gentoo auto-resync : 08:11:2023 - 10:24:46

3 files changed, 0 insertions, 455 deletions

diff --git a/mail-mta/exim/files/exim-4.94-CVE-2022-3559.patch b/mail-mta/exim/files/exim-4.94-CVE-2022-3559.patch
deleted file mode 100644
index 533aaf1f9e51..000000000000
--- a/mail-mta/exim/files/exim-4.94-CVE-2022-3559.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-Patch cleaned up for Gentoo
-- applied to 4.94
-- removed unnecessary whitespace changes
-
-From 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 31 Aug 2022 15:37:40 +0100
-Subject: [PATCH 1/1] Fix $regex<n> use-after-free.  Bug 2915
-
---- exim-4.94.2/src/exim.c	2021-04-30 14:08:21.000000000 +0200
-+++ exim-4.94.2/src/exim.c	2022-10-19 09:15:58.611447982 +0200
-@@ -1886,8 +1886,6 @@
-   regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
- #endif
- 
--for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
--
- /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
- this seems to be a generally accepted convention, since one finds symbolic
- links called "mailq" in standard OS configurations. */
-@@ -5841,7 +5839,7 @@
-   deliver_localpart_data = deliver_domain_data =
-   recipient_data = sender_data = NULL;
-   acl_var_m = NULL;
--  for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
-+  regex_vars_clear();
- 
-   store_reset(reset_point);
-   }
---- exim-4.94.2/src/functions.h	2021-04-30 14:08:21.000000000 +0200
-+++ exim-4.94.2/src/functions.h	2022-10-19 09:17:44.882122667 +0200
-@@ -417,6 +417,7 @@
- #endif
- extern BOOL    regex_match_and_setup(const pcre *, const uschar *, int, int);
- extern const pcre *regex_must_compile(const uschar *, BOOL, BOOL);
-+extern void    regex_vars_clear(void);
- extern void    retry_add_item(address_item *, uschar *, int);
- extern BOOL    retry_check_address(const uschar *, host_item *, uschar *, BOOL,
-                  uschar **, uschar **);
---- exim-4.94.2/src/globals.c	2022-10-19 09:14:19.344751853 +0200
-+++ exim-4.94.2/src/globals.c	2022-10-19 09:18:27.675991666 +0200
-@@ -1289,7 +1289,7 @@
- #endif
- const pcre *regex_ismsgid      = NULL;
- const pcre *regex_smtp_code    = NULL;
--uschar *regex_vars[REGEX_VARS];
-+uschar *regex_vars[REGEX_VARS] = { 0 };
- #ifdef WHITELIST_D_MACROS
- const pcre *regex_whitelisted_macro = NULL;
- #endif
---- exim-4.94.2/src/regex.c	2021-04-30 14:08:21.000000000 +0200
-+++ exim-4.94.2/src/regex.c	2022-10-19 09:35:03.229084750 +0200
-@@ -98,7 +106,7 @@
- int ret = FAIL;
- 
- /* reset expansion variable */
--regex_match_string = NULL;
-+regex_vars_clear();
- 
- if (!mime_stream)				/* We are in the DATA ACL */
-   {
-@@ -166,8 +174,7 @@
- int mime_subject_len = 0;
- int ret;
- 
--/* reset expansion variable */
--regex_match_string = NULL;
-+regex_vars_clear();
- 
- /* precompile our regexes */
- if (!(re_list_head = compile(*listptr)))
-@@ -213,3 +205,14 @@
- }
- 
- #endif /* WITH_CONTENT_SCAN */
-+
-+/* reset expansion variables */
-+void
-+regex_vars_clear(void)
-+{
-+#ifdef WITH_CONTENT_SCAN
-+regex_match_string = NULL;
-+#endif
-+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
-+}
-+
---- exim-4.94.2/src/smtp_in.c	2021-04-30 14:08:21.000000000 +0200
-+++ exim-4.94.2/src/smtp_in.c	2022-10-19 09:15:58.613447975 +0200
-@@ -2161,8 +2161,10 @@
- #ifdef SUPPORT_I18N
- message_smtputf8 = FALSE;
- #endif
-+regex_vars_clear();
- body_linecount = body_zerocount = 0;
- 
-+lookup_value = NULL;				/* Can be set by ACL */
- sender_rate = sender_rate_limit = sender_rate_period = NULL;
