pool/exim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 603159 from server:mail

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/603159
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/exim?expand=0&rev=48
This commit is contained in:
Dominique Leuenberger 2018-05-15 08:04:24 +00:00 committed by Git OBS Bridge
commit 9294bc0009
10 changed files with 174 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
exim-4.86.2-mariadb_102_compile_fix.patch
View File

@ -1,94 +0,0 @@
Index: exim-4.86.2/src/lookups/mysql.c
===================================================================
--- exim-4.86.2.orig/src/lookups/mysql.c
+++ exim-4.86.2/src/lookups/mysql.c
@@ -14,6 +14,53 @@ functions. */
#include <mysql.h> /* The system header */
+/* We define symbols for *_VERSION_ID (numeric), *_VERSION_STR (char*)
+and *_BASE_STR (char*). It's a bit of guesswork. Especially for mariadb
+with versions before 10.2, as they do not define there there specific symbols.
+*/
+
+// Newer (>= 10.2) MariaDB
+#if defined MARIADB_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID MARIADB_VERSION_ID
+
+// MySQL defines MYSQL_VERSION_ID, and MariaDB does so
+// https://dev.mysql.com/doc/refman/5.7/en/c-api-server-client-versions.html
+#elif defined LIBMYSQL_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID LIBMYSQL_VERSION_ID
+#elif defined MYSQL_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID MYSQL_VERSION_ID
+
+#else
+#define EXIM_MYSQL_VERSION_ID 0
+#endif
+
+// Newer (>= 10.2) MariaDB
+#ifdef MARIADB_CLIENT_VERSION_STR
+#define EXIM_MxSQL_VERSION_STR MARIADB_CLIENT_VERSION_STR
+
+// Mysql uses MYSQL_SERVER_VERSION
+#elif defined LIBMYSQL_VERSION
+#define EXIM_MxSQL_VERSION_STR LIBMYSQL_VERSION
+#elif defined MYSQL_SERVER_VERSION
+#define EXIM_MxSQL_VERSION_STR MYSQL_SERVER_VERSION
+
+#else
+#define EXIM_MxSQL_VERSION_STR "N.A."
+#endif
+
+#if defined MARIADB_BASE_VERSION
+#define EXIM_MxSQL_BASE_STR MARIADB_BASE_VERSION
+
+#elif defined MARIADB_PACKAGE_VERSION
+#define EXIM_MxSQL_BASE_STR "mariadb"
+
+#elif defined MYSQL_BASE_VERSION
+#define EXIM_MxSQL_BASE_STR MYSQL_BASE_VERSION
+
+#else
+#define EXIM_MxSQL_BASE_STR "n.A."
+#endif
+
/* Structure and anchor for caching connections. */
@@ -423,10 +470,10 @@ return quoted;
void
mysql_version_report(FILE *f)
{
-fprintf(f, "Library version: MySQL: Compile: %s [%s]\n"
- " Runtime: %s\n",
- MYSQL_SERVER_VERSION, MYSQL_COMPILATION_COMMENT,
- mysql_get_client_info());
+fprintf(f, "Library version: MySQL: Compile: %lu %s [%s]\n"
+ " Runtime: %lu %s\n",
+ (long)EXIM_MxSQL_VERSION_ID, EXIM_MxSQL_VERSION_STR, EXIM_MxSQL_BASE_STR,
+ mysql_get_client_version(), mysql_get_client_info());
#ifdef DYNLOOKUP
fprintf(f, " Exim version %s\n", EXIM_VERSION_STR);
#endif
Index: exim-4.86.2/src/EDITME
===================================================================
--- exim-4.86.2.orig/src/EDITME
+++ exim-4.86.2/src/EDITME
@@ -253,7 +253,7 @@ TRANSPORT_SMTP=yes
# you perform upgrades and revert them. You should consider the benefit of
# embedding the Exim version number into LOOKUP_MODULE_DIR, so that you can
# maintain two concurrent sets of modules.
-#
+#
# *BEWARE*: ability to modify the files in LOOKUP_MODULE_DIR is equivalent to
# the ability to modify the Exim binary, which is often setuid root! The Exim
# developers only intend this functionality be used by OS software packagers
@@ -301,6 +301,7 @@ LOOKUP_DNSDB=yes
# LOOKUP_IBASE=yes
# LOOKUP_LDAP=yes
# LOOKUP_MYSQL=yes
+# LOOKUP_MYSQL_PC=mariadb
# LOOKUP_NIS=yes
# LOOKUP_NISPLUS=yes
# LOOKUP_ORACLE=yes

