Accepting request 1114683 from home:pwcau:branches:server:mail

- add patch for * CVE-2023-42114 (bsc#1215784) * CVE-2023-42115 (bsc#1215785) * CVE-2023-42116 (bsc#1215786) OBS-URL: https://build.opensuse.org/request/show/1114683 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=274
2023-10-02 06:36:36 +00:00 · 2023-10-02 06:36:36 +00:00 · d4072b44a4
commit d4072b44a4
parent 6568568245
3 changed files with 303 additions and 0 deletions
--- a/exim.changes
+++ b/exim.changes
@ -1,3 +1,10 @@
+Mon Oct  2 05:53:32 UTC 2023 - Peter Wullinger <wullinger@rz.uni-kiel.de>
+
+- add patch for
+  * CVE-2023-42114 (bsc#1215784)
+  * CVE-2023-42115 (bsc#1215785)
+  * CVE-2023-42116 (bsc#1215786)
+
 -------------------------------------------------------------------
 Tue Mar 28 13:46:34 UTC 2023 - Peter Wullinger <wullinger@rz.uni-kiel.de>

--- a/exim.spec
+++ b/exim.spec
@ -107,6 +107,7 @@ Patch0:         exim-tail.patch
 Patch1:         gnu_printf.patch
 Patch2:         patch-no-exit-on-rewrite-malformed-address.patch
 Patch3:         patch-cve-2022-3559
+Patch4:         patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch

