Accepting request 1114822 from home:pwcau:branches:server:mail

- security update to exim 4.96.1 * fixes CVE-2023-42114 (bsc#1215784) * fixes CVE-2023-42115 (bsc#1215785) * fixes CVE-2023-42116 (bsc#1215786) OBS-URL: https://build.opensuse.org/request/show/1114822 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=276
2023-10-02 13:23:30 +00:00 · 2023-10-02 13:23:30 +00:00 · 1b126813a8
commit 1b126813a8
parent d358e67d5d
8 changed files with 20 additions and 445 deletions
--- a/exim-4.96.1.tar.gz
+++ b/exim-4.96.1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:6d06845e07c699e7dabbe1ca1edf23fe8b17083dc9fe0736f0b4a90351ac708e
 size 2587066
--- a/exim-4.96.1.tar.gz.asc
+++ b/exim-4.96.1.tar.gz.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEE0L/WueylaUpvFJ3Or0zGdqa2wUIFAmUam7wACgkQr0zGdqa2
 wUJTWAf/ThDZFIOGAB4rTFJF2dZjZnlNPWAYB//ZGG4ZbeCPBPeLlQcNtRA7KX2B
 vaWo3iGneYqn6Zf2DHjeeGsqtRE62hh9S8d0wkSkGA9VnRSK6kh8eFEotWA/pXAp
 ZsYhBlOHxqzaDy9l0S3o+AXXG+Ag/Qg+ZjhkBHRZg+rq0xDwzF+3KxVhbRrUTtKL
 Tl7Z+uvepeXmfN0TU2nAnbHtp7+IOVaZlMGPC3J0xL6vdQt5N+peccg3lDn09OPw
 pcrDbG/IFYqB4d/ae9Y4kYV/S5o1c8reNC7u6ovPqBCNusSEmdS6aXCVHQWGeZoa
 nYCzFqFTB3yqOUq2Yae3NzG2CmzMTg==
 =c4Fg
 -----END PGP SIGNATURE-----
--- a/exim-4.96.tar.bz2
+++ b/exim-4.96.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:c7a413fec601cc44a8f5fe9e5b64cb24a7d133f3a4a976f33741d98ff0ec6b91
 size 2047632
--- a/exim-4.96.tar.bz2.asc
+++ b/exim-4.96.tar.bz2.asc
@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQFEBAABCAAuFiEEqYbzpr1jd9hzCVjevOWMjOQfMt8FAmK3D24QHGpnaEB3aXpt
 YWlsLm9yZwAKCRC85YyM5B8y3/p6B/4kKhljnbyvsjc/4HTLpPgRXAdSxQTibZKI
 cRSnO5HXyLGqFCj+7WYFfHPWuSmmPhahfQ7mMuNUxcvJkQ32yTDYH4zjam9HpspU
 k6rdGNR3SurJ/3pxG4Adcyg3uZ2MSK0fbCmNd6N1MVa0riXxb0PT2pvniaRFKzrD
 H3UQ8Yy//R9CGzoUKKs6g063gTc4L+1y+hZJYKodZ7TvKODVp9X024Qvp0gKaF0K
 dnDdRNxqqNgUClig13Q4f/KNuGeeChP67AuG/kX+0qZBaduYgmCPoYJQ87jIMLgz
 ps6DUyiVVWLVz4N+mSZX6TPbeZ8OqHH6B1crbbhqpdurg4VcBT7A
 =HSmJ
 -----END PGP SIGNATURE-----
--- a/exim.changes
+++ b/exim.changes
@ -1,9 +1,9 @@
 Mon Oct  2 05:53:32 UTC 2023 - Peter Wullinger <wullinger@rz.uni-kiel.de>
- add patch (patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch) for
+- security update to exim 4.96.1
-  * CVE-2023-42114 (bsc#1215784)
+  * fixes CVE-2023-42114 (bsc#1215784)
-  * CVE-2023-42115 (bsc#1215785)
+  * fixes CVE-2023-42115 (bsc#1215785)
-  * CVE-2023-42116 (bsc#1215786)
+  * fixes CVE-2023-42116 (bsc#1215786)
 -------------------------------------------------------------------
 Tue Mar 28 13:46:34 UTC 2023 - Peter Wullinger <wullinger@rz.uni-kiel.de>
--- a/exim.spec
+++ b/exim.spec
@ -74,8 +74,8 @@ Requires(pre):  group(mail)
 %endif
 Requires(pre):  fileutils textutils
 %endif
-Version:        4.96
+Version:        4.96.1
-Release:        2
+Release:        0
 %if %{with_mysql}
 BuildRequires:  mysql-devel
 %endif
@ -106,8 +106,6 @@ Source41:       exim_db.8.gz
 Patch0:         exim-tail.patch
 Patch1:         gnu_printf.patch
 Patch2:         patch-no-exit-on-rewrite-malformed-address.patch
 Patch3:         patch-cve-2022-3559
 Patch4:         patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch
 %package -n eximon
 Summary:        Eximon, an graphical frontend to administer Exim's mail queue
@ -152,8 +150,6 @@ once, if at all. The rest is done by logrotate / cron.)