3
exim-4.88.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:119d5fd7e31fc224e84dfa458fe182f200856bae7adf852a8287c242161f8a2d
size 1824610

10
exim-4.88.tar.bz2.asc
View File

@ -1,10 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJYVqBoAAoJELzljIzkHzLf5vIH/R4gcGqdEwGkFDRwQA5ImNif
USPeSli63U2tL2YRpf8E/sMWlf2ywZl9vGkVWhvYFvMWI4gn+hNAh0jUj2BakCdI
aEjUk0KSA0nXHzIGmNyf0lAcC1VONRq0KLxfQvlGF8RrKnBL7urg46EVFagmU8g9
m3KVHPjv1cUIICZdJVWICUChjjm23pBvtqr1M9TgUAhWQU0FaG9dmgY2Kh4s2pnG
0o+llbQdU1hvtk0lTMzZYmYTtS3totoyR3aKYdws/epOnE1MgVOIlnp2q5R9FMO1
RE5bHa2Qg5UCf5wwAKSOxIDLPEVUoX6qkbP7inByuGKZ5dSvBQwUGPAt+b2Lb38=
=jgHZ
-----END PGP SIGNATURE-----

3
exim-4.91.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:eff5b41276a0039e89af4b447da13aaa61c5823d4ec2c37353dc23577cfb02d3
size 1912811

10
exim-4.91.tar.bz2.asc Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJa01I+AAoJELzljIzkHzLfBRAH/R4DJhI01BTVIl6/7gQOVfST
fmhBh3rTRXhkSR7XfzxWgNR2jJnDJReitBdjDvkgLdYZ7+S3G7+WIJeSuoP2+PPO
VfSEWQdaeYYyvz6C81xPHo+UARnQcGTygPQpLk9XDiVYZ7X9TYUuomNX4MsK1EXb
2ZJUJ1Sm1DoZx9MbPXJfUSPXeBJGMJwjSjh9KRssFg5VddjBc/oNHf3oL/ThodzU
SmMyPc29r8ZZe+EC5lVumN6G8UalDFPROa/0VEYkJsj7zFG6JgIlRhWgYaIq3nGn
m6ghRaRNQFSktjzISD+mf3ttiqyoJAPRc4x2fbvDAnUjpNQ3VuxOP8uz758cPTw=
=I/a+
-----END PGP SIGNATURE-----

43
exim-CVE-2017-1000369.patch
View File

@ -1,43 +0,0 @@
commit 65e061b76867a9ea7aeeb535341b790b90ae6c21
Author: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Date: Wed May 31 23:08:56 2017 +0200
Cleanup (prevent repeated use of -p/-oMr to avoid mem leak)
diff --git a/src/exim.c b/src/src/exim.c
index 67583e58..88e11977 100644
--- a/src/exim.c
+++ b/src/exim.c
@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++)
/* -oMr: Received protocol */
- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
+ else if (Ustrcmp(argrest, "Mr") == 0)
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+ else received_protocol = argv[++i];
/* -oMs: Set sender host name */
@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++)
if (*argrest != 0)
{
- uschar *hn = Ustrchr(argrest, ':');
+ uschar *hn;
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+
+ hn = Ustrchr(argrest, ':');
if (hn == NULL)
{
received_protocol = argrest;

