gentoo resync : 30.05.2020

4 files changed, 392 insertions, 0 deletions

diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
new file mode 100644
index 000000000000..58af5a9cee11
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
@@ -0,0 +1,66 @@
+From bb92ea678c2a2a524d2ee6e9d598275a659168d2 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike@sf-mail.de>
+Date: Mon, 11 May 2020 18:30:13 +0200
+Subject: [PATCH 3/4] mimimum fix for CVE-2005-1513
+
+The first allocation at the tail of the function is not changed as that
+one starts with a small number of elements and grows only on
+subsequent call.s
+---
+ gen_allocdefs.h | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/gen_allocdefs.h b/gen_allocdefs.h
+index 783a9b1..0588441 100644
+--- a/gen_allocdefs.h
++++ b/gen_allocdefs.h
+@@ -4,24 +4,41 @@
+ #define GEN_ALLOC_ready(ta,type,field,len,a,i,n,x,base,ta_ready) \
+ int ta_ready(x,n) register ta *x; register unsigned int n; \
+ { register unsigned int i; \
++  unsigned int nlen; \
+   if (x->field) { \
+     i = x->a; \
+     if (n > i) { \
+-      x->a = base + n + (n >> 3); \
+-      if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
++      unsigned int nnum; \
++      if (__builtin_add_overflow(base, n, &nlen)) \
++        return 0; \
++      if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
++        return 0; \
++      if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
++        return 0; \
++      x->a = nlen; \
++      if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
+       x->a = i; return 0; } \
+     return 1; } \
+   x->len = 0; \
+   return !!(x->field = (type *) alloc((x->a = n) * sizeof(type))); }
+ 
+ #define GEN_ALLOC_readyplus(ta,type,field,len,a,i,n,x,base,ta_rplus) \
+-int ta_rplus(x,n) register ta *x; register unsigned int n; \
++int ta_rplus(x,n) register ta *x; unsigned int n; \
+ { register unsigned int i; \
+   if (x->field) { \
+     i = x->a; n += x->len; \
++    if (__builtin_add_overflow(n, x->len, &n)) \
++      return 0; \
+     if (n > i) { \
+-      x->a = base + n + (n >> 3); \
+-      if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
++      unsigned int nlen, nnum; \
++      if (__builtin_add_overflow(base, n, &nlen)) \
++        return 0; \
++      if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
++        return 0; \
++      if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
++        return 0; \
++      x->a = nlen; \
++      if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
+       x->a = i; return 0; } \
+     return 1; } \
+   x->len = 0; \
+-- 
+2.26.1
+
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1514.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1514.patch
new file mode 100644
index 000000000000..3876c290b676
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1514.patch
@@ -0,0 +1,39 @@
+From dc617a2f2d31e4c448b806791b3f8736cf9d1ffb Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike@sf-mail.de>
+Date: Tue, 12 May 2020 20:06:38 +0200
+Subject: [PATCH 2/4] fix possible signed integer overflow in commands()
+ (CVE-2005-1514)
+
+Fix it as suggested by the Qualys Security Advisory team.
+---
+ commands.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/commands.c b/commands.c
+index b0d3f61..90a50c9 100644
+--- a/commands.c
++++ b/commands.c
+@@ -10,16 +10,17 @@ int commands(ss,c)
+ substdio *ss;
+ struct commands *c;
+ {
+-  int i;
++  unsigned int i;
+   char *arg;
+ 
+   for (;;) {
+     if (!stralloc_copys(&cmd,"")) return -1;
+ 
+     for (;;) {
++      int j;
+       if (!stralloc_readyplus(&cmd,1)) return -1;
+-      i = substdio_get(ss,cmd.s + cmd.len,1);
+-      if (i != 1) return i;
++      j = substdio_get(ss,cmd.s + cmd.len,1);
++      if (j != 1) return j;
+       if (cmd.s[cmd.len] == '\n') break;
+       ++cmd.len;
+     }
+-- 
+2.26.1
+
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
new file mode 100644
index 000000000000..f1df70022e17
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
@@ -0,0 +1,64 @@
+From 5540e1b47ac043033e6661b4e04dcaf958db0110 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike@sf-mail.de>
+Date: Mon, 11 May 2020 18:55:11 +0200
+Subject: [PATCH 1/4] fix signedness wraparound in substdio_put()
+ (CVE-2005-1515)
+
+---
+ qmail.c   |  2 +-
+ substdo.c | 14 ++++++++------
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/qmail.c b/qmail.c
+index 186c092..7c86a04 100644
+--- a/qmail.c
++++ b/qmail.c
+@@ -61,7 +61,7 @@ void qmail_fail(qq) struct qmail *qq;
+   qq->flagerr = 1;
+ }
+ 
+-void qmail_put(qq,s,len) struct qmail *qq; char *s; int len;
++void qmail_put(qq,s,len) struct qmail *qq; char *s; unsigned int len;
+ {
+   if (!qq->flagerr) if (substdio_put(&qq->ss,s,len) == -1) qq->flagerr = 1;
+ }
+diff --git a/substdo.c b/substdo.c
+index fb616f7..bccf0d6 100644
+--- a/substdo.c
++++ b/substdo.c
+@@ -7,7 +7,7 @@ static int allwrite(op,fd,buf,len)
+ register int (*op)();
+ register int fd;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+   register int w;
+ 
+@@ -55,16 +55,18 @@ register int len;
+ int substdio_put(s,buf,len)
+ register substdio *s;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+-  register int n;
++  register unsigned int n = s->n; /* how many bytes to write in next chunk */
+  
+-  n = s->n;
+-  if (len > n - s->p) {
++  /* check if the input would fit in the buffer without flushing */
++  if (len > n - (unsigned int)s->p) {
+     if (substdio_flush(s) == -1) return -1;
+     /* now s->p == 0 */
+     if (n < SUBSTDIO_OUTSIZE) n = SUBSTDIO_OUTSIZE;
+-    while (len > s->n) {
++    /* as long as the remainder would not fit into s->x write it directly
++     * from buf to s->fd. */
++    while (len > (unsigned int)s->n) {
+       if (n > len) n = len;
+       if (allwrite(s->op,s->fd,buf,n) == -1) return -1;
+       buf += n;
+-- 
+2.26.1
+
diff --git a/mail-mta/netqmail/files/netqmail-1.06-overflows.patch b/mail-mta/netqmail/files/netqmail-1.06-overflows.patch
new file mode 100644
index 000000000000..d9932df972c4
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-overflows.patch
@@ -0,0 +1,223 @@
+From e8a1e037afc8729bd65d4bda36dedf444f301c0f Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike@sf-mail.de>
+Date: Mon, 11 May 2020 18:30:13 +0200
+Subject: [PATCH 4/4] fix additional length overflows
+
+---
+ Makefile        |  6 +++---
+ alloc.c         | 21 ++++++++++++++-------
+ qmail-local.c   |  3 ++-
+ qmail-pop3d.c   |  3 ++-
+ quote.c         | 10 +++++++++-
+ stralloc_catb.c |  8 +++++++-
+ stralloc_opyb