 %patch0
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
 fPIE="-fPIE"
--- a/patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch
+++ b/patch-CVE-2023-42115-CVE-2023-42116-CVE-2023-42114.patch
@ -1,294 +0,0 @@
 diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
 index 8d886b6b6..bb3d327d1 100644
 --- a/src/auths/auth-spa.c
 +++ b/src/auths/auth-spa.c
@@ -155,6 +155,9 @@ int main (int argc, char ** argv)
    up with a different answer to the one above)
 */
 +#ifndef MACRO_PREDEF
 +
 +
 #define DEBUG_X(a,b) ;
 extern int DEBUGLEVEL;
@@ -1211,7 +1214,9 @@ char versionString[] = "libntlm version 0.21";
 #define spa_bytes_add(ptr, header, buf, count) \
 { \
 -if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
 +if (  buf && (count) != 0	/* we hate -Wint-in-bool-contex */ \
 +   && ptr->bufIndex + count < sizeof(ptr->buffer)		\
 +   ) \
   { \
   SSVAL(&ptr->header.len,0,count); \
   SSVAL(&ptr->header.maxlen,0,count); \
@@ -1229,35 +1234,30 @@ else \
 #define spa_string_add(ptr, header, string) \
 { \
 -char *p = string; \
 +uschar * p = string; \
 int len = 0; \
 -if (p) len = strlen(p); \
 -spa_bytes_add(ptr, header, (US p), len); \
 +if (p) len = Ustrlen(p); \
 +spa_bytes_add(ptr, header, p, len); \
 }
 #define spa_unicode_add_string(ptr, header, string) \
 { \
 -char *p = string; \
 -uschar *b = NULL; \
 +uschar * p = string; \
 +uschar * b = NULL; \
 int len = 0; \
 if (p) \
   { \
 -  len = strlen(p); \
 -  b = strToUnicode(p); \
 +  len = Ustrlen(p); \
 +  b = US strToUnicode(CS p); \
   } \
 spa_bytes_add(ptr, header, b, len*2); \
 }
 -#define GetUnicodeString(structPtr, header) \
 -unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
 -#define GetString(structPtr, header) \
 -toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
 -
 #ifdef notdef
 #define DumpBuffer(fp, structPtr, header) \
 -dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
 + dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
 static void
@@ -1321,8 +1321,33 @@ buf[len] = 0;
 return buf;
 }
 +static inline uschar *
 +get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
 +{
 +int off = IVAL(&hdr->offset, 0);
 +int len = SVAL(&hdr->len, 0);
 +return off + len < sizeof(SPAAuthChallenge)
 +  ? US unicodeToString(CS challenge + off, len/2) : US"";
 +}
 +
 +static inline uschar *
 +get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
 +{
 +int off = IVAL(&hdr->offset, 0);
 +int len = SVAL(&hdr->len, 0);
 +return off + len < sizeof(SPAAuthChallenge)
 +  ? US toString(CS challenge + off, len) : US"";
 +}
 +
 #ifdef notdef
 +#define GetUnicodeString(structPtr, header) \
 + unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
 +
 +#define GetString(structPtr, header) \
 + toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
 +
 +
 void
 dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
 {
@@ -1366,15 +1391,15 @@ fprintf (fp, "      Flags = %08x\n", IVAL (&response->flags, 0));
 #endif
 void
 -spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
 +spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
 {
 -char *u = strdup (user);
 -char *p = strchr (u, '@');
 +uschar * u = string_copy(user);
 +uschar * p = Ustrchr(u, '@');
 if (p)
   {
   if (!domain)
 -   domain = p + 1;
 +    domain = p + 1;
   *p = '\0';
   }
@@ -1384,7 +1409,6 @@ SIVAL (&request->msgType, 0, 1);