40
exim-CVE-2017-16943.patch
View File

@ -1,40 +0,0 @@
From 4e6ae6235c68de243b1c2419027472d7659aa2b4 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 24 Nov 2017 20:22:33 +0000
Subject: [PATCH] Avoid release of store if there have been later allocations.
Bug 2199
---
src/src/receive.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/src/receive.c b/src/src/receive.c
index e7e518a..d9b5001 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -1810,8 +1810,8 @@ for (;;)
(and sometimes lunatic messages can have ones that are 100s of K long) we
call store_release() for strings that have been copied - if the string is at
the start of a block (and therefore the only thing in it, because we aren't
- doing any other gets), the block gets freed. We can only do this because we
- know there are no other calls to store_get() going on. */
+ doing any other gets), the block gets freed. We can only do this release if
+ there were no allocations since the once that we want to free. */
if (ptr >= header_size - 4)
{
@@ -1820,9 +1820,10 @@ for (;;)
header_size *= 2;
if (!store_extend(next->text, oldsize, header_size))
{
+ BOOL release_ok = store_last_get[store_pool] == next->text;
uschar *newtext = store_get(header_size);
memcpy(newtext, next->text, ptr);
- store_release(next->text);
+ if (release_ok) store_release(next->text);
next->text = newtext;
}
}
--
1.9.1

41
exim-CVE-2017-16944.patch
View File

@ -1,41 +0,0 @@
diff -ru a/src/receive.c b/src/receive.c
--- a/src/receive.c 2017-11-30 09:15:29.593364805 +0100
+++ b/src/receive.c 2017-11-30 09:17:32.026970431 +0100
@@ -1759,7 +1759,7 @@
prevent further reading), and break out of the loop, having freed the
empty header, and set next = NULL to indicate no data line. */
- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+ if (ptr == 0 && ch == '.' && dot_ends)
{
ch = (receive_getc)();
if (ch == '\r')
diff -ru a/src/smtp_in.c b/src/smtp_in.c
--- a/src/smtp_in.c 2017-11-30 09:15:29.593364805 +0100
+++ b/src/smtp_in.c 2017-11-30 09:41:47.270055566 +0100
@@ -4751,11 +4751,17 @@
? CHUNKING_LAST : CHUNKING_ACTIVE;
chunking_data_left = chunking_datasize;
+ /* push the current receive_* function on the "stack", and
+ replace them by bdat_getc(), which in turn will use the lwr_receive_*
+ functions to do the dirty work. */
lwr_receive_getc = receive_getc;
lwr_receive_ungetc = receive_ungetc;
+
receive_getc = bdat_getc;
receive_ungetc = bdat_ungetc;
+ dot_ends = FALSE;
+
DEBUG(D_any)
debug_printf("chunking state %d\n", (int)chunking_state);
goto DATA_BDAT;
@@ -4763,6 +4769,7 @@
case DATA_CMD:
HAD(SCH_DATA);
+ dot_ends = TRUE;
DATA_BDAT: /* Common code for DATA and BDAT */
if (!discarded && recipients_count <= 0)

