/etc/permissions.d install -m 0644 $RPM_SOURCE_DIR/permissions.exim $RPM_BUILD_ROOT/etc/permissions.d/exim %endif # eximstats-html files -%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 +%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 mkdir -p $RPM_BUILD_ROOT/srv/www/eximstats mkdir -p $RPM_BUILD_ROOT/etc/apache2/conf.d/ cp -p $RPM_SOURCE_DIR/eximstats.conf $RPM_BUILD_ROOT/etc/apache2/conf.d/ 
@@ -331,12 +329,12 @@ install -D -m 0644 $RPM_SOURCE_DIR/apparmor.usr.sbin.exim $RPM_BUILD_ROOT/etc/ap %post %run_permissions -if ! test -s etc/exim/exim.conf; then +if ! test -s etc/exim/exim.conf; then if test -s etc/exim.conf; then mv etc/exim.conf etc/exim/ - echo moving exim.conf to /etc/exim/ + echo moving exim.conf to /etc/exim/ else - cp -p usr/share/doc/packages/%{name}/configure.default etc/exim/exim.conf + cp -p usr/share/doc/packages/%{name}/configure.default etc/exim/exim.conf echo copying default config file to /etc/exim/exim.conf fi fi @@ -398,8 +396,8 @@ exit 0 /usr/sbin/sendmail /usr/lib/sendmail /var/adm/fillup-templates/sysconfig.exim -%dir %attr(750,root,mail) /var/log/exim -%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 +%dir %attr(750,mail,mail) /var/log/exim +%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 %files -n eximon %defattr(-,root,root) diff --git a/format-security.diff b/format-security.diff index 416f443..0045811 100644 --- a/format-security.diff +++ b/format-security.diff @@ -1,6 +1,8 @@ ---- exim_monitor/em_log.c +Index: exim_monitor/em_log.c +=================================================================== +--- exim_monitor/em_log.c.orig +++ exim_monitor/em_log.c -@@ -58,6 +58,8 @@ +@@ -56,6 +56,8 @@ static int scrolled = FALSE; static int size = 0; static int top = 0; @@ -9,7 +11,7 @@ static void show_log(char *s, ...) { int length, newtop; -@@ -364,7 +366,7 @@ +@@ -362,7 +364,7 @@ link count of zero on the currently open if (log_datestamping) { uschar log_file_wanted[256]; @@ -18,9 +20,11 @@ if (Ustrcmp(log_file_wanted, log_file_open) != 0) { if (LOG != NULL) ---- exim_monitor/em_main.c +Index: exim_monitor/em_main.c +=================================================================== +--- exim_monitor/em_main.c.orig +++ exim_monitor/em_main.c -@@ -656,7 +656,7 @@ +@@ -654,7 +654,7 @@ today.) */ if (log_file[0] != 0) { 
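Review bot: The new `%dir %attr(750,mail,mail) /var/log/exim` entry changes who may unlink or rename the log files, not only who may write them: if the daemon itself runs as user mail, a compromised process can now remove its own audit trail, whereas the previous root-owned directory limited it to appending. If bnc#670711 only needs write access, a root-owned directory with group write (something like `%attr(770,root,mail)`) is the alternative to weigh before settling on owner mail. Whatever is chosen also has to agree with `permissions.exim`, which hunk @@ -320 installs into /etc/permissions.d and %post applies through `%run_permissions`; if that file still lists /var/log/exim as root:mail, the permissions framework will presumably revert this %files attribute on its next run. permissions.exim is not on this page, so treat this as a consistency check rather than a confirmed defect.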
@@ -29,9 +33,11 @@ log_datestamping = string_datestamp_offset >= 0; LOG = fopen(CS log_file_open, "r"); ---- exim_monitor/em_text.c +Index: exim_monitor/em_text.c +=================================================================== +--- exim_monitor/em_text.c.orig +++ exim_monitor/em_text.c -@@ -60,6 +60,8 @@ +@@ -58,6 +58,8 @@ XawTextSetInsertionPoint(w, text_count); * Display text from format * *************************************************/ @@ -40,9 +46,11 @@ void text_showf(Widget w, char *s, ...) { va_list ap; ---- src/demime.c +Index: src/demime.c +=================================================================== +--- src/demime.c.orig +++ src/demime.c -@@ -823,7 +823,7 @@ +@@ -821,7 +821,7 @@ void mime_trigger_error(int level, uscha (void)string_vformat(US f, 16383,(char *)format, ap); va_end(ap); f-=22; @@ -51,30 +59,11 @@ /* then copy to demime_reason_buffer if new level is greater than old level */ if (level > demime_errorlevel) { ---- src/dkim.c -+++ src/dkim.c -@@ -176,7 +176,7 @@ - } - - logmsg[ptr] = '\0'; -- log_write(0, LOG_MAIN, (char *)logmsg); -+ log_write(0, LOG_MAIN, "%s", (char *)logmsg); - - /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */ - dkim_signers = string_append(dkim_signers, ---- src/exim_dbutil.c -+++ src/exim_dbutil.c -@@ -59,6 +59,7 @@ - #include "dbstuff.h" - #include "osfunctions.h" - #include "store.h" -+#include "local_scan.h" - - - /* Identifiers for the different database types. */ ---- src/functions.h +Index: src/functions.h +=================================================================== +--- src/functions.h.orig +++ src/functions.h -@@ -82,7 +82,7 @@ +@@ -80,7 +80,7 @@ extern void decode_bits(unsigned int int, int, uschar *, bit_table *, int, uschar *, int); extern address_item *deliver_make_addr(uschar *, BOOL); extern int deliver_message(uschar *, BOOL, BOOL); 
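Review bot: This hunk drops two parts of format-security.diff outright, the `src/dkim.c` change to `log_write(0, LOG_MAIN, "%s", (char *)logmsg);` and the `src/exim_dbutil.c` `#include "local_scan.h"` addition, which is only correct if the 4.77 tarball already contains both. The exim.changes entry for CVE-2011-1764 in this same commit indicates the dkim.c fix is upstream, but nothing on the page shows the exim_dbutil.c include landed there, so that should be confirmed against the unpacked source; if it did not, exim_dbutil.c presumably loses the annotated `log_write` prototype the include was added to provide. Since patch(1) ignores free text before the first `Index:` line, a short header recording that the patch adds `PRINTF_FUNCTION` attributes so -Wformat-security can catch non-literal format strings, and that the dkim.c and exim_dbutil.c hunks were dropped at the 4.77 rebase as fixed upstream, would save the next rebase from rediscovering this. The remaining lines of the hunk are the mechanical `Index:`/`.orig` header conversion for functions.h and raise nothing.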
@@ -83,68 +72,70 @@ extern void deliver_set_expansions(address_item *); extern int deliver_split_address(address_item *); extern void deliver_succeeded(address_item *); -@@ -181,9 +181,9 @@ +@@ -180,9 +180,9 @@ extern int mime_regex(uschar **); extern uschar *moan_check_errorcopy(uschar *); extern BOOL moan_skipped_syntax_errors(uschar *, error_block *, uschar *, BOOL, uschar *); --extern void moan_smtp_batch(uschar *, char *, ...); -+extern void moan_smtp_batch(uschar *, char *, ...) PRINTF_FUNCTION(2,3); - extern void moan_tell_someone(uschar *, address_item *, uschar *, char *, -- ...); -+ ...) PRINTF_FUNCTION(4,5); +-extern void moan_smtp_batch(uschar *, const char *, ...); ++extern void moan_smtp_batch(uschar *, const char *, ...) PRINTF_FUNCTION(2,3); + extern void moan_tell_someone(uschar *, address_item *, +- const uschar *, const char *, ...); ++ const uschar *, const char *, ...) PRINTF_FUNCTION(4,5); extern BOOL moan_to_sender(int, error_block *, header_line *, FILE *, BOOL); extern void moan_write_from(FILE *); - extern FILE *modefopen(uschar *, char *, mode_t); -@@ -271,7 +271,7 @@ + extern FILE *modefopen(const uschar *, const char *, mode_t); +@@ -270,7 +270,7 @@ extern int search_findtype_partial(u int *); extern void *search_open(uschar *, int, int, uid_t *, gid_t *); extern void search_tidyup(void); --extern void set_process_info(char *, ...); -+extern void set_process_info(char *, ...) PRINTF_FUNCTION(1,2); +-extern void set_process_info(const char *, ...); ++extern void set_process_info(const char *, ...) 
PRINTF_FUNCTION(1,2); extern void sha1_end(sha1 *, const uschar *, int, uschar *); extern void sha1_mid(sha1 *, const uschar *); extern void sha1_start(sha1 *); -@@ -299,7 +299,7 @@ +@@ -298,7 +298,7 @@ extern int smtp_setup_msg(void); extern BOOL smtp_start_session(void); extern int smtp_ungetc(int); extern BOOL smtp_verify_helo(void); --extern int smtp_write_command(smtp_outblock *, BOOL, char *, ...); -+extern int smtp_write_command(smtp_outblock *, BOOL, char *, ...) PRINTF_FUNCTION(3,4); +-extern int smtp_write_command(smtp_outblock *, BOOL, const char *, ...); ++extern int smtp_write_command(smtp_outblock *, BOOL, const char *, ...) PRINTF_FUNCTION(3,4); #ifdef WITH_CONTENT_SCAN extern int spam(uschar **); extern FILE *spool_mbox(unsigned long *, uschar *); -@@ -321,13 +321,13 @@ +@@ -320,13 +320,13 @@ extern uschar *string_copy_malloc(uschar extern uschar *string_copylc(uschar *); extern uschar *string_copynlc(uschar *, int); extern uschar *string_dequote(uschar **); --extern BOOL string_format(uschar *, int, char *, ...); -+extern BOOL string_format(uschar *, int, char *, ...) PRINTF_FUNCTION(3,4); +-extern BOOL string_format(uschar *, int, const char *, ...); ++extern BOOL string_format(uschar *, int, const char *, ...) PRINTF_FUNCTION(3,4); extern uschar *string_format_size(int, uschar *); extern int string_interpret_escape(uschar **); extern int string_is_ip_address(uschar *, int *); extern uschar *string_log_address(address_item *, BOOL, BOOL); extern uschar *string_nextinlist(uschar **, int *, uschar *, int); --extern uschar *string_open_failed(int, char *, ...); -+extern uschar *string_open_failed(int, char *, ...) PRINTF_FUNCTION(2,3); +-extern uschar *string_open_failed(int, const char *, ...); ++extern uschar *string_open_failed(int, const char *, ...) 
PRINTF_FUNCTION(2,3); extern uschar *string_printing2(uschar *, BOOL); extern uschar *string_split_message(uschar *); - extern BOOL string_vformat(uschar *, int, char *, va_list); ---- src/local_scan.h + extern BOOL string_vformat(uschar *, int, const char *, va_list); +Index: src/local_scan.h +=================================================================== +--- src/local_scan.h.orig +++ src/local_scan.h -@@ -175,7 +175,7 @@ - extern void header_remove(int, uschar *); - extern BOOL header_testname(header_line *, uschar *, int, BOOL); - extern BOOL header_testname_incomplete(header_line *, uschar *, int, BOOL); --extern void log_write(unsigned int, int, char *format, ...); -+extern void log_write(unsigned int, int, char *format, ...) PRINTF_FUNCTION(3,4); +@@ -173,7 +173,7 @@ extern void header_add_at_position(BO + extern void header_remove(int, const uschar *); + extern BOOL header_testname(header_line *, const uschar *, int, BOOL); + extern BOOL header_testname_incomplete(header_line *, const uschar *, int, BOOL); +-extern void log_write(unsigned int, int, const char *format, ...); ++extern void log_write(unsigned int, int, const char *format, ...) PRINTF_FUNCTION(3,4); extern int lss_b64decode(uschar *, uschar **); extern uschar *lss_b64encode(uschar *, int); extern int lss_match_domain(uschar *, uschar *); -@@ -190,6 +190,6 @@ - extern void smtp_vprintf(char *, va_list); +@@ -188,6 +188,6 @@ extern void smtp_printf(const char *, + extern void smtp_vprintf(const char *, va_list); extern uschar *string_copy(uschar *); extern uschar *string_copyn(uschar *, int); --extern uschar *string_sprintf(char *, ...); -+extern uschar *string_sprintf(char *, ...) PRINTF_FUNCTION(1,2); +-extern uschar *string_sprintf(const char *, ...); ++extern uschar *string_sprintf(const char *, ...) PRINTF_FUNCTION(1,2); /* End of local_scan.h */