 SIVAL (&request->flags, 0, 0x0000b207);      /* have to figure out what these mean */
 spa_string_add (request, user, u);
 spa_string_add (request, domain, domain);
 -free (u);
 }
@@ -1475,16 +1499,16 @@ free (u);
 void
 spa_build_auth_response (SPAAuthChallenge * challenge,
 -                        SPAAuthResponse * response, char *user,
 -                        char *password)
 +                        SPAAuthResponse * response, uschar * user,
 +                        uschar * password)
 {
 uint8x lmRespData[24];
 uint8x ntRespData[24];
 uint32x cf = IVAL(&challenge->flags, 0);
 -char *u = strdup (user);
 -char *p = strchr (u, '@');
 -char *d = NULL;
 -char *domain;
 +uschar * u = string_copy(user);
 +uschar * p = Ustrchr(u, '@');
 +uschar * d = NULL;
 +uschar * domain;
 if (p)
   {
@@ -1492,33 +1516,33 @@ if (p)
   *p = '\0';
   }
 -else domain = d = strdup((cf & 0x1)?
 -  CCS GetUnicodeString(challenge, uDomain) :
 -  CCS GetString(challenge, uDomain));
 +else domain = d = string_copy(cf & 0x1
 +  ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
 +  : CUS get_challenge_str(challenge, &challenge->uDomain));
 -spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
 -spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
 +spa_smb_encrypt(password, challenge->challengeData, lmRespData);
 +spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
 response->bufIndex = 0;
 memcpy (response->ident, "NTLMSSP\0\0\0", 8);
 SIVAL (&response->msgType, 0, 3);
 -spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
 -spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
 +spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0);
 +spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0);
 if (cf & 0x1) {      /* Unicode Text */
 -     spa_unicode_add_string (response, uDomain, domain);
 -     spa_unicode_add_string (response, uUser, u);
 -     spa_unicode_add_string (response, uWks, u);
 +     spa_unicode_add_string(response, uDomain, domain);
 +     spa_unicode_add_string(response, uUser, u);
 +     spa_unicode_add_string(response, uWks, u);
 } else {             /* OEM Text */
 -     spa_string_add (response, uDomain, domain);
 -     spa_string_add (response, uUser, u);
 -     spa_string_add (response, uWks, u);
 +     spa_string_add(response, uDomain, domain);
 +     spa_string_add(response, uUser, u);
 +     spa_string_add(response, uWks, u);
 }
 -spa_string_add (response, sessionKey, NULL);
 +spa_string_add(response, sessionKey, NULL);
 response->flags = challenge->flags;
 -
 -if (d != NULL) free (d);
 -free (u);
 }
 +
 +
 +#endif   /*!MACRO_PREDEF*/
 diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h
 index cfe1b086d..3b0b3a9e3 100644
 --- a/src/auths/auth-spa.h
 +++ b/src/auths/auth-spa.h
@@ -79,10 +79,10 @@ typedef struct
 void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
 int spa_base64_to_bits(char *, int, const char *);
 -void spa_build_auth_response (SPAAuthChallenge *challenge,
 -       SPAAuthResponse *response, char *user, char *password);
 -void spa_build_auth_request (SPAAuthRequest *request, char *user,
 -       char *domain);
 +void spa_build_auth_response (SPAAuthChallenge * challenge,
 +       SPAAuthResponse * response, uschar * user, uschar * password);
 +void spa_build_auth_request (SPAAuthRequest * request, uschar * user,
 +       uschar * domain);
 extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