149
exim.changes
View File

@ -1,3 +1,152 @@
-------------------------------------------------------------------
Mon Apr 16 13:57:17 UTC 2018 - wullinger@rz.uni-kiel.de
- update to 4.91
* DEFER rather than ERROR on redis cluster MOVED response.
* Catch and remove uninitialized value warning in exiqsumm
* Disallow '/' characters in queue names specified for the "queue=" ACL
modifier. This matches the restriction on the commandline.
* Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
* Bug 2217: Tighten up the parsing of DKIM signature headers.
* Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
* Fix issue with continued-connections when the DNS shifts unreliably.
* Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
* The "support for" informational output now, which built with Content
Scanning support, has a line for the malware scanner interfaces compiled
in. Interface can be individually included or not at build time.
* The "aveserver", "kavdaemon" and "mksd" interfaces are now not included
by the template makefile "src/EDITME". The "STREAM" support for an older
ClamAV interface method is removed.
* Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
* The runtime Berkeley DB library version is now additionally output by
"exim -d -bV". Previously only the compile-time version was shown.
* Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection.
* Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers.
* Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped.
* Relax results from ACL control request to enable cutthrough, in
unsupported situations, from error to silently (except under debug)
ignoring.
* Fix Buffer overflow in base64d() (CVE-2018-6789)
* Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
* Fix broken Heimdal GSSAPI authenticator integration.
* Bug 2113: Fix conversation closedown with the Avast malware scanner.
* Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.
* Speed up macro lookups during configuration file read, by skipping non-
macro text after a replacement (previously it was only once per line) and
by skipping builtin macros when searching for an uppercase lead character.
* DANE support moved from Experimental to mainline. The Makefile control
for the build is renamed.
* Fix memory leak during multi-message connections using STARTTLS.
* Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
reported the original. Fix to report (as far as possible) the ACL
result replacing the original.
* Fix memory leak during multi-message connections using STARTTLS under
OpenSSL
* Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
* Fix utf8_downconvert propagation through a redirect router.
* Bug 2253: For logging delivery lines under PRDR, append the overall
DATA response info to the (existing) per-recipient response info for
the "C=" log element.
* Bug 2251: Fix ldap lookups that return a single attribute having zero-
length value.
* Support Avast multiline protocol, this allows passing flags to
newer versions of the scanner.
* Ensure that variables possibly set during message acceptance are marked
dead before release of memory in the daemon loop.
* Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
as a multi-recipient message from a mailinglist manager).
* The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
replaced by the ${authresults } expansion.
* Bug 2257: Fix pipe transport to not use a socket-only syscall.
* Set a handler for SIGTERM and call exit(3) if running as PID 1. This
allows proper process termination in container environments.
* Bug 2258: Fix spool_wireformat in combination with LMTP transport.
Previously the "final dot" had a newline after it; ensure it is CR,LF.
* SPF: remove support for the "spf" ACL condition outcome values "err_temp"
and "err_perm", deprecated since 4.83 when the RFC-defined words
" temperror" and "permerror" were introduced.
* Re-introduce enforcement of no cutthrough delivery on transports having
transport-filters or DKIM-signing.
* Cutthrough: for a final-dot response timeout (and nonunderstood responses)
in defer=pass mode supply a 450 to the initiator. Previously the message
would be spooled.
* DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
tls_require_ciphers is used as before.
* Malware Avast: Better match the Avast multiline protocol.
* Fix reinitialisation of DKIM logging variable between messages.
* Bug 2255: Revert the disable of the OpenSSL session caching.
* Add util/renew-opendmarc-tlds.sh script for safe renewal of public
suffix list.
* DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,
since the IETF WG has not yet settled on that versus the original
"bare" representation.
* Fix syslog logging for syslog_timestamp=no and log_selector +millisec.
Previously the millisecond value corrupted the output.
Fix also for syslog_pid=no and log_selector +pid, for which the pid
corrupted the output.
-------------------------------------------------------------------
Thu Mar 15 20:22:09 UTC 2018 - crrodriguez@opensuse.org
- Replace xorg-x11-devel by individual pkgconfig() buildrequires.
-------------------------------------------------------------------
Tue Feb 13 13:39:34 UTC 2018 - kbabioch@suse.com
- update to 4.90.1
* Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
during configuration. Wildcards are allowed and expanded.
* Shorten the log line for daemon startup by collapsing adjacent sets of
identical IP addresses on different listening ports. Will also affect
"exiwhat" output.
* Tighten up the checking in isip4 (et al): dotted-quad components larger
than 255 are no longer allowed.
* Default openssl_options to include +no_ticket, to reduce load on peers.
Disable the session-cache too, which might reduce our load. Since we
currrectly use a new context for every connection, both as server and
client, there is no benefit for these.
* Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
<https://reproducible-builds.org/specs/source-date-epoch/>.
* Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
the check for any unsuccessful recipients did not notice the limit, and
erroneously found still-pending ones.
* Pipeline CHUNKING command and data together, on kernels that support
MSG_MORE. Only in-clear (not on TLS connections).
* Avoid using a temporary file during transport using dkim. Unless a
transport-filter is involved we can buffer the headers in memory for
creating the signature, and read the spool data file once for the
signature and again for transmission.
* Enable use of sendfile in Linux builds as default. It was disabled in
4.77 as the kernel support then wasn't solid, having issues in 64bit
mode. Now, it's been long enough. Add support for FreeBSD also.
* Add commandline_checks_require_admin option.
* Do pipelining under TLS.
* For the "sock" variant of the malware scanner interface, accept an empty
cmdline element to get the documented default one. Previously it was
inaccessible.
* Prevent repeated use of -p/-oMr
* DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field,
if present.
* DKIM: when a message has multiple signatures matching an identity given
in dkim_verify_signers, run the dkim acl once for each.
* Support IDNA2008.
* The path option on a pipe transport is now expanded before use
* Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
- Several bug fixes
- Fix for buffer overflow in base64decode() (bsc#1079832 CVE-2018-6789)
- removed patches (included upstream now):
* exim-CVE-2017-1000369.patch
* exim-CVE-2017-16943.patch
* exim-CVE-2017-16944.patch
* exim-4.86.2-mariadb_102_compile_fix.patch
-------------------------------------------------------------------
Thu Nov 30 08:32:50 UTC 2017 - wullinger@rz.uni-kiel.de