- ratelimiters_mail = NULL;           /* Updated by ratelimit ACL condition */
-                    /* Note that ratelimiters_conn persists across resets. */
diff --git a/mail-mta/exim/files/exim-4.94.2-fix-crash-resolve.patch b/mail-mta/exim/files/exim-4.94.2-fix-crash-resolve.patch
deleted file mode 100644
index 27e68bfdd74f..000000000000
--- a/mail-mta/exim/files/exim-4.94.2-fix-crash-resolve.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From d4bc023436e4cce7c23c5f8bb5199e178b4cc743 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sun, 16 May 2021 19:11:19 +0200
-Subject: [PATCH] Fix host_name_lookup (Close 2747)
-
-https://bugs.exim.org/show_bug.cgi?id=2747
-
-(cherry picked from commit 20812729e3e47a193a21d326ecd036d67a8b2724)
----
- src/src/host.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/src/host.c b/src/src/host.c
---- a/src/host.c
-+++ b/src/host.c
-@@ -1691,7 +1691,7 @@ while ((ordername = string_nextinlist(&list, &sep, NULL, 0)))
-       {
-       uschar **aptr = NULL;
-       int ssize = 264;
--      int count = 0;
-+      int count = 1;  /* need 1 more for terminating NULL */
-       int old_pool = store_pool;
- 
-       sender_host_dnssec = dns_is_secure(dnsa);
diff --git a/mail-mta/exim/files/exim-4.94.2-openssl3.patch b/mail-mta/exim/files/exim-4.94.2-openssl3.patch
deleted file mode 100644
index f9758515bef1..000000000000
--- a/mail-mta/exim/files/exim-4.94.2-openssl3.patch
+++ /dev/null
@@ -1,332 +0,0 @@
-Original commits from upstream applied to 4.94.2 release tarball
-
-From a5d79c99f4948d9fd288a1bfaca3a44cf2caaa32 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 1 Dec 2021 17:36:18 +0000
-Subject: [PATCH] OpenSSL: use nondeprecated D-H functions under 3.0.0.
-
-From c6a290f4d8df3734b3cdc2232b4334ff8386c1da Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 1 Dec 2021 18:52:21 +0000
-Subject: [PATCH] OpenSSL: tidy DH and ECDH param setup Testsuite: expand DH
- testcase
-
-From ff7829398d74e67f1c1f40339a772fd76708e5ac Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
-Date: Sat, 27 Nov 2021 21:07:15 +0000
-Subject: [PATCH] Fix build for OpenSSL 3.0.0 .  Bug 2810
-
-From ca4014de81e6aa367aa0a54c49b4c3d4b137814c Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Sun, 1 Jan 2023 12:18:38 +0000
-Subject: [PATCH] OpenSSL: fix tls_eccurve setting explicit curve/group.  Bug
- 2954
-
-From 7fa5764c203f2f4a900898a79ed02d674075313f Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 2 Jan 2023 15:04:14 +0000
-Subject: [PATCH] OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0.  Bug
- 2954
-
-Broken-by: ca4014de81e6
-
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -227,12 +227,16 @@
-   { US"no_tlsv1", SSL_OP_NO_TLSv1 },
- #endif
- #ifdef SSL_OP_NO_TLSv1_1
--#if SSL_OP_NO_TLSv1_1 == 0x00000400L
-+# if OPENSSL_VERSION_NUMBER < 0x30000000L
-+#  if SSL_OP_NO_TLSv1_1 == 0x00000400L
-   /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
--#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
--#else
-+#   warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
-+#   define NO_SSL_OP_NO_TLSv1_1
-+#  endif
-+# endif
-+# ifndef NO_SSL_OP_NO_TLSv1_1
-   { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
--#endif
-+# endif
- #endif
- #ifdef SSL_OP_NO_TLSv1_2
-   { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
-@@ -1017,23 +1021,27 @@
- *************************************************/
- 
- /* If dhparam is set, expand it, and load up the parameters for DH encryption.
