From 32d22ea744bbfb70a4ee12ec79b66a493c5d92dd172a70f7e1724794b8f54188 Mon Sep 17 00:00:00 2001 
From: Peter Wullinger Date: Wed, 5 May 2021 05:27:16 +0000 Subject: [PATCH 1/3] Accepting request 890519 from home:pwcau:branches:server:mail - update to exim-4.94.2 security update * CVE-2020-28007: Link attack in Exim's log directory * CVE-2020-28008: Assorted attacks in Exim's spool directory * CVE-2020-28014: Arbitrary PID file creation * CVE-2020-28011: Heap buffer overflow in queue_run() * CVE-2020-28010: Heap out-of-bounds write in main() * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase() * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase() * CVE-2020-28015: New-line injection into spool header file (local) * CVE-2020-28012: Missing close-on-exec flag for privileged pipe * CVE-2020-28009: Integer overflow in get_stdinput() * CVE-2020-28017: Integer overflow in receive_add_recipient() * CVE-2020-28020: Integer overflow in receive_msg() * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg() * CVE-2020-28021: New-line injection into spool header file (remote) * CVE-2020-28022: Heap out-of-bounds read and write in extract_option() * CVE-2020-28026: Line truncation and injection in spool_read_header() * CVE-2020-28019: Failure to reset function pointer after BDAT error * CVE-2020-28024: Heap buffer underflow in smtp_ungetc() * CVE-2020-28018: Use-after-free in tls-openssl.c * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash() - update to exim-4.94.1 * Fix security issue in BDAT state confusion. Ensure we reset known-good where we know we need to not be reading BDAT data, as a general case fix, and move the places where we switch to BDAT mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys. * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT) * Fix security issue with too many recipients on a message (to remove a known security problem if someone does set recipients_max to unlimited, or if local additions add to the recipient list). Fixes CVE-2020-RCPTL reported by Qualys. 
* Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker providing a particularly obnoxious sender full name. * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX better. OBS-URL: https://build.opensuse.org/request/show/890519 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=248 --- exim-4.94.2.tar.bz2 | 3 + exim-4.94.2.tar.bz2.asc | 11 ++ exim-4.94.tar.bz2 | 3 - exim-4.94.tar.bz2.asc | 11 -- exim.changes | 44 +++++++ exim.spec | 6 +- ...s-0e8319c3edebfec2158fbaa4898af27cb3225c99 | 112 ------------------ 7 files changed, 60 insertions(+), 130 deletions(-) create mode 100644 exim-4.94.2.tar.bz2 create mode 100644 exim-4.94.2.tar.bz2.asc delete mode 100644 exim-4.94.tar.bz2 delete mode 100644 exim-4.94.tar.bz2.asc delete mode 100644 patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99 diff --git a/exim-4.94.2.tar.bz2 b/exim-4.94.2.tar.bz2 new file mode 100644 index 0000000..4f1c57f --- /dev/null +++ b/exim-4.94.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:902e611486400608691dff31e1d8725eb9e23602399ad75670ec18878643bc4f +size 2007178 diff --git a/exim-4.94.2.tar.bz2.asc b/exim-4.94.2.tar.bz2.asc new file mode 100644 index 0000000..3a8244e --- /dev/null +++ b/exim-4.94.2.tar.bz2.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEE0L/WueylaUpvFJ3Or0zGdqa2wUIFAmCL9CUACgkQr0zGdqa2 +wULhwAgAy1T60wVzeey/1mJKkq5kugAMF3CeGYW63RHUHOKlw/U1dm5kHd7bakgF +y0t4zcE+6bdBiVaLz+kllq6lclaFRKtR79Qv2c5Mw1T2bMNRgyK38dvTwpnxAJLe +9eLfnxAJx6kxKNpGhkkujRwXTl9AfIFXz4ZGQdsYs/22EOHE3cS1idpl7pyyKwVd +NGAQimod9FzBXRiddDQ1C5z4wIx/XuqXVxpJm7KYqmiwRUQRdBd2pAIoR0sZK/qB +vTfkC3NGSABJvnbsVdpmTUUt+0SMhQx81okJdSIVCf9UUUcBjd2FERHdy3RIUN3I +Vmpqq87TL+3RLPc+HIS+PAw0cqlOqg== +=dNau +-----END PGP SIGNATURE----- diff --git a/exim-4.94.tar.bz2 b/exim-4.94.tar.bz2 deleted file mode 100644 index ce6bd33..0000000 
--- a/exim-4.94.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:73feeaa5ddb43363782db0c307b593aacb49542dd7e4b795a2880779595affe5 -size 1997217 diff --git a/exim-4.94.tar.bz2.asc b/exim-4.94.tar.bz2.asc deleted file mode 100644 index 853126d..0000000 --- a/exim-4.94.tar.bz2.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQFEBAABCAAuFiEEqYbzpr1jd9hzCVjevOWMjOQfMt8FAl7VFJAQHGpnaEB3aXpt -YWlsLm9yZwAKCRC85YyM5B8y3y45CADBlbw+sH3fhIhhwWdremJFiED5xr/4bPjd -jnU/qOWKTg9Iv9F1gBbjpacwBZa+dc49DgeSkLWgx5z3AKke1BzFpA9/mPpVCGvZ -Q934OZ47jixuP38PSoKpEbh1peRf1o+z9tqc/SEty8q+lyH7J2IhQKx8komUI0Y7 -6we1gx1Nm7J6Z2vy0owkU6vx/iuqVE79/lV4avAIqMGBEsLfDNS+tTqe0f6lkPqM -CT+ya0/fUppQfxqSKNrVYU2reGM6H0yEtFAeD2FbFSAGUhH+MecBl/xLbRfKCoCn -WrYvgwrB8eHO3ZS9MSZJIbr9fr02xZF1k2et1oCCJ66/DZSl0BQV -=cjE1 ------END PGP SIGNATURE----- diff --git a/exim.changes b/exim.changes index 0ae6cee..6aa9ad4 100644 --- a/exim.changes +++ b/exim.changes 
@@ -1,3 +1,47 @@ +Tue May 4 16:45:17 CEST 2021 - wullinger@rz.uni-kiel.de + +- update to exim-4.94.2 + security update + * CVE-2020-28007: Link attack in Exim's log directory + * CVE-2020-28008: Assorted attacks in Exim's spool directory + * CVE-2020-28014: Arbitrary PID file creation + * CVE-2020-28011: Heap buffer overflow in queue_run() + * CVE-2020-28010: Heap out-of-bounds write in main() + * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase() + * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase() + * CVE-2020-28015: New-line injection into spool header file (local) + * CVE-2020-28012: Missing close-on-exec flag for privileged pipe + * CVE-2020-28009: Integer overflow in get_stdinput() + * CVE-2020-28017: Integer overflow in receive_add_recipient() + * CVE-2020-28020: Integer overflow in receive_msg() + * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg() + * CVE-2020-28021: New-line injection into spool header file (remote) + * CVE-2020-28022: Heap out-of-bounds read and write in extract_option() + * CVE-2020-28026: Line truncation and injection in spool_read_header() + * CVE-2020-28019: Failure to reset function pointer after BDAT error + * CVE-2020-28024: Heap buffer underflow in smtp_ungetc() + * CVE-2020-28018: Use-after-free in tls-openssl.c + * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash() + +Wed Apr 28 13:55:29 CEST 2021 - wullinger@rz.uni-kiel.de + +- update to exim-4.94.1 + * Fix security issue in BDAT state confusion. + Ensure we reset known-good where we know we need to not be reading BDAT + data, as a general case fix, and move the places where we switch to BDAT + mode until after various protocol state checks. + Fixes CVE-2020-BDATA reported by Qualys. 
+ * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT) + * Fix security issue with too many recipients on a message (to remove a + known security problem if someone does set recipients_max to unlimited, + or if local additions add to the recipient list). + Fixes CVE-2020-RCPTL reported by Qualys. + * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() + * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker + providing a particularly obnoxious sender full name. + * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX + better. + Mon Aug 24 11:13:55 CEST 2020 - wullinger@rz.uni-kiel.de - bring back missing exim_db.8 manual page diff --git a/exim.spec b/exim.spec index 91fb324..ed50587 100644 --- a/exim.spec +++ b/exim.spec @@ -72,8 +72,8 @@ Requires(pre): group(mail) %endif Requires(pre): fileutils textutils %endif -Version: 4.94 -Release: 2 +Version: 4.94.2 +Release: 1 %if %{with_mysql} BuildRequires: mysql-devel %endif @@ -103,7 +103,6 @@ Source40: exim.service Source41: exim_db.8.gz Patch0: exim-tail.patch Patch1: gnu_printf.patch -Patch2: patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99 %package -n eximon Summary: Eximon, an graphical frontend to administer Exim's mail queue @@ -147,7 +146,6 @@ once, if at all. The rest is done by logrotate / cron.) %setup -q -n exim-%{version} %patch0 %patch1 -p1 -%patch2 -p1 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 fPIE="-fPIE" diff --git a/patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99 b/patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99 deleted file mode 100644 index d5043a7..0000000 --- a/patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99 +++ /dev/null 
@@ -1,112 +0,0 @@ -diff -ru a/README.UPDATING b/README.UPDATING ---- a/README.UPDATING 2020-05-30 22:35:38.000000000 +0200 -+++ b/README.UPDATING 2020-06-08 10:36:12.136106000 +0200 -@@ -31,9 +31,9 @@ - - Some Transports now refuse to use tainted data in constructing their delivery - location; this WILL BREAK configurations which are not updated accordingly. --In particular: any Transport use of $local_user which has been relying upon -+In particular: any Transport use of $local_part which has been relying upon - check_local_user far away in the Router to make it safe, should be updated to --replace $local_user with $local_part_data. -+replace $local_part with $local_part_data. - - Attempting to remove, in router or transport, a header name that ends with - an asterisk (which is a standards-legal name) will now result in all headers -diff -ru a/src/acl.c b/src/acl.c ---- a/src/acl.c 2020-05-30 22:35:38.000000000 +0200 -+++ b/src/acl.c 2020-06-08 10:36:13.865973000 +0200 -@@ -3349,11 +3349,11 @@ - { - /* Separate the regular expression and any optional parameters. */ - const uschar * list = arg; -- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size); -+ uschar *ss = string_nextinlist(&list, &sep, NULL, 0); - /* Run the dcc backend. */ - rc = dcc_process(&ss); - /* Modify return code based upon the existence of options. 
*/ -- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) -+ while ((ss = string_nextinlist(&list, &sep, NULL, 0))) - if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER) - rc = FAIL; /* FAIL so that the message is passed to the next ACL */ - } -@@ -3514,7 +3514,7 @@ - int sep = 0; - const uschar *s = arg; - uschar * ss; -- while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))) -+ while ((ss = string_nextinlist(&s, &sep, NULL, 0))) - { - if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN; - else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC; -@@ -3567,7 +3567,7 @@ - { - /* Separate the regular expression and any optional parameters. */ - const uschar * list = arg; -- uschar * ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size); -+ uschar * ss = string_nextinlist(&list, &sep, NULL, 0); - uschar * opt; - BOOL defer_ok = FALSE; - int timeout = 0; -@@ -3672,11 +3672,11 @@ - { - /* Separate the regular expression and any optional parameters. */ - const uschar * list = arg; -- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size); -+ uschar *ss = string_nextinlist(&list, &sep, NULL, 0); - - rc = spam(CUSS &ss); - /* Modify return code based upon the existence of options. 
*/ -- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) -+ while ((ss = string_nextinlist(&list, &sep, NULL, 0))) - if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER) - rc = FAIL; /* FAIL so that the message is passed to the next ACL */ - } -diff -ru a/src/auths/call_pam.c b/src/auths/call_pam.c ---- a/src/auths/call_pam.c 2020-05-30 22:35:38.000000000 +0200 -+++ b/src/auths/call_pam.c 2020-06-08 10:36:12.138178000 +0200 -@@ -83,8 +83,7 @@ - { - case PAM_PROMPT_ECHO_ON: - case PAM_PROMPT_ECHO_OFF: -- arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size); -- if (!arg) -+ if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0))) - { - arg = US""; - pam_arg_ended = TRUE; -@@ -155,7 +154,7 @@ - fail. PAM doesn't support authentication with an empty user (it prompts for it, - causing a potential mis-interpretation). */ - --user = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size); -+user = string_nextinlist(&pam_args, &sep, NULL, 0); - if (user == NULL || user[0] == 0) return FAIL; - - /* Start off PAM interaction */ -diff -ru a/src/exim.c b/src/exim.c ---- a/src/exim.c 2020-05-30 22:35:38.000000000 +0200 -+++ b/src/exim.c 2020-06-08 10:36:13.871593000 +0200 -@@ -2148,7 +2148,7 @@ - concept of *the* alias file, but since Sun's YP make script calls - sendmail this way, some support must be provided. 
*/ - case 'i': -- if (!*++argrest) bi_option = TRUE; -+ if (!*argrest) bi_option = TRUE; - else badarg = TRUE; - break; - -diff -ru a/src/expand.c b/src/expand.c ---- a/src/expand.c 2020-05-30 22:35:38.000000000 +0200 -+++ b/src/expand.c 2020-06-08 10:36:13.873752000 +0200 -@@ -7208,9 +7208,8 @@ - { - int cnt = 0; - int sep = 0; -- uschar buffer[256]; - -- while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++; -+ while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++; - yield = string_fmt_append(yield, "%d", cnt); - continue; - } From 574d198a2b71742202a032b37449bb4deab08faf08cd079782ce41e57d2c95e8 Mon Sep 17 00:00:00 2001 From: Peter Wullinger Date: Wed, 5 May 2021 09:20:29 +0000 Subject: [PATCH 2/3] add bugzilla reference (bsc#1185631) OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=249 --- exim.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exim.changes b/exim.changes index 6aa9ad4..30fe508 100644 --- a/exim.changes +++ b/exim.changes @@ -1,7 +1,7 @@ Tue May 4 16:45:17 CEST 2021 - wullinger@rz.uni-kiel.de - update to exim-4.94.2 - security update + security update (bsc#1185631) * CVE-2020-28007: Link attack in Exim's log directory * CVE-2020-28008: Assorted attacks in Exim's spool directory * CVE-2020-28014: Arbitrary PID file creation From 5d0e28acb233bce977559bc5bfa512e47593ac58f463fee99aec7a6dd8c7b412 Mon Sep 17 00:00:00 2001 From: Peter Wullinger Date: Wed, 5 May 2021 09:48:27 +0000 Subject: [PATCH 3/3] Accepting request 890643 from home:AndreasStieger:branches:server:mail some changelog OCD OBS-URL: https://build.opensuse.org/request/show/890643 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=250 --- exim.changes | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/exim.changes b/exim.changes index 30fe508..babae4a 100644 --- a/exim.changes +++ b/exim.changes 
@@ -1,3 +1,4 @@ +------------------------------------------------------------------- Tue May 4 16:45:17 CEST 2021 - wullinger@rz.uni-kiel.de - update to exim-4.94.2 @@ -23,6 +24,7 @@ Tue May 4 16:45:17 CEST 2021 - wullinger@rz.uni-kiel.de * CVE-2020-28018: Use-after-free in tls-openssl.c * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash() +------------------------------------------------------------------- Wed Apr 28 13:55:29 CEST 2021 - wullinger@rz.uni-kiel.de - update to exim-4.94.1 @@ -42,11 +44,13 @@ Wed Apr 28 13:55:29 CEST 2021 - wullinger@rz.uni-kiel.de * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX better. +------------------------------------------------------------------- Mon Aug 24 11:13:55 CEST 2020 - wullinger@rz.uni-kiel.de - bring back missing exim_db.8 manual page (fixes bsc#1173693) +------------------------------------------------------------------- Mon Jun 8 11:24:08 CEST 2020 - wullinger@rz.uni-kiel.de - bring in changes from current +fixes (lots of taint check fixes) @@ -68,6 +72,7 @@ Mon Jun 8 11:24:08 CEST 2020 - wullinger@rz.uni-kiel.de broken the (no-op) support for this sendmail command. Restore it to doing nothing, silently, and returning good status. +------------------------------------------------------------------- Tue Jun 2 07:12:55 CEST 2020 - wullinger@rz.uni-kiel.de - update to exim 4.94 @@ -83,11 +88,13 @@ Tue Jun 2 07:12:55 CEST 2020 - wullinger@rz.uni-kiel.de ------------------------------------------------------------------- Tue May 19 13:47:05 CEST 2020 - wullinger@rz.uni-kiel.de + - switch pretrans to use lua (fixes bsc#1171877) ------------------------------------------------------------------- Tue May 12 08:19:17 UTC 2020 - wullinger@rz.uni-kiel.de + - bring changes from current in +fixes branch (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94) * fixes CVE-2020-12783 (bsc#1171490) 
@@ -118,11 +125,13 @@ Tue May 12 08:19:17 UTC 2020 - wullinger@rz.uni-kiel.de ------------------------------------------------------------------- Wed Apr 1 12:52:10 UTC 2020 - wullinger@rz.uni-kiel.de + - don't create logfiles during install * fixes CVE-2020-8015 (bsc#1154183) ------------------------------------------------------------------- Mon Jan 13 08:48:53 CET 2020 - wullinger@rz.uni-kiel.de + - add a spec-file workaround for bsc#1160726 -------------------------------------------------------------------
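Review bot: in the exim-4.94.1 entry that [PATCH 1/3] adds to exim.changes, CVE-2020-BDATA, CVE-2020-EXOPT, CVE-2020-RCPTL, CVE-2020-PFPSN and CVE-2020-SLCWD are labels rather than numeric CVE identifiers, so they will not match a CVE-YYYY-NNNN pattern when the changelog is searched or scanned. The same entry already pairs one label with its number as "CVE-2020-28016 (PFPZA)"; please write the others in that form. CVE-2020-28016 also appears under both the 4.94.1 and the 4.94.2 entry, so either state which release carries the fix or note that the double listing is intended.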
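Review bot: the detached signature added as exim-4.94.2.tar.bz2.asc in [PATCH 1/3] does not begin with the same packet header and issuer bytes as the exim-4.94.tar.bz2.asc it replaces, which suggests the new tarball was signed with a different key than the previous release. Please confirm that the new signer's key is in the keyring the package is verified against and mention the key change in the request, since none of the exim.spec hunks shown here touch a keyring source.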
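Review bot: the exim.spec hunks in [PATCH 1/3] remove Patch2 and its "%patch2 -p1" line, and the 112-line patch-exim-4.94+fixes file is deleted, but neither new exim.changes entry records that the patch was dropped. Add a changelog line naming the removed patch and stating that its changes (the string_nextinlist() calls switched to "NULL, 0", the 'i' option handling in src/exim.c, the README.UPDATING wording) are contained in the 4.94.2 tarball, after checking that they are.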