37
exim.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package exim
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -47,17 +47,12 @@ BuildRequires: pam-devel
BuildRequires: openldap2-devel
%endif
BuildRequires: pcre-devel
%if %{?suse_version:1}%{?!suse_version:0}
BuildRequires: libopenssl-devel
BuildRequires: tcpd-devel
BuildRequires: xorg-x11-devel
%else
BuildRequires: libXaw-devel
BuildRequires: libXext-devel
BuildRequires: libXt-devel
BuildRequires: openssl-devel
BuildRequires: tcp_wrappers
%endif
BuildRequires: pkgconfig(libcrypto)
BuildRequires: pkgconfig(libssl)
BuildRequires: pkgconfig(xaw7)
BuildRequires: pkgconfig(xmu)
BuildRequires: pkgconfig(xt)
Url: http://www.exim.org/
Conflicts: sendmail sendmail-tls postfix
Provides: smtp_daemon
@ -78,7 +73,7 @@ Requires(pre): group(mail)
%endif
Requires(pre): fileutils textutils
%endif
Version: 4.88
Version: 4.91
Release: 0
%if %{with_mysql}
BuildRequires: mysql-devel
@ -90,11 +85,11 @@ BuildRequires: postgresql-devel
BuildRequires: sqlite3-devel
%endif
Summary: The Exim Mail Transfer Agent, a Replacement for sendmail
License: GPL-2.0+
License: GPL-2.0-or-later
Group: Productivity/Networking/Email/Servers
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source: http://ftp.exim.org/pub/exim/exim4/old/exim-%{version}.tar.bz2
Source3: http://ftp.exim.org/pub/exim/exim4/old/exim-%{version}.tar.bz2.asc
Source: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2
Source3: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2.asc
# http://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc
Source4: exim.keyring
Source1: sysconfig.exim
@ -107,10 +102,6 @@ Source31: eximstats.conf
Source32: eximstats.conf-2.2
Source40: exim.service
Patch0: exim-tail.patch
Patch3: exim-CVE-2017-1000369.patch
Patch4: exim-CVE-2017-16943.patch
Patch5: exim-CVE-2017-16944.patch
Patch6: exim-4.86.2-mariadb_102_compile_fix.patch
%package -n eximon
Summary: Eximon, an graphical frontend to administer Exim's mail queue
@ -153,10 +144,6 @@ once, if at all. The rest is done by logrotate / cron.)
%prep
%setup -q -n exim-%{version}
%patch0
%patch3 -p 1
%patch4 -p 1
%patch5 -p 1
%patch6 -p 1
# build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
fPIE="-fPIE"
@ -294,7 +281,7 @@ cat <<-EOF > Local/Makefile
EXPERIMENTAL_DSN=yes
SYSTEM_ALIASES_FILE=/etc/aliases
%if %{with dane}
EXPERIMENTAL_DANE=yes
DANE=yes
%endif
EXPERIMENTAL_SOCKS=yes
%if %{with i18n}
@ -328,7 +315,7 @@ make inst_dest=$RPM_BUILD_ROOT/usr/sbin \
inst_info=$RPM_BUILD_ROOT/%{_infodir} \
INSTALL_ARG=-no_chown install
#mv $RPM_BUILD_ROOT/usr/sbin/exim-%{version}* $RPM_BUILD_ROOT/usr/sbin/exim
mv $RPM_BUILD_ROOT/usr/sbin/exim-4.8* $RPM_BUILD_ROOT/usr/sbin/exim
mv $RPM_BUILD_ROOT/usr/sbin/exim-4.9* $RPM_BUILD_ROOT/usr/sbin/exim
mv $RPM_BUILD_ROOT/etc/exim/exim.conf src/configure.default # with all substitutions done
%if 0%{?suse_version} > 1220
install -m 0644 %{S:40} $RPM_BUILD_ROOT/%{_unitdir}/exim.service