-+Server only.
- 
- Arguments:
-   sctx      The current SSL CTX (inbound or outbound)
-   dhparam   DH parameter file or fixed parameter identity string
--  host      connected host, if client; NULL if server
-   errstr    error string pointer
- 
- Returns:    TRUE if OK (nothing to set up, or setup worked)
- */
- 
- static BOOL
--init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
-+init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
- {
--BIO *bio;
--DH *dh;
--uschar *dhexpanded;
--const char *pem;
-+BIO * bio;
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-+DH * dh;
-+#else
-+EVP_PKEY * pkey;
-+#endif
-+uschar * dhexpanded;
-+const char * pem;
- int dh_bitsize;
- 
- if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
-@@ -1046,7 +1054,7 @@
-   if (!(bio = BIO_new_file(CS dhexpanded, "r")))
-     {
-     tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
--          host, US strerror(errno), errstr);
-+          NULL, US strerror(errno), errstr);
-     return FALSE;
-     }
-   }
-@@ -1061,17 +1069,23 @@
-   if (!(pem = std_dh_prime_named(dhexpanded)))
-     {
-     tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
--        host, US strerror(errno), errstr);
-+        NULL, US strerror(errno), errstr);
-     return FALSE;
-     }
-   bio = BIO_new_mem_buf(CS pem, -1);
-   }
- 
--if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
-+if (!(
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-+      dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
-+#else
-+      pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
-+#endif
-+   ) )
-   {
-   BIO_free(bio);
-   tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
--      host, NULL, errstr);
-+      NULL, NULL, errstr);
-   return FALSE;
-   }
- 
-@@ -1081,33 +1095,54 @@
-  * If someone wants to dance at the edge, then they can raise the limit or use
-  * current libraries. */
--#ifdef EXIM_HAVE_OPENSSL_DH_BITS
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-+# ifdef EXIM_HAVE_OPENSSL_DH_BITS
- /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
-  * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
- dh_bitsize = DH_bits(dh);
--#else
-+# else
- dh_bitsize = 8 * DH_size(dh);
-+# endif
-+#else	/* 3.0.0 + */
-+dh_bitsize = EVP_PKEY_get_bits(pkey);
- #endif
- 
--/* Even if it is larger, we silently return success rather than cause things
-- * to fail out, so that a too-large DH will not knock out all TLS; it's a
-- * debatable choice. */
--if (dh_bitsize > tls_dh_max_bits)
-+/* Even if it is larger, we silently return success rather than cause things to
-+fail out, so that a too-large DH will not knock out all TLS; it's a debatable
-+choice.  Likewise for a failing attempt to set one. */
-+
-+if (dh_bitsize <= tls_dh_max_bits)
-   {
--  DEBUG(D_tls)
--    debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
--        dh_bitsize, tls_dh_max_bits);
-+  if (
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-+      SSL_CTX_set_tmp_dh(sctx, dh)
-+#else
-+      SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
-+#endif
-+      == 0)
-+    {
-+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
-+    log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
-+	dhexpanded ? dhexpanded : US"default", ssl_errstring);
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+    /* EVP_PKEY_free(pkey);  crashes */
-+#endif
-+    }
-+  else
-+    DEBUG(D_tls)
-+      debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
-+	dhexpanded ? dhexpanded : US"default", dh_bitsize);
-   }
- else
--  {
--  SSL_CTX_set_tmp_dh(sctx, dh);
-   DEBUG(D_tls)
--    debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
--      dhexpanded ? dhexpanded : US"default", dh_bitsize);
--  }
-+    debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
-+	dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
- 
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
- DH_free(dh);
--BIO_free(bio);
-+#endif
-+/* The EVP_PKEY ownership stays with the ctx; do not free it */
- 
-+BIO_free(bio);
- return TRUE;
- }
- 
-@@ -1118,7 +1154,7 @@
- *               Initialize for ECDH              *
- *************************************************/
- 
--/* Load parameters for ECDH encryption.
