From 488a048fdd01e509825a75cd2f74ec45ccecdd82abe67d3d11d5487795b2292f Mon Sep 17 00:00:00 2001 From: Peter Wullinger Date: Tue, 18 Oct 2022 11:52:11 +0000 Subject: [PATCH] Accepting request 1029726 from home:pwcau:branches:server:mail - add patch-cve-2022-3559 (fixes CVE-2022-3559, bsc#1204427, Bug 2915) OBS-URL: https://build.opensuse.org/request/show/1029726 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=268 --- exim.changes | 4 ++ exim.spec | 4 +- patch-cve-2022-3559 | 127 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 patch-cve-2022-3559
diff --git a/exim.changes b/exim.changes
index 8f2724a..9fac123 100644
--- a/exim.changes
+++ b/exim.changes
@@ -1,3 +1,7 @@
+Tue Oct 18 10:00:39 UTC 2022 - Peter Wullinger
+
+- add patch-cve-2022-3559 (fixes CVE-2022-3559, bsc#1204427, Bug 2915)
+
 -------------------------------------------------------------------
 Thu Sep 29 13:36:20 UTC 2022 - Peter Wullinger
diff --git a/exim.spec b/exim.spec
index c3d071f..c97abea 100644
--- a/exim.spec
+++ b/exim.spec
@@ -75,7 +75,7 @@ Requires(pre): group(mail)
 Requires(pre): fileutils textutils
 %endif
 Version: 4.96
-Release: 1
+Release: 2
 %if %{with_mysql}
 BuildRequires: mysql-devel
 %endif
@@ -106,6 +106,7 @@ Source41: exim_db.8.gz
 Patch0: exim-tail.patch
 Patch1: gnu_printf.patch
 Patch2: patch-no-exit-on-rewrite-malformed-address.patch
+Patch3: patch-cve-2022-3559
 %package -n eximon
 Summary: Eximon, an graphical frontend to administer Exim's mail queue
@@ -150,6 +151,7 @@ once, if at all. The rest is done by logrotate / cron.)
 %patch0
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
 fPIE="-fPIE"
diff --git a/patch-cve-2022-3559 b/patch-cve-2022-3559
new file mode 100644
index 0000000..45f2cf5
--- /dev/null
+++ b/patch-cve-2022-3559
@@ -0,0 +1,127 @@
+diff -ru a/src/exim.c b/src/exim.c
+--- a/src/exim.c 2022-06-23 15:41:10.000000000 +0200
++++ b/src/exim.c 2022-10-18 13:38:30.366261000 +0200
+@@ -2001,8 +2001,6 @@
+ regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
+ #endif
+
+-for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+-
+ /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
+ this seems to be a generally accepted convention, since one finds symbolic
+ links called "mailq" in standard OS configurations. */
+@@ -6084,7 +6082,7 @@
+ deliver_localpart_data = deliver_domain_data =
+ recipient_data = sender_data = NULL;
+ acl_var_m = NULL;
+- for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
++ regex_vars_clear();
+
+ store_reset(reset_point);
+ }
+diff -ru a/src/expand.c b/src/expand.c
+--- a/src/expand.c 2022-06-23 15:41:10.000000000 +0200
++++ b/src/expand.c 2022-10-18 13:38:30.368690000 +0200
+@@ -1873,7 +1873,7 @@
+ return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
+ }
+
+-/* Handle $auth variables. */
++/* Handle $auth, $regex variables. */
+
+ if (Ustrncmp(name, "auth", 4) == 0)
+ {
+diff -ru a/src/functions.h b/src/functions.h
+--- a/src/functions.h 2022-06-23 15:41:10.000000000 +0200
++++ b/src/functions.h 2022-10-18 13:39:21.953979000 +0200
+@@ -438,6 +438,7 @@
+ extern BOOL regex_match(const pcre2_code *, const uschar *, int, uschar **);
+ extern BOOL regex_match_and_setup(const pcre2_code *, const uschar *, int, int);
+ extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL);
++extern void regex_vars_clear(void);
+ extern void retry_add_item(address_item *, uschar *, int);
+ extern BOOL retry_check_address(const uschar *, host_item *, uschar *, BOOL,
+ uschar **, uschar **);
+Only in b/src: functions.h.rej
+diff -ru a/src/globals.c b/src/globals.c
+--- a/src/globals.c 2022-06-23 15:41:10.000000000 +0200
++++ b/src/globals.c 2022-10-18 13:46:22.093392000 +0200
+@@ -1315,7 +1315,7 @@
+ #endif
+ const pcre2_code *regex_ismsgid = NULL;
+ const pcre2_code *regex_smtp_code = NULL;
+-const uschar *regex_vars[REGEX_VARS];
++const uschar *regex_vars[REGEX_VARS] = { 0 };
+ #ifdef WHITELIST_D_MACROS
+ const pcre2_code *regex_whitelisted_macro = NULL;
+ #endif
+Only in b/src: globals.c.rej
+diff -ru a/src/regex.c b/src/regex.c
+--- a/src/regex.c 2022-06-23 15:41:10.000000000 +0200
++++ b/src/regex.c 2022-10-18 13:43:13.041903000 +0200
+@@ -96,18 +96,26 @@
+ return FAIL;
+ }
+
++/* reset expansion variables */
++void
++regex_vars_clear(void)
++{
++regex_match_string = NULL;
++for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
++}
++
++
+ int
+-regex(const uschar **listptr)
++regex(const uschar ** listptr)
+ {
+ unsigned long mbox_size;
+-FILE *mbox_file;
+-pcre_list *re_list_head;
+-uschar *linebuffer;
++FILE * mbox_file;
++pcre_list * re_list_head;
++uschar * linebuffer;
+ long f_pos = 0;
+ int ret = FAIL;
+
+-/* reset expansion variable */
+-regex_match_string = NULL;
++regex_vars_clear();
+
+ if (!mime_stream) /* We are in the DATA ACL */
+ {
+@@ -169,14 +177,13 @@
+ int
+ mime_regex(const uschar **listptr)
+ {
+-pcre_list *re_list_head = NULL;
+-FILE *f;
+-uschar *mime_subject = NULL;
++pcre_list * re_list_head = NULL;
++FILE * f;
++uschar * mime_subject = NULL;
+ int mime_subject_len = 0;
+ int ret;
+
+-/* reset expansion variable */
+-regex_match_string = NULL;
++regex_vars_clear();
+
+ /* precompile our regexes */
+ if (!(re_list_head = compile(*listptr)))
+diff -ru a/src/smtp_in.c b/src/smtp_in.c
+--- a/src/smtp_in.c 2022-06-23 15:41:10.000000000 +0200
++++ b/src/smtp_in.c 2022-10-18 13:38:30.372819000 +0200
+@@ -2157,8 +2157,10 @@
+ #ifdef SUPPORT_I18N
+ message_smtputf8 = FALSE;
+ #endif
++regex_vars_clear();
+ body_linecount = body_zerocount = 0;
+
++lookup_value = NULL; /* Can be set by ACL */
+ sender_rate = sender_rate_limit = sender_rate_period = NULL;
+ ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */
+ /* Note that ratelimiters_conn persists across resets. */
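Review bot: The embedded patch carries the lines `Only in b/src: functions.h.rej` and `Only in b/src: globals.c.rej`, which suggests it was produced by `diff -ru` over a tree where the original change did not apply cleanly, so the functions.h and globals.c hunks were presumably placed by hand. As this is the fix for CVE-2022-3559, those two hunks (the `regex_vars_clear` prototype and the `regex_vars[REGEX_VARS] = { 0 }` initialiser) should be compared with the upstream change for Bug 2915, and the patch regenerated from a clean tree without the `.rej` markers. The regex.c hunks also mix pointer-spacing edits (`FILE *mbox_file` to `FILE * mbox_file`) with the functional change, which makes that comparison harder than it needs to be. The comment on the new helper could state the invariant rather than the action; if, as the exim.c hunk suggests, the aim is that these pointers do not survive `store_reset`, something like `/* clear regex_match_string and regex_vars[] so no stale pointer outlives a store reset */` would tell the next maintainer why every reset path must call it.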