                              unsigned char * p24);
 extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
 diff --git a/src/auths/external.c b/src/auths/external.c
 index 7e7fca841..790b98159 100644
 --- a/src/auths/external.c
 +++ b/src/auths/external.c
@@ -103,7 +103,7 @@ if (expand_nmax == 0) 	/* skip if rxd data */
 if (ob->server_param2)
   {
   uschar * s = expand_string(ob->server_param2);
 -  auth_vars[expand_nmax] = s;
 +  auth_vars[expand_nmax = 1] = s;
   expand_nstring[++expand_nmax] = s;
   expand_nlength[expand_nmax] = Ustrlen(s);
   if (ob->server_param3)
 diff --git a/src/auths/spa.c b/src/auths/spa.c
 index ff90d33a3..bfaccefda 100644
 --- a/src/auths/spa.c
 +++ b/src/auths/spa.c
@@ -284,14 +284,13 @@ SPAAuthRequest   request;
 SPAAuthChallenge challenge;
 SPAAuthResponse  response;
 char msgbuf[2048];
 -char *domain = NULL;
 -char *username, *password;
 +uschar * domain = NULL, * username, * password;
 /* Code added by PH to expand the options */
 *buffer = 0;    /* Default no message when cancelled */
 -if (!(username = CS expand_string(ob->spa_username)))
 +if (!(username = expand_string(ob->spa_username)))
   {
   if (f.expand_string_forcedfail) return CANCELLED;
   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
@@ -300,7 +299,7 @@ if (!(username = CS expand_string(ob->spa_username)))
   return ERROR;
   }
 -if (!(password = CS expand_string(ob->spa_password)))
 +if (!(password = expand_string(ob->spa_password)))
   {
   if (f.expand_string_forcedfail) return CANCELLED;
   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
@@ -310,7 +309,7 @@ if (!(password = CS expand_string(ob->spa_password)))
   }
 if (ob->spa_domain)
 -  if (!(domain = CS expand_string(ob->spa_domain)))
 +  if (!(domain = expand_string(ob->spa_domain)))
     {
     if (f.expand_string_forcedfail) return CANCELLED;
     string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
@@ -330,7 +329,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
 DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
 -spa_build_auth_request(&request, CS username, domain);
 +spa_build_auth_request(&request, username, domain);
 spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));
 DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
@@ -347,7 +346,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
 DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
 spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
 -spa_build_auth_response(&challenge, &response, CS username, CS password);
 +spa_build_auth_response(&challenge, &response, username, password);
 spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
 DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
--- a/127
+++ b/127
@ -1,127 +0,0 @@
 diff -ru a/src/exim.c b/src/exim.c
 --- a/src/exim.c	2022-06-23 15:41:10.000000000 +0200
 +++ b/src/exim.c	2022-10-18 13:38:30.366261000 +0200
@@ -2001,8 +2001,6 @@
   regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
 #endif
 -for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
 -
 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
 this seems to be a generally accepted convention, since one finds symbolic
 links called "mailq" in standard OS configurations. */
@@ -6084,7 +6082,7 @@
   deliver_localpart_data = deliver_domain_data =
   recipient_data = sender_data = NULL;
   acl_var_m = NULL;