 %package -n eximon
 Summary:        Eximon, an graphical frontend to administer Exim's mail queue
@ -152,6 +153,7 @@ once, if at all. The rest is done by logrotate / cron.)
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
 fPIE="-fPIE"
--- a/patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch
+++ b/patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch
@ -0,0 +1,294 @@
+diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
+index 8d886b6b6..bb3d327d1 100644
+--- a/src/auths/auth-spa.c
+++ b/src/auths/auth-spa.c
+@@ -155,6 +155,9 @@ int main (int argc, char ** argv)
+    up with a different answer to the one above)
+ */
+ 
+#ifndef MACRO_PREDEF
+
+
+ #define DEBUG_X(a,b) ;
+ 
+ extern int DEBUGLEVEL;
+@@ -1211,7 +1214,9 @@ char versionString[] = "libntlm version 0.21";
+ 
+ #define spa_bytes_add(ptr, header, buf, count) \
+ { \
+-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+if (  buf && (count) != 0	/* we hate -Wint-in-bool-contex */ \
+   && ptr->bufIndex + count < sizeof(ptr->buffer)		\
+   ) \
+   { \
+   SSVAL(&ptr->header.len,0,count); \
+   SSVAL(&ptr->header.maxlen,0,count); \
+@@ -1229,35 +1234,30 @@ else \
+ 
+ #define spa_string_add(ptr, header, string) \
+ { \
+-char *p = string; \
+uschar * p = string; \
+ int len = 0; \
+-if (p) len = strlen(p); \
+-spa_bytes_add(ptr, header, (US p), len); \
+if (p) len = Ustrlen(p); \
+spa_bytes_add(ptr, header, p, len); \
+ }
+ 
+ #define spa_unicode_add_string(ptr, header, string) \
+ { \
+-char *p = string; \
+-uschar *b = NULL; \
+uschar * p = string; \
+uschar * b = NULL; \
+ int len = 0; \
+ if (p) \
+   { \
+-  len = strlen(p); \
+-  b = strToUnicode(p); \
+  len = Ustrlen(p); \
+  b = US strToUnicode(CS p); \
+   } \
+ spa_bytes_add(ptr, header, b, len*2); \
+ }
+ 
+ 
+-#define GetUnicodeString(structPtr, header) \
+-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-#define GetString(structPtr, header) \
+-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+ #ifdef notdef
+ 
+ #define DumpBuffer(fp, structPtr, header) \
+-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+ 
+ 
+ static void
+@@ -1321,8 +1321,33 @@ buf[len] = 0;
+ return buf;
+ }
+ 
+static inline uschar *
+get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+{
+int off = IVAL(&hdr->offset, 0);
+int len = SVAL(&hdr->len, 0);
+return off + len < sizeof(SPAAuthChallenge)
+  ? US unicodeToString(CS challenge + off, len/2) : US"";
+}
+
+static inline uschar *
+get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+{
+int off = IVAL(&hdr->offset, 0);
+int len = SVAL(&hdr->len, 0);
+return off + len < sizeof(SPAAuthChallenge)
+  ? US toString(CS challenge + off, len) : US"";
+}
+
+ #ifdef notdef
+ 
+#define GetUnicodeString(structPtr, header) \
+ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+
+#define GetString(structPtr, header) \
+ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+
+
+ void
+ dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
+ {
+@@ -1366,15 +1391,15 @@ fprintf (fp, "      Flags = %08x\n", IVAL (&response->flags, 0));
+ #endif
+ 
+ void
+-spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
+spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
+ {
+-char *u = strdup (user);
+-char *p = strchr (u, '@');
+uschar * u = string_copy(user);
+uschar * p = Ustrchr(u, '@');
+ 
+ if (p)
+   {
+   if (!domain)
+-   domain = p + 1;
+    domain = p + 1;
+   *p = '\0';
+   }
+ 
+@@ -1384,7 +1409,6 @@ SIVAL (&request->msgType, 0, 1);
+ SIVAL (&request->flags, 0, 0x0000b207);      /* have to figure out what these mean */
+ spa_string_add (request, user, u);
+ spa_string_add (request, domain, domain);
+-free (u);
+ }
+ 
+ 
+@@ -1475,16 +1499,16 @@ free (u);
+ 
+ void
+ spa_build_auth_response (SPAAuthChallenge * challenge,
+-                        SPAAuthResponse * response, char *user,
+-                        char *password)
+                        SPAAuthResponse * response, uschar * user,
+                        uschar * password)
+ {
+ uint8x lmRespData[24];
+ uint8x ntRespData[24];
+ uint32x cf = IVAL(&challenge->flags, 0);
+-char *u = strdup (user);
+-char *p = strchr (u, '@');
+-char *d = NULL;
+-char *domain;
+uschar * u = string_copy(user);
+uschar * p = Ustrchr(u, '@');
+uschar * d = NULL;
+uschar * domain;
+ 
+ if (p)
+   {
+@@ -1492,33 +1516,33 @@ if (p)
+   *p = '\0';
+   }
+ 
+-else domain = d = strdup((cf & 0x1)?
+-  CCS GetUnicodeString(challenge, uDomain) :
+-  CCS GetString(challenge, uDomain));
+else domain = d = string_copy(cf & 0x1
+  ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
+  : CUS get_challenge_str(challenge, &challenge->uDomain));
+ 
+-spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
+-spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
+spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
+ 
+ response->bufIndex = 0;
+ memcpy (response->ident, "NTLMSSP\0\0\0", 8);
+ SIVAL (&response->msgType, 0, 3);
+ 
+-spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
+-spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
+spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0);
+spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0);
+ 
+ if (cf & 0x1) {      /* Unicode Text */
+-     spa_unicode_add_string (response, uDomain, domain);
+-     spa_unicode_add_string (response, uUser, u);
+-     spa_unicode_add_string (response, uWks, u);
+     spa_unicode_add_string(response, uDomain, domain);
+     spa_unicode_add_string(response, uUser, u);
+     spa_unicode_add_string(response, uWks, u);
+ } else {             /* OEM Text */
+-     spa_string_add (response, uDomain, domain);
+-     spa_string_add (response, uUser, u);
+-     spa_string_add (response, uWks, u);
+     spa_string_add(response, uDomain, domain);
+     spa_string_add(response, uUser, u);
+     spa_string_add(response, uWks, u);
+ }
+ 
+-spa_string_add (response, sessionKey, NULL);
+spa_string_add(response, sessionKey, NULL);
+ response->flags = challenge->flags;
+-
+-if (d != NULL) free (d);
+-free (u);
+ }
+
+
+#endif   /*!MACRO_PREDEF*/
+diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h
+index cfe1b086d..3b0b3a9e3 100644
+--- a/src/auths/auth-spa.h
+++ b/src/auths/auth-spa.h
+@@ -79,10 +79,10 @@ typedef struct
+ 
+ void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
+ int spa_base64_to_bits(char *, int, const char *);
+-void spa_build_auth_response (SPAAuthChallenge *challenge,
+-       SPAAuthResponse *response, char *user, char *password);
+-void spa_build_auth_request (SPAAuthRequest *request, char *user,
+-       char *domain);
+void spa_build_auth_response (SPAAuthChallenge * challenge,
+       SPAAuthResponse * response, uschar * user, uschar * password);
+void spa_build_auth_request (SPAAuthRequest * request, uschar * user,
+       uschar * domain);
+ extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
+                              unsigned char * p24);
+ extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
+diff --git a/src/auths/external.c b/src/auths/external.c
+index 7e7fca841..790b98159 100644
+--- a/src/auths/external.c
+++ b/src/auths/external.c
+@@ -103,7 +103,7 @@ if (expand_nmax == 0) 	/* skip if rxd data */
+ if (ob->server_param2)
+   {
+   uschar * s = expand_string(ob->server_param2);
+-  auth_vars[expand_nmax] = s;
+  auth_vars[expand_nmax = 1] = s;
+   expand_nstring[++expand_nmax] = s;
+   expand_nlength[expand_nmax] = Ustrlen(s);
+   if (ob->server_param3)
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index ff90d33a3..bfaccefda 100644
+--- a/src/auths/spa.c
+++ b/src/auths/spa.c
+@@ -284,14 +284,13 @@ SPAAuthRequest   request;
+ SPAAuthChallenge challenge;
+ SPAAuthResponse  response;
+ char msgbuf[2048];
+-char *domain = NULL;
+-char *username, *password;
+uschar * domain = NULL, * username, * password;
+ 
+ /* Code added by PH to expand the options */
+ 
+ *buffer = 0;    /* Default no message when cancelled */
+ 
+-if (!(username = CS expand_string(ob->spa_username)))
+if (!(username = expand_string(ob->spa_username)))
+   {
+   if (f.expand_string_forcedfail) return CANCELLED;
+   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -300,7 +299,7 @@ if (!(username = CS expand_string(ob->spa_username)))
+   return ERROR;
+   }
+ 
+-if (!(password = CS expand_string(ob->spa_password)))
+if (!(password = expand_string(ob->spa_password)))
+   {
+   if (f.expand_string_forcedfail) return CANCELLED;
+   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -310,7 +309,7 @@ if (!(password = CS expand_string(ob->spa_password)))
+   }
+ 
+ if (ob->spa_domain)
+-  if (!(domain = CS expand_string(ob->spa_domain)))
+  if (!(domain = expand_string(ob->spa_domain)))
+     {
+     if (f.expand_string_forcedfail) return CANCELLED;
+     string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -330,7 +329,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+ 
+ DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
+ 
+-spa_build_auth_request(&request, CS username, domain);
+spa_build_auth_request(&request, username, domain);
+ spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));
+ 
+ DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
+@@ -347,7 +346,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+ DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
+ spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
+ 
+-spa_build_auth_response(&challenge, &response, CS username, CS password);
+spa_build_auth_response(&challenge, &response, username, password);
+ spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
+ DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
+