-+/* Load parameters for ECDH encryption.  Server only.
- 
- For now, we stick to NIST P-256 because: it's simple and easy to configure;
- it avoids any patent issues that might bite redistributors; despite events in
-@@ -1136,37 +1172,40 @@
- 
- Arguments:
-   sctx      The current SSL CTX (inbound or outbound)
--  host      connected host, if client; NULL if server
-   errstr    error string pointer
- 
- Returns:    TRUE if OK (nothing to set up, or setup worked)
- */
- 
- static BOOL
--init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
-+init_ecdh(SSL_CTX * sctx, uschar ** errstr)
- {
- #ifdef OPENSSL_NO_ECDH
- return TRUE;
- #else
- 
--EC_KEY * ecdh;
- uschar * exp_curve;
--int nid;
--BOOL rv;
--
--if (host)	/* No ECDH setup for clients, only for servers */
--  return TRUE;
-+int nid, rc;
- 
- # ifndef EXIM_HAVE_ECDH
- DEBUG(D_tls)
--  debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
-+  debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n");
- return TRUE;
- # else
- 
- if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
-   return FALSE;
-+
-+/* Is the option deliberately empty? */
-+
- if (!exp_curve || !*exp_curve)
-+  {
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-+  DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n");
-+  (void) SSL_CTX_set1_curves(sctx, &nid, 0);
-+#endif
-   return TRUE;
-+  }
- 
- /* "auto" needs to be handled carefully.
-  * OpenSSL <  1.0.2: we do not select anything, but fallback to prime256v1
-@@ -1202,27 +1241,41 @@
- #   endif
-    )
-   {
--  tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
--    host, NULL, errstr);
-+  uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve);
-+  DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
-+  if (errstr) *errstr = s;
-   return FALSE;
-   }
- 
--if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
--  {
--  tls_error(US"Unable to create ec curve", host, NULL, errstr);
--  return FALSE;
--  }
-+# if OPENSSL_VERSION_NUMBER < 0x30000000L
-+ {
-+  EC_KEY * ecdh;
-+  if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
-+    {
-+    tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
-+    return FALSE;
-+    }
- 
--/* The "tmp" in the name here refers to setting a temporary key
--not to the stability of the interface. */
-+  /* The "tmp" in the name here refers to setting a temporary key
-+  not to the stability of the interface. */
- 
--if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
--  tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
-+  if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
-+    tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
-+  else
-+    DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
-+  EC_KEY_free(ecdh);
-+ }
-+
-+#else	/* v 3.0.0 + */
-+
-+if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
-+  tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr);
- else
--  DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
-+  DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve);
-+
-+#endif
- 
--EC_KEY_free(ecdh);
--return !rv;
-+return !!rc;
- 
- # endif	/*EXIM_HAVE_ECDH*/
- #endif /*OPENSSL_NO_ECDH*/
-@@ -1727,8 +1780,8 @@
- SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
- SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
- 
--if (  !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
--   || !init_ecdh(server_sni, NULL, &dummy_errstr)
-+if (  !init_dh(server_sni, cbinfo->dhparam, &dummy_errstr)
-+   || !init_ecdh(server_sni, &dummy_errstr)
-    )
-   goto bad;
- 
-@@ -2213,8 +2266,8 @@
- /* Initialize with DH parameters if supplied */
- /* Initialize ECDH temp key parameter selection */
- 
--if (  !init_dh(ctx, dhparam, host, errstr)
--   || !init_ecdh(ctx, host, errstr)
-+if (  !init_dh(ctx, dhparam, errstr)
-+   || !init_ecdh(ctx, errstr)
-    )
-   return DEFER;
-