Accepting request 1045487 from home:polslinux:branches:server:mail

- Update to 1.1.0:
  * CVE-2019-19977: avoid potential stack overflow in NTLM authenticator.
  * Migrate build system to Meson
  * Remove GNU libltdl support, assume dlopen() always available.
  * Use a linker map to restrict public symbols to API only.
  * Add sentinel and ‘format printf’ attributes to function declarations.
  * Remove getaddrinfo() implementation.
  * Use strlcpy() for safer string copies, provide implementation
    for systems that need it.
  * Update ‘application data’ APIs
  * Add ‘smtp_get_server_name()’ API.
  * Collect replacement functions into missing.c
  * Prohibit Resent-Reply-To: header.
  * Use canonic domain name of MTA where known
  * Implement rfc2822date() with strftime() if available.
  * add option for XDG file layout convention instead of ~/.authenticate
  * OpenSSL
    + Remove support for OpenSSL versions before v1.1.0
    + Update OpenSSL API calls used for modern versions
    + Require TLS v1 or higher
  * Add add_ntlm.patch
  * Drop the following patches:
    + libesmtp-removedecls.diff
    + libesmtp-1.0.4-bloat.patch
    + libesmtp-fix-cve-2019-19977.patch
    + libesmtp-openssl11.patch
    + libesmtp-tlsv12.patch

OBS-URL: https://build.opensuse.org/request/show/1045487
OBS-URL: https://build.opensuse.org/package/show/server:mail/libesmtp?expand=0&rev=8
Jan Engelhardt 2023-01-02 00:21:27 +00:00 committed by Git OBS Bridge
parent aa877c7d61
commit 440d916ee1
10 changed files with 148 additions and 353 deletions

add_ntlm.patch

@ -0,0 +1,84 @@
From 1c304e7886a08fb56485e41614ff3f8685afb59d Mon Sep 17 00:00:00 2001
From: Jiaqing Zhao <jiaqing.zhao@intel.com>
Date: Tue, 8 Mar 2022 15:05:32 +0000
Subject: [PATCH] Add build option for NTLM support
Currently, NTLM plugin is built by default when openssl is available
and STARTTLS is enabled. But in libesmtp 1.0.6, there is a separate
build option. This commits adds the 'ntlm' option back. It's also
disabled by default.
Like 1.0.6, it will check openssl MD4 algorithm support as MD4 is
insecure and modern systems may drop MD4 support.
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>
---
meson.build | 13 ++++++++++---
meson_options.txt | 1 +
ntlm/meson.build | 2 +-
3 files changed, 12 insertions(+), 4 deletions(-)
Index: libESMTP-1.1.0/meson.build
===================================================================
--- libESMTP-1.1.0.orig/meson.build
+++ libESMTP-1.1.0/meson.build
@@ -63,6 +63,7 @@ add_project_arguments(cc.get_supported_a
################################################################################
dldep = cc.find_library('dl')
ssldep = dependency('openssl', version : '>=1.1.0', required : get_option('tls'))
+ntlmdep = dependency('openssl', version : '>=1.1.0', required : get_option('ntlm'))
threaddep = dependency('threads', required : get_option('pthreads'))
#XXX add test for libbind9.so
@@ -71,6 +72,7 @@ lwresdep = cc.find_library('lwres', requ
deps = [
dldep,
ssldep,
+ ntlmdep,
threaddep,
lwresdep,
]
@@ -220,8 +222,12 @@ include_dir = include_directories('.')
subdir('login')
subdir('plain')
subdir('crammd5')
-if ssldep.found()
- subdir('ntlm')
+if ntlmdep.found()
+ if cc.has_header('openssl/md4.h') and cc.has_function('MD4_Init', dependencies : ntlmdep)
+ subdir('ntlm')
+ else
+ error('MD4 is not supported in current openssl, unable to build NTLM plugin')
+ endif
endif
################################################################################
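Review bot: the `error()` branch fires whenever `ntlmdep.found()` is true, which for a `feature` option also covers `-Dntlm=auto`, so a user who never asked for NTLM gets a hard build failure on an OpenSSL without MD4 instead of a silently skipped plugin. Guard it with the option state: keep `error(...)` only when `get_option('ntlm').enabled()`, and `warning(...)` and skip `subdir('ntlm')` otherwise. Also, `cc.has_function('MD4_Init', dependencies : ntlmdep)` only proves the symbol links; on OpenSSL 3 the low-level `MD4_*` API is deprecated, so builds with `-Werror=deprecated-declarations` will still fail inside the plugin even though this check passes.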
@@ -247,4 +253,5 @@ summary({'current:revision:age': libesmt
'STARTTLS': ssldep.found(),
'CHUNKING': get_option('bdat'),
'ETRN': get_option('etrn'),
- 'XUSR': get_option('xusr')})
+ 'XUSR': get_option('xusr'),
+ 'NTLM': ntlmdep.found()})
Index: libESMTP-1.1.0/meson_options.txt
===================================================================
--- libESMTP-1.1.0.orig/meson_options.txt
+++ libESMTP-1.1.0/meson_options.txt
@@ -5,3 +5,4 @@ option('lwres', type : 'feature', value
option('bdat', type : 'boolean', value : 'true', description : 'enable SMTP BDAT extension')
option('etrn', type : 'boolean', value : 'true', description : 'enable SMTP ETRN extension')
option('xusr', type : 'boolean', value : 'true', description : 'enable sendmail XUSR extension')
+option('ntlm', type : 'feature', value : 'disabled', description : 'build with support for NTLM authentication')
Index: libESMTP-1.1.0/ntlm/meson.build
===================================================================
--- libESMTP-1.1.0.orig/ntlm/meson.build
+++ libESMTP-1.1.0/ntlm/meson.build
@@ -5,7 +5,7 @@ sasl_ntlm_sources = [
'ntlmstruct.c',
]
-ntlm_deps = [ ssldep, ]
+ntlm_deps = [ ntlmdep, ]
sasl_ntlm = shared_module('ntlm', sasl_ntlm_sources,
name_prefix : 'sasl-',

@ -1,13 +0,0 @@
Index: libesmtp-config.in
===================================================================
--- libesmtp-config.in.orig 2001-12-12 15:30:37.000000000 +0100
+++ libesmtp-config.in 2007-09-04 08:34:01.000000000 +0200
@@ -69,7 +69,7 @@ while test $# -gt 0; do
;;
--libs)
- echo @PTHREAD_LDFLAGS@ -L@libdir@ -lesmtp @LIBS@ @PTHREAD_LIBS@
+ echo -lesmtp
;;
--plugindir)

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d0a61a5c52d99fa7ce7d00ed0a07e341dbda67101dbed1ab0cdae3f37db4eb0b
size 365506

libesmtp-1.1.0.tar.gz (Stored with Git LFS)

@ -1,179 +0,0 @@
From 8c85278d28ff4da32106714a1420371fe37ef349 Mon Sep 17 00:00:00 2001
From: Brian Stafford <contact@brianstafford.info>
Date: Mon, 24 Aug 2020 16:11:13 +0100
Subject: [PATCH] CVE-2019-19977 avoid stach overrwrite #6
---
ntlm/ntlm.h | 2 +-
ntlm/ntlmdes.c | 9 ++++--
ntlm/ntlmstruct.c | 76 ++++++++++++++---------------------------------
3 files changed, 30 insertions(+), 57 deletions(-)
Index: libesmtp-1.0.6/ntlm/ntlm.h
===================================================================
--- libesmtp-1.0.6.orig/ntlm/ntlm.h
+++ libesmtp-1.0.6/ntlm/ntlm.h
@@ -24,7 +24,7 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
-char *lm_uccpy (char *dst, size_t dstlen, const char *src);
+int lm_uccpy (char *dst, size_t dstlen, const char *src);
unsigned char *nt_unicode (const char *string, size_t len);
void lm_hash_password (unsigned char *hash, const char *pass);
Index: libesmtp-1.0.6/ntlm/ntlmdes.c
===================================================================
--- libesmtp-1.0.6.orig/ntlm/ntlmdes.c
+++ libesmtp-1.0.6/ntlm/ntlmdes.c
@@ -66,19 +66,19 @@ lm_deshash (void *result, const_des_cblo
/* Copy and convert to upper case. If supplied string is shorter than the
destination, zero pad the remainder. */
-char *
+int
lm_uccpy (char *dst, size_t dstlen, const char *src)
{
char *p;
size_t len;
- if ((len = strlen (src)) > dstlen)
+ if ((len = src != NULL ? strlen (src) : 0) > dstlen)
len = dstlen;
for (p = dst; len > 0; p++, src++, len--)
*p = toupper (*src);
if (p < dst + dstlen)
memset (p, 0, dst + dstlen - p);
- return dst;
+ return len;
}
/* create LanManager hashed password */
@@ -101,6 +101,9 @@ nt_unicode (const char *string, size_t l
{
unsigned char *uni, *pp;
+ if (len == 0)
+ return NULL;
+
uni = malloc (len * 2);
if ((pp = uni) != NULL)
while (len-- > 0)
Index: libesmtp-1.0.6/ntlm/ntlmstruct.c
===================================================================
--- libesmtp-1.0.6.orig/ntlm/ntlmstruct.c
+++ libesmtp-1.0.6/ntlm/ntlmstruct.c
@@ -187,7 +187,6 @@ ntlm_build_type_1 (char *buf, size_t buf
{
size_t offset = T1SIZE;
size_t len;
- unsigned char *up;
char string[256];
if (buflen < offset)
@@ -195,25 +194,13 @@ ntlm_build_type_1 (char *buf, size_t buf
memcpy (buf, NTLMSSP, 8);
write_uint32 (buf, MSGTYPE, 1);
write_uint32 (buf, T1FLAGS, flags);
- up = NULL;
- len = 0;
- if (domain != NULL)
- {
- len = strlen (domain);
- if (offset + len > buflen)
- return 0;
- lm_uccpy (string, len, domain);
- }
+ len = lm_uccpy (string, sizeof string, domain);
+ if (offset + len > buflen)
+ return 0;
write_string (buf, T1DOMAIN, &offset, string, len);
- up = NULL;
- len = 0;
- if (workstation != NULL)
- {
- len = strlen (workstation);
- if (offset + len > buflen)
- return 0;
- lm_uccpy (string, len, workstation);
- }
+ len = lm_uccpy (string, sizeof string, workstation);
+ if (offset + len > buflen)
+ return 0;
write_string (buf, T1WKSTN, &offset, string, len);
return offset;
}
@@ -232,16 +219,11 @@ ntlm_build_type_2 (char *buf, size_t buf
return 0;
memcpy (buf, NTLMSSP, 8);
write_uint32 (buf, MSGTYPE, 2);
- up = NULL;
- len = 0;
- if (domain != NULL)
- {
- len = strlen (domain);
- if (offset + 2 * len > buflen)
- return 0;
- up = nt_unicode (lm_uccpy (string, len, domain), 2 * len);
- }
- write_string (buf, T2AUTHTARGET, &offset, up, len);
+ len = lm_uccpy (string, sizeof string, domain);
+ if (offset + 2 * len > buflen)
+ return 0;
+ up = nt_unicode (string, len);
+ write_string (buf, T2AUTHTARGET, &offset, up, 2 * len);
if (up != NULL)
free (up);
write_uint32 (buf, T2FLAGS, flags);
@@ -267,39 +249,24 @@ ntlm_build_type_3 (char *buf, size_t buf
write_uint32 (buf, MSGTYPE, 3);
write_string (buf, T3LMRESPONSE, &offset, lm_resp, 24);
write_string (buf, T3NTRESPONSE, &offset, nt_resp, 24);
- up = NULL;
- len = 0;
- if (domain != NULL)
- {
- len = strlen (domain);
- if (offset + 2 * len > buflen)
- return 0;
- up = nt_unicode (lm_uccpy (string, len, domain), 2 * len);
- }
+ len = lm_uccpy (string, sizeof string, domain);
+ if (offset + 2 * len > buflen)
+ return 0;
+ up = nt_unicode (string, len);
write_string (buf, T3DOMAIN, &offset, up, 2 * len);
if (up != NULL)
free (up);
- up = NULL;
- len = 0;
- if (user != NULL)
- {
- len = strlen (user);
- if (offset + 2 * len > buflen)
- return 0;
- up = nt_unicode (lm_uccpy (string, len, user), 2 * len);
- }
+ len = lm_uccpy (string, sizeof string, user);
+ if (offset + 2 * len > buflen)
+ return 0;
+ up = nt_unicode (string, len);
write_string (buf, T3USER, &offset, up, 2 * len);
if (up != NULL)
free (up);
- up = NULL;
- len = 0;
- if (workstation != NULL)
- {
- len = strlen (workstation);
- if (offset + 2 * len > buflen)
- return 0;
- up = nt_unicode (lm_uccpy (string, len, workstation), 2 * len);
- }
+ len = lm_uccpy (string, sizeof string, workstation);
+ if (offset + 2 * len > buflen)
+ return 0;
+ up = nt_unicode (string, len);
write_string (buf, T3WKSTN, &offset, up, 2 * len);
if (up != NULL)
free (up);
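Review bot: dropping this patch is only safe if the 1.1.0 tarball carries the same fix; the changelog line "CVE-2019-19977: avoid potential stack overflow in NTLM authenticator" says it does, but spot-check that `ntlm/ntlmstruct.c` in the new source passes `sizeof string` to `lm_uccpy` as the `+` lines here do, because the removed `lm_uccpy (string, len, domain)` with `len = strlen (domain)` is what overran `char string[256]` on the stack. For the record, the fix truncates domain, user and workstation silently to the buffer size rather than rejecting over-long input, and `int lm_uccpy` returns a `size_t len` that every caller assigns straight back into a `size_t`; harmless at 256 bytes, but `size_t` would be the cleaner return type if this ever gets carried downstream again.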

@ -1,77 +0,0 @@
Index: libesmtp-1.0.6/ntlm/ntlmdes.c
===================================================================
--- libesmtp-1.0.6.orig/ntlm/ntlmdes.c
+++ libesmtp-1.0.6/ntlm/ntlmdes.c
@@ -26,9 +26,21 @@
#include <ctype.h>
#include <openssl/des.h>
#include <openssl/md4.h>
+#include <openssl/opensslv.h>
#include "ntlm.h"
+/* OpenSSL 1.1 compat shim */
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+# define des_cblock DES_cblock
+# define const_des_cblock const_DES_cblock
+# define des_key_schedule DES_key_schedule
+# define des_set_odd_parity(k) DES_set_odd_parity((k))
+# define des_set_key(k,ks) DES_set_key((k),&(ks))
+# define des_ecb_encrypt(i,o,k,e) DES_ecb_encrypt((i),(o),&(k),(e))
+
+#endif
+
static void
lm_deshash (void *result, const_des_cblock *iv, const void *secret)
{
Index: libesmtp-1.0.6/configure.ac
===================================================================
--- libesmtp-1.0.6.orig/configure.ac
+++ libesmtp-1.0.6/configure.ac
@@ -303,17 +303,8 @@ if test x$with_openssl != xno ; then
)
fi
if test x$with_openssl != xno ; then
- AC_CHECK_LIB(ssl, SSL_library_init, [
- with_openssl=yes
- LIBS="-lssl -lcrypto $LIBS"
- ], [
- if test x"$with_openssl" = xyes ; then
- AC_MSG_ERROR([cannot find the ssl library])
- else
- with_openssl=no
- fi],
- -lcrypto
- )
+PKG_CHECK_MODULES([SSL], [libssl])
+PKG_CHECK_MODULES([CRYPTO], [libcrypto])
fi
dnl #########################################################################
Index: libesmtp-1.0.6/ntlm/Makefile.am
===================================================================
--- libesmtp-1.0.6.orig/ntlm/Makefile.am
+++ libesmtp-1.0.6/ntlm/Makefile.am
@@ -8,4 +8,5 @@ AM_CFLAGS = @CFLAGS@ @EXTRA_CFLAGS@
lib_LTLIBRARIES = sasl-ntlm.la
sasl_ntlm_la_SOURCES = client-ntlm.c ntlmdes.c ntlmstruct.c ntlm.h
-sasl_ntlm_la_LDFLAGS = -module -avoid-version @NTLM_LIBS@
+sasl_ntlm_la_LDFLAGS = -no-undefined -module -shared -avoid-version -export-dynamic
+sasl_ntlm_la_LIBADD = $(CRYPTO_LIBS)
Index: libesmtp-1.0.6/Makefile.am
===================================================================
--- libesmtp-1.0.6.orig/Makefile.am
+++ libesmtp-1.0.6/Makefile.am
@@ -18,9 +18,9 @@ libesmtp_la_SOURCES = auth-client.c base
libesmtp-private.h message-source.h protocol-states.h \
protocol.h rfc2822date.h siobuf.h tokens.h \
getaddrinfo.h gethostbyname.h missing.h
-libesmtp_la_LIBADD = @LTLIBOBJS@
+libesmtp_la_LIBADD = @LTLIBOBJS@ $(CRYPTO_LIBS) $(SSL_LIBS)
-libesmtp_la_LDFLAGS = -export-dynamic \
+libesmtp_la_LDFLAGS = -export-dynamic -Wl,--no-undefined \
-version-info $(LIBESMTP_VERSION)
include_HEADERS = libesmtp.h auth-client.h auth-plugin.h
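Review bot: removing this compat shim is consistent with the new floor: the changelog drops support for OpenSSL before 1.1.0 and the spec now carries `BuildRequires: openssl-devel >= 1.1.0`, and the `configure.ac` and `Makefile.am` halves (`PKG_CHECK_MODULES`, `-Wl,--no-undefined`) are moot once the build is Meson. Nothing in this patch needs to be carried forward, though it is worth confirming that the Meson build still links the main library with `--no-undefined` or the linker map mentioned in the changelog, since that is what caught missing libcrypto symbols here.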

@ -1,16 +0,0 @@
--- missing.h
+++ missing.h
@@ -24,7 +24,7 @@
/* Collect together some declarations that might not be present on
some systems */
-
+#if 0
#ifndef HAVE_STRDUP
char *strdup (const char *s1);
#endif
@@ -50,3 +50,4 @@
#endif
#endif
+#endif

@ -1,20 +0,0 @@
Index: libesmtp-1.0.6/smtp-tls.c
===================================================================
--- libesmtp-1.0.6.orig/smtp-tls.c
+++ libesmtp-1.0.6/smtp-tls.c
@@ -201,8 +201,13 @@ starttls_create_ctx (smtp_session_t sess
3207. Servers typically support SSL as well as TLS because some
versions of Netscape do not support TLS. I am assuming that all
currently deployed servers correctly support TLS. */
- ctx = SSL_CTX_new (TLSv1_client_method ());
-
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ ctx = SSL_CTX_new (TLS_client_method());
+ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+#else
+ ctx = SSL_CTX_new (SSLv23_client_method ());
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
/* Load our keys and certificates. To avoid messing with configuration
variables etc, use fixed paths for the certificate store. These are
as follows :-
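Review bot: `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)` only excludes SSLv2 and SSLv3; TLS 1.0 and 1.1, both deprecated by RFC 8996, stay negotiable, so the file name `tlsv12` overstates what this floor was. Upstream's replacement per the changelog ("Require TLS v1 or higher") keeps the same floor, so dropping the patch loses nothing, but if the distribution wants a TLS 1.2 minimum for the packaged library it has to come from OpenSSL's system-wide `MinProtocol` configuration or a new downstream patch, not from this update.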

@ -1,3 +1,34 @@
-------------------------------------------------------------------
Tue Dec 27 10:32:59 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>
- Update to 1.1.0:
* CVE-2019-19977: avoid potential stack overflow in NTLM authenticator.
* Migrate build system to Meson
* Remove GNU libltdl support, assume dlopen() always available.
* Use a linker map to restrict public symbols to API only.
* Add sentinel and format printf attributes to function declarations.
* Remove getaddrinfo() implementation.
* Use strlcpy() for safer string copies, provide implementation
for systems that need it.
* Update application data APIs
* Add smtp_get_server_name() API.
* Collect replacement functions into missing.c
* Prohibit Resent-Reply-To: header.
* Use canonic domain name of MTA where known
* Implement rfc2822date() with strftime() if available.
* add option for XDG file layout convention instead of ~/.authenticate
* OpenSSL
+ Remove support for OpenSSL versions before v1.1.0
+ Update OpenSSL API calls used for modern versions
+ Require TLS v1 or higher
* Add add_ntlm.patch
* Drop the following patches:
+ libesmtp-removedecls.diff
+ libesmtp-1.0.4-bloat.patch
+ libesmtp-fix-cve-2019-19977.patch
+ libesmtp-openssl11.patch
+ libesmtp-tlsv12.patch
-------------------------------------------------------------------
Fri Aug 6 09:16:53 UTC 2021 - Yifan Jiang <yfjiang@suse.com>
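Review bot: the `CVE-2019-19977` line should carry the bug references that the removed `Patch4` comment in the spec had (`bsc#1189097 bsc#1160462`); without them the tracker no longer links this update to the CVE fix it supersedes. Stating that the fix is now in the upstream 1.1.0 source, rather than in a dropped downstream patch, would also make the audit trail clearer.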

@ -1,7 +1,7 @@
#
# spec file for package libesmtp
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -12,31 +12,26 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define so_ver 6.2.0
%define lname libesmtp6_2_0
Name: libesmtp
%define lname libesmtp6
Version: 1.0.6
Version: 1.1.0
Release: 0
Summary: A Library for Posting Electronic Mail
License: GPL-2.0+ and LGPL-2.1+
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: Development/Libraries/C and C++
Url: http://www.stafford.uklinux.net/libesmtp/
Source0: %{name}-%{version}.tar.bz2
# PATCH-MISSING-TAG -- See http://wiki.opensuse.org/Packaging/Patches
Patch0: libesmtp-removedecls.diff
# PATCH-MISSING-TAG -- See http://wiki.opensuse.org/Packaging/Patches
Patch1: libesmtp-1.0.4-bloat.patch
# PATCH-FIX-UPSTREAM libesmtp-tlsv12.patch crrodriguez@opensuse.org -- All TLS clients must support and use the highest TLS version available
Patch2: libesmtp-tlsv12.patch
Patch3: libesmtp-openssl11.patch
# PATCH-FIX-UPSTREAM libesmtp-fix-cve-2019-19977.patch yfjiang@suse.com bsc#1189097 bsc#1160462 - Fix stack-based buffer over-read in ntlm/ntlmstruct.c.
Patch4: libesmtp-fix-cve-2019-19977.patch
BuildRequires: openssl-devel
URL: https://libesmtp.github.io/
Source0: https://github.com/libesmtp/libESMTP/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch0: add_ntlm.patch
BuildRequires: libtool
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: meson >= 0.50.0
BuildRequires: openssl-devel >= 1.1.0
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libntlm)
%description
libESMTP is a library to manage posting (or submission of) electronic
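Review bot: `BuildRequires: pkgconfig(libntlm)` looks unused: the NTLM module is built against OpenSSL (`ntlm_deps = [ ntlmdep, ]` in add_ntlm.patch, where `ntlmdep` is an openssl dependency) and nothing else here references libntlm, so drop it unless the tarball actually links it. `Patch0: add_ntlm.patch` should also get the tag comment the old patches had, e.g. `# PATCH-FEATURE-UPSTREAM add_ntlm.patch -- Add build option for NTLM support`, citing the upstream commit id `1c304e7` from the patch header so the next updater can tell whether it has landed.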
@ -45,11 +40,11 @@ be used as part of a Mail User Agent (MUA) or another program that
must be able to post electronic mail but where mail functionality is
not that program's primary purpose.
%package -n %lname
%package -n %{lname}
Summary: A Library for Posting Electronic Mail
Group: System/Libraries
%description -n %lname
%description -n %{lname}
libESMTP is a library to manage posting (or submission of) electronic
mail using SMTP to a preconfigured Mail Transport Agent (MTA). It may
be used as part of a Mail User Agent (MUA) or another program that
@ -59,7 +54,7 @@ not that program's primary purpose.
%package devel
Summary: A Library for Posting Electronic Mail
Group: Development/Libraries/C and C++
Requires: %lname = %version
Requires: %{lname} = %{version}
%description devel
libESMTP is a library to manage posting (or submission of) electronic
@ -68,38 +63,28 @@ mail using SMTP to a preconfigured Mail Transport Agent (MTA).
This subpackage contains the API definition files.
%prep
%setup -q
%patch0
%patch1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%autosetup -p1 -n libESMTP-%{version}
%build
autoreconf -fiv
%configure --with-openssl=yes --disable-static --enable-ntlm --enable-etrn \
--disable-isoc --with-auth-plugin-dir="%_libdir/%lname-plugins"
make %{?_smp_mflags}
%meson \
-Dntlm=enabled
%meson_build
%install
%make_install
# library uses dlsym not ltdl
find "%buildroot" -type f -name "*.la" -delete
%meson_install
%post -n %lname -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig
%post -n %{lname} -p /sbin/ldconfig
%postun -n %{lname} -p /sbin/ldconfig
%files -n %lname
%defattr(-,root,root)
%doc README AUTHORS ChangeLog
%license COPYING
%_libdir/%lname-plugins/
%{_libdir}/libesmtp.*so.*
%files -n %{lname}
%license LICENSE
%doc README.md docs/*
%{_libdir}/esmtp-plugins-%{so_ver}
%{_libdir}/libesmtp.so.%{so_ver}
%files devel
%defattr(-,root,root)
%{_bindir}/libesmtp-config
%{_includedir}/*.h
%{_libdir}/libesmtp.*so
%{_libdir}/libesmtp.so
%{_libdir}/pkgconfig/libesmtp-1.0.pc
%changelog
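Review bot: `%meson -Dntlm=enabled` is the right choice given that the new patch errors out rather than silently skipping the plugin when MD4 is absent, but `tls` is also a feature option (`required : get_option('tls')` in meson.build); unless it is known to default to `enabled`, pass `-Dtls=enabled` as well so that a missing openssl-devel fails the build instead of quietly producing a library without STARTTLS. If `%{_bindir}/libesmtp-config` is still listed under `%files devel`, check that `%meson_install` actually installs it, since it was a generated script of the old autotools build (`libesmtp-config.in`).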