From 1b126813a8b12a85af9a738124414e8b6997676af7d7f1a3ded811198b653786 Mon Sep 17 00:00:00 2001
From: Peter Wullinger
Date: Mon, 2 Oct 2023 13:23:30 +0000
Subject: [PATCH] Accepting request 1114822 from home:pwcau:branches:server:mail
- security update to exim 4.96.1
* fixes CVE-2023-42114 (bsc#1215784)
* fixes CVE-2023-42115 (bsc#1215785)
* fixes CVE-2023-42116 (bsc#1215786)
OBS-URL: https://build.opensuse.org/request/show/1114822
OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=276
---
exim-4.96.1.tar.gz | 3 +
exim-4.96.1.tar.gz.asc | 11 +
exim-4.96.tar.bz2 | 3 -
exim-4.96.tar.bz2.asc | 11 -
exim.changes | 8 +-
exim.spec | 8 +-
...-42115-CVE-2023-42116-CVE-2023-42114.patch | 294 ------------------
patch-cve-2022-3559 | 127 --------
8 files changed, 20 insertions(+), 445 deletions(-)
create mode 100644 exim-4.96.1.tar.gz
create mode 100644 exim-4.96.1.tar.gz.asc
delete mode 100644 exim-4.96.tar.bz2
delete mode 100644 exim-4.96.tar.bz2.asc
delete mode 100644 patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch
delete mode 100644 patch-cve-2022-3559
diff --git a/exim-4.96.1.tar.gz b/exim-4.96.1.tar.gz
new file mode 100644
index 0000000..7819ae7
--- /dev/null
+++ b/exim-4.96.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d06845e07c699e7dabbe1ca1edf23fe8b17083dc9fe0736f0b4a90351ac708e
+size 2587066
diff --git a/exim-4.96.1.tar.gz.asc b/exim-4.96.1.tar.gz.asc
new file mode 100644
index 0000000..d7cbe38
--- /dev/null
+++ b/exim-4.96.1.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE0L/WueylaUpvFJ3Or0zGdqa2wUIFAmUam7wACgkQr0zGdqa2
+wUJTWAf/ThDZFIOGAB4rTFJF2dZjZnlNPWAYB//ZGG4ZbeCPBPeLlQcNtRA7KX2B
+vaWo3iGneYqn6Zf2DHjeeGsqtRE62hh9S8d0wkSkGA9VnRSK6kh8eFEotWA/pXAp
+ZsYhBlOHxqzaDy9l0S3o+AXXG+Ag/Qg+ZjhkBHRZg+rq0xDwzF+3KxVhbRrUTtKL
+Tl7Z+uvepeXmfN0TU2nAnbHtp7+IOVaZlMGPC3J0xL6vdQt5N+peccg3lDn09OPw
+pcrDbG/IFYqB4d/ae9Y4kYV/S5o1c8reNC7u6ovPqBCNusSEmdS6aXCVHQWGeZoa
+nYCzFqFTB3yqOUq2Yae3NzG2CmzMTg==
+=c4Fg
+-----END PGP SIGNATURE-----
diff --git a/exim-4.96.tar.bz2 b/exim-4.96.tar.bz2
deleted file mode 100644
index 0581e0c..0000000
--- a/exim-4.96.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c7a413fec601cc44a8f5fe9e5b64cb24a7d133f3a4a976f33741d98ff0ec6b91
-size 2047632
diff --git a/exim-4.96.tar.bz2.asc b/exim-4.96.tar.bz2.asc
deleted file mode 100644
index 80d7b60..0000000
--- a/exim-4.96.tar.bz2.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQFEBAABCAAuFiEEqYbzpr1jd9hzCVjevOWMjOQfMt8FAmK3D24QHGpnaEB3aXpt
-YWlsLm9yZwAKCRC85YyM5B8y3/p6B/4kKhljnbyvsjc/4HTLpPgRXAdSxQTibZKI
-cRSnO5HXyLGqFCj+7WYFfHPWuSmmPhahfQ7mMuNUxcvJkQ32yTDYH4zjam9HpspU
-k6rdGNR3SurJ/3pxG4Adcyg3uZ2MSK0fbCmNd6N1MVa0riXxb0PT2pvniaRFKzrD
-H3UQ8Yy//R9CGzoUKKs6g063gTc4L+1y+hZJYKodZ7TvKODVp9X024Qvp0gKaF0K
-dnDdRNxqqNgUClig13Q4f/KNuGeeChP67AuG/kX+0qZBaduYgmCPoYJQ87jIMLgz
-ps6DUyiVVWLVz4N+mSZX6TPbeZ8OqHH6B1crbbhqpdurg4VcBT7A
-=HSmJ
------END PGP SIGNATURE-----
diff --git a/exim.changes b/exim.changes
index ec1dd0f..26ff9de 100644
--- a/exim.changes
+++ b/exim.changes
@@ -1,9 +1,9 @@ Mon Oct 2 05:53:32 UTC 2023 - Peter Wullinger -- add patch (patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch) for - * CVE-2023-42114 (bsc#1215784) - * CVE-2023-42115 (bsc#1215785) - * CVE-2023-42116 (bsc#1215786) +- security update to exim 4.96.1 + * fixes CVE-2023-42114 (bsc#1215784) + * fixes CVE-2023-42115 (bsc#1215785) + * fixes CVE-2023-42116 (bsc#1215786) ------------------------------------------------------------------- Tue Mar 28 13:46:34 UTC 2023 - Peter Wullinger diff --git a/exim.spec b/exim.spec index e5e5799..c1d8fb8 100644 --- a/exim.spec +++ b/exim.spec @@ -74,8 +74,8 @@ Requires(pre): group(mail) %endif Requires(pre): fileutils textutils %endif -Version: 4.96 -Release: 2 +Version: 4.96.1 +Release: 0 %if %{with_mysql} BuildRequires: mysql-devel %endif @@ -106,8 +106,6 @@ Source41: exim_db.8.gz Patch0: exim-tail.patch Patch1: gnu_printf.patch Patch2: patch-no-exit-on-rewrite-malformed-address.patch -Patch3: patch-cve-2022-3559 -Patch4: patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch %package -n eximon Summary: Eximon, an graphical frontend to administer Exim's mail queue @@ -152,8 +150,6 @@ once, if at all. The rest is done by logrotate / cron.) %patch0 %patch1 -p1 %patch2 -p1 -%patch3 -p1 -%patch4 -p1 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 fPIE="-fPIE" diff --git a/patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch b/patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch deleted file mode 100644 index 7fc5cf8..0000000 --- a/patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch +++ /dev/null 
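Review bot: The exim.spec hunk at `@@ -106,8 +106,6 @@` drops `Patch3: patch-cve-2022-3559` along with the CVE-2023 patch, but the exim.changes entry and the commit message account only for CVE-2023-42114, CVE-2023-42115 and CVE-2023-42116. Nothing on this page shows that the 4.96.1 tarball already carries the CVE-2022-3559 fix, so that should be confirmed against the upstream release before the patch file is deleted. Once confirmed, record it in the changelog entry, for example `* drop patch-cve-2022-3559 (fix included in 4.96.1)`. The matching `%patch3 -p1` removal in the `@@ -152,8 +150,6 @@` hunk falls under the same point. Without that record a later audit cannot tell whether the earlier fix was carried forward or lost in the version bump.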
@@ -1,294 +0,0 @@ -diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c -index 8d886b6b6..bb3d327d1 100644 ---- a/src/auths/auth-spa.c -+++ b/src/auths/auth-spa.c -@@ -155,6 +155,9 @@ int main (int argc, char ** argv) - up with a different answer to the one above) - */ - -+#ifndef MACRO_PREDEF -+ -+ - #define DEBUG_X(a,b) ; - - extern int DEBUGLEVEL; -@@ -1211,7 +1214,9 @@ char versionString[] = "libntlm version 0.21"; - - #define spa_bytes_add(ptr, header, buf, count) \ - { \ --if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \ -+if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \ -+ && ptr->bufIndex + count < sizeof(ptr->buffer) \ -+ ) \ - { \ - SSVAL(&ptr->header.len,0,count); \ - SSVAL(&ptr->header.maxlen,0,count); \ -@@ -1229,35 +1234,30 @@ else \ - - #define spa_string_add(ptr, header, string) \ - { \ --char *p = string; \ -+uschar * p = string; \ - int len = 0; \ --if (p) len = strlen(p); \ --spa_bytes_add(ptr, header, (US p), len); \ -+if (p) len = Ustrlen(p); \ -+spa_bytes_add(ptr, header, p, len); \ - } - - #define spa_unicode_add_string(ptr, header, string) \ - { \ --char *p = string; \ --uschar *b = NULL; \ -+uschar * p = string; \ -+uschar * b = NULL; \ - int len = 0; \ - if (p) \ - { \ -- len = strlen(p); \ -- b = strToUnicode(p); \ -+ len = Ustrlen(p); \ -+ b = US strToUnicode(CS p); \ - } \ - spa_bytes_add(ptr, header, b, len*2); \ - } - - --#define GetUnicodeString(structPtr, header) \ --unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) --#define GetString(structPtr, header) \ --toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) -- - #ifdef notdef - - #define DumpBuffer(fp, structPtr, header) \ --dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) -+ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) - - - static void -@@ -1321,8 +1321,33 @@ 
buf[len] = 0; - return buf; - } - -+static inline uschar * -+get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr) -+{ -+int off = IVAL(&hdr->offset, 0); -+int len = SVAL(&hdr->len, 0); -+return off + len < sizeof(SPAAuthChallenge) -+ ? US unicodeToString(CS challenge + off, len/2) : US""; -+} -+ -+static inline uschar * -+get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr) -+{ -+int off = IVAL(&hdr->offset, 0); -+int len = SVAL(&hdr->len, 0); -+return off + len < sizeof(SPAAuthChallenge) -+ ? US toString(CS challenge + off, len) : US""; -+} -+ - #ifdef notdef - -+#define GetUnicodeString(structPtr, header) \ -+ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) -+ -+#define GetString(structPtr, header) \ -+ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) -+ -+ - void - dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request) - { -@@ -1366,15 +1391,15 @@ fprintf (fp, " Flags = %08x\n", IVAL (&response->flags, 0)); - #endif - - void --spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain) -+spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain) - { --char *u = strdup (user); --char *p = strchr (u, '@'); -+uschar * u = string_copy(user); -+uschar * p = Ustrchr(u, '@'); - - if (p) - { - if (!domain) -- domain = p + 1; -+ domain = p + 1; - *p = '\0'; - } - -@@ -1384,7 +1409,6 @@ SIVAL (&request->msgType, 0, 1); - SIVAL (&request->flags, 0, 0x0000b207); /* have to figure out what these mean */ - spa_string_add (request, user, u); - spa_string_add (request, domain, domain); --free (u); - } - - -@@ -1475,16 +1499,16 @@ free (u); - - void - spa_build_auth_response (SPAAuthChallenge * challenge, -- SPAAuthResponse * response, char *user, -- char *password) -+ SPAAuthResponse * response, uschar * user, -+ uschar * password) - { - uint8x lmRespData[24]; - uint8x ntRespData[24]; - uint32x cf 
= IVAL(&challenge->flags, 0); --char *u = strdup (user); --char *p = strchr (u, '@'); --char *d = NULL; --char *domain; -+uschar * u = string_copy(user); -+uschar * p = Ustrchr(u, '@'); -+uschar * d = NULL; -+uschar * domain; - - if (p) - { -@@ -1492,33 +1516,33 @@ if (p) - *p = '\0'; - } - --else domain = d = strdup((cf & 0x1)? -- CCS GetUnicodeString(challenge, uDomain) : -- CCS GetString(challenge, uDomain)); -+else domain = d = string_copy(cf & 0x1 -+ ? CUS get_challenge_unistr(challenge, &challenge->uDomain) -+ : CUS get_challenge_str(challenge, &challenge->uDomain)); - --spa_smb_encrypt (US password, challenge->challengeData, lmRespData); --spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData); -+spa_smb_encrypt(password, challenge->challengeData, lmRespData); -+spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData); - - response->bufIndex = 0; - memcpy (response->ident, "NTLMSSP\0\0\0", 8); - SIVAL (&response->msgType, 0, 3); - --spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0); --spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0); -+spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0); -+spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 
24 : 0); - - if (cf & 0x1) { /* Unicode Text */ -- spa_unicode_add_string (response, uDomain, domain); -- spa_unicode_add_string (response, uUser, u); -- spa_unicode_add_string (response, uWks, u); -+ spa_unicode_add_string(response, uDomain, domain); -+ spa_unicode_add_string(response, uUser, u); -+ spa_unicode_add_string(response, uWks, u); - } else { /* OEM Text */ -- spa_string_add (response, uDomain, domain); -- spa_string_add (response, uUser, u); -- spa_string_add (response, uWks, u); -+ spa_string_add(response, uDomain, domain); -+ spa_string_add(response, uUser, u); -+ spa_string_add(response, uWks, u); - } - --spa_string_add (response, sessionKey, NULL); -+spa_string_add(response, sessionKey, NULL); - response->flags = challenge->flags; -- --if (d != NULL) free (d); --free (u); - } -+ -+ -+#endif /*!MACRO_PREDEF*/ -diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h -index cfe1b086d..3b0b3a9e3 100644 ---- a/src/auths/auth-spa.h -+++ b/src/auths/auth-spa.h -@@ -79,10 +79,10 @@ typedef struct - - void spa_bits_to_base64 (unsigned char *, const unsigned char *, int); - int spa_base64_to_bits(char *, int, const char *); --void spa_build_auth_response (SPAAuthChallenge *challenge, -- SPAAuthResponse *response, char *user, char *password); --void spa_build_auth_request (SPAAuthRequest *request, char *user, -- char *domain); -+void spa_build_auth_response (SPAAuthChallenge * challenge, -+ SPAAuthResponse * response, uschar * user, uschar * password); -+void spa_build_auth_request (SPAAuthRequest * request, uschar * user, -+ uschar * domain); - extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8, - unsigned char * p24); - extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8, -diff --git a/src/auths/external.c b/src/auths/external.c -index 7e7fca841..790b98159 100644 ---- a/src/auths/external.c -+++ b/src/auths/external.c -@@ -103,7 +103,7 @@ if (expand_nmax == 0) /* skip if rxd data */ - if (ob->server_param2) - { - 
uschar * s = expand_string(ob->server_param2); -- auth_vars[expand_nmax] = s; -+ auth_vars[expand_nmax = 1] = s; - expand_nstring[++expand_nmax] = s; - expand_nlength[expand_nmax] = Ustrlen(s); - if (ob->server_param3) -diff --git a/src/auths/spa.c b/src/auths/spa.c -index ff90d33a3..bfaccefda 100644 ---- a/src/auths/spa.c -+++ b/src/auths/spa.c -@@ -284,14 +284,13 @@ SPAAuthRequest request; - SPAAuthChallenge challenge; - SPAAuthResponse response; - char msgbuf[2048]; --char *domain = NULL; --char *username, *password; -+uschar * domain = NULL, * username, * password; - - /* Code added by PH to expand the options */ - - *buffer = 0; /* Default no message when cancelled */ - --if (!(username = CS expand_string(ob->spa_username))) -+if (!(username = expand_string(ob->spa_username))) - { - if (f.expand_string_forcedfail) return CANCELLED; - string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " -@@ -300,7 +299,7 @@ if (!(username = CS expand_string(ob->spa_username))) - return ERROR; - } - --if (!(password = CS expand_string(ob->spa_password))) -+if (!(password = expand_string(ob->spa_password))) - { - if (f.expand_string_forcedfail) return CANCELLED; - string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " -@@ -310,7 +309,7 @@ if (!(password = CS expand_string(ob->spa_password))) - } - - if (ob->spa_domain) -- if (!(domain = CS expand_string(ob->spa_domain))) -+ if (!(domain = expand_string(ob->spa_domain))) - { - if (f.expand_string_forcedfail) return CANCELLED; - string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " -@@ -330,7 +329,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout)) - - DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain); - --spa_build_auth_request(&request, CS username, domain); -+spa_build_auth_request(&request, username, domain); - spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request)); - - DSPA("\n\n%s authenticator: sending request (%s)\n\n", 
ablock->name, msgbuf); -@@ -347,7 +346,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout)) - DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4); - spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4)); - --spa_build_auth_response(&challenge, &response, CS username, CS password); -+spa_build_auth_response(&challenge, &response, username, password); - spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response)); - DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf); - diff --git a/patch-cve-2022-3559 b/patch-cve-2022-3559 deleted file mode 100644 index 45f2cf5..0000000 --- a/patch-cve-2022-3559 +++ /dev/null 
@@ -1,127 +0,0 @@ -diff -ru a/src/exim.c b/src/exim.c ---- a/src/exim.c 2022-06-23 15:41:10.000000000 +0200 -+++ b/src/exim.c 2022-10-18 13:38:30.366261000 +0200 -@@ -2001,8 +2001,6 @@ - regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE); - #endif - --for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -- - /* If the program is called as "mailq" treat it as equivalent to "exim -bp"; - this seems to be a generally accepted convention, since one finds symbolic - links called "mailq" in standard OS configurations. */ -@@ -6084,7 +6082,7 @@ - deliver_localpart_data = deliver_domain_data = - recipient_data = sender_data = NULL; - acl_var_m = NULL; -- for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -+ regex_vars_clear(); - - store_reset(reset_point); - } -diff -ru a/src/expand.c b/src/expand.c ---- a/src/expand.c 2022-06-23 15:41:10.000000000 +0200 -+++ b/src/expand.c 2022-10-18 13:38:30.368690000 +0200 -@@ -1873,7 +1873,7 @@ - return node ? node->data.ptr : strict_acl_vars ? NULL : US""; - } - --/* Handle $auth variables. */ -+/* Handle $auth, $regex variables. 
*/ - - if (Ustrncmp(name, "auth", 4) == 0) - { -diff -ru a/src/functions.h b/src/functions.h ---- a/src/functions.h 2022-06-23 15:41:10.000000000 +0200 -+++ b/src/functions.h 2022-10-18 13:39:21.953979000 +0200 -@@ -438,6 +438,7 @@ - extern BOOL regex_match(const pcre2_code *, const uschar *, int, uschar **); - extern BOOL regex_match_and_setup(const pcre2_code *, const uschar *, int, int); - extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL); -+extern void regex_vars_clear(void); - extern void retry_add_item(address_item *, uschar *, int); - extern BOOL retry_check_address(const uschar *, host_item *, uschar *, BOOL, - uschar **, uschar **); -Only in b/src: functions.h.rej -diff -ru a/src/globals.c b/src/globals.c ---- a/src/globals.c 2022-06-23 15:41:10.000000000 +0200 -+++ b/src/globals.c 2022-10-18 13:46:22.093392000 +0200 -@@ -1315,7 +1315,7 @@ - #endif - const pcre2_code *regex_ismsgid = NULL; - const pcre2_code *regex_smtp_code = NULL; --const uschar *regex_vars[REGEX_VARS]; -+const uschar *regex_vars[REGEX_VARS] = { 0 }; - #ifdef WHITELIST_D_MACROS - const pcre2_code *regex_whitelisted_macro = NULL; - #endif -Only in b/src: globals.c.rej -diff -ru a/src/regex.c b/src/regex.c ---- a/src/regex.c 2022-06-23 15:41:10.000000000 +0200 -+++ b/src/regex.c 2022-10-18 13:43:13.041903000 +0200 -@@ -96,18 +96,26 @@ - return FAIL; - } - -+/* reset expansion variables */ -+void -+regex_vars_clear(void) -+{ -+regex_match_string = NULL; -+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -+} -+ -+ - int --regex(const uschar **listptr) -+regex(const uschar ** listptr) - { - unsigned long mbox_size; --FILE *mbox_file; --pcre_list *re_list_head; --uschar *linebuffer; -+FILE * mbox_file; -+pcre_list * re_list_head; -+uschar * linebuffer; - long f_pos = 0; - int ret = FAIL; - --/* reset expansion variable */ --regex_match_string = NULL; -+regex_vars_clear(); - - if (!mime_stream) /* We are in the DATA ACL */ - { -@@ -169,14 +177,13 @@ - int - 
mime_regex(const uschar **listptr) - { --pcre_list *re_list_head = NULL; --FILE *f; --uschar *mime_subject = NULL; -+pcre_list * re_list_head = NULL; -+FILE * f; -+uschar * mime_subject = NULL; - int mime_subject_len = 0; - int ret; - --/* reset expansion variable */ --regex_match_string = NULL; -+regex_vars_clear(); - - /* precompile our regexes */ - if (!(re_list_head = compile(*listptr))) -diff -ru a/src/smtp_in.c b/src/smtp_in.c ---- a/src/smtp_in.c 2022-06-23 15:41:10.000000000 +0200 -+++ b/src/smtp_in.c 2022-10-18 13:38:30.372819000 +0200 -@@ -2157,8 +2157,10 @@ - #ifdef SUPPORT_I18N - message_smtputf8 = FALSE; - #endif -+regex_vars_clear(); - body_linecount = body_zerocount = 0; - -+lookup_value = NULL; /* Can be set by ACL */ - sender_rate = sender_rate_limit = sender_rate_period = NULL; - ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */ - /* Note that ratelimiters_conn persists across resets. */