 -  for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
 +  regex_vars_clear();
   store_reset(reset_point);
   }
 diff -ru a/src/expand.c b/src/expand.c
 --- a/src/expand.c	2022-06-23 15:41:10.000000000 +0200
 +++ b/src/expand.c	2022-10-18 13:38:30.368690000 +0200
@@ -1873,7 +1873,7 @@
   return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
   }
 -/* Handle $auth<n> variables. */
 +/* Handle $auth<n>, $regex<n> variables. */
 if (Ustrncmp(name, "auth", 4) == 0)
   {
 diff -ru a/src/functions.h b/src/functions.h
 --- a/src/functions.h	2022-06-23 15:41:10.000000000 +0200
 +++ b/src/functions.h	2022-10-18 13:39:21.953979000 +0200
@@ -438,6 +438,7 @@
 extern BOOL    regex_match(const pcre2_code *, const uschar *, int, uschar **);
 extern BOOL    regex_match_and_setup(const pcre2_code *, const uschar *, int, int);
 extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL);
 +extern void    regex_vars_clear(void);
 extern void    retry_add_item(address_item *, uschar *, int);
 extern BOOL    retry_check_address(const uschar *, host_item *, uschar *, BOOL,
                  uschar **, uschar **);
 Only in b/src: functions.h.rej
 diff -ru a/src/globals.c b/src/globals.c
 --- a/src/globals.c	2022-06-23 15:41:10.000000000 +0200
 +++ b/src/globals.c	2022-10-18 13:46:22.093392000 +0200
@@ -1315,7 +1315,7 @@
 #endif
 const pcre2_code *regex_ismsgid      = NULL;
 const pcre2_code *regex_smtp_code    = NULL;
 -const uschar *regex_vars[REGEX_VARS];
 +const uschar *regex_vars[REGEX_VARS] = { 0 };
 #ifdef WHITELIST_D_MACROS
 const pcre2_code *regex_whitelisted_macro = NULL;
 #endif
 Only in b/src: globals.c.rej
 diff -ru a/src/regex.c b/src/regex.c
 --- a/src/regex.c	2022-06-23 15:41:10.000000000 +0200
 +++ b/src/regex.c	2022-10-18 13:43:13.041903000 +0200
@@ -96,18 +96,26 @@
 return FAIL;
 }
 +/* reset expansion variables */
 +void
 +regex_vars_clear(void)
 +{
 +regex_match_string = NULL;
 +for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
 +}
 +
 +
 int
 -regex(const uschar **listptr)
 +regex(const uschar ** listptr)
 {
 unsigned long mbox_size;
 -FILE *mbox_file;
 -pcre_list *re_list_head;
 -uschar *linebuffer;
 +FILE * mbox_file;
 +pcre_list * re_list_head;
 +uschar * linebuffer;
 long f_pos = 0;
 int ret = FAIL;
 -/* reset expansion variable */
 -regex_match_string = NULL;
 +regex_vars_clear();
 if (!mime_stream)				/* We are in the DATA ACL */
   {
@@ -169,14 +177,13 @@
 int
 mime_regex(const uschar **listptr)
 {
 -pcre_list *re_list_head = NULL;
 -FILE *f;
 -uschar *mime_subject = NULL;
 +pcre_list * re_list_head = NULL;
 +FILE * f;
 +uschar * mime_subject = NULL;
 int mime_subject_len = 0;
 int ret;
 -/* reset expansion variable */
 -regex_match_string = NULL;
 +regex_vars_clear();
 /* precompile our regexes */
 if (!(re_list_head = compile(*listptr)))
 diff -ru a/src/smtp_in.c b/src/smtp_in.c
 --- a/src/smtp_in.c	2022-06-23 15:41:10.000000000 +0200
 +++ b/src/smtp_in.c	2022-10-18 13:38:30.372819000 +0200
@@ -2157,8 +2157,10 @@
 #ifdef SUPPORT_I18N
 message_smtputf8 = FALSE;
 #endif
 +regex_vars_clear();
 body_linecount = body_zerocount = 0;
 +lookup_value = NULL;                           /* Can be set by ACL */
 sender_rate = sender_rate_limit = sender_rate_period = NULL;
 ratelimiters_mail = NULL;           /* Updated by ratelimit ACL condition */
                    /* Note that ratelimiters_conn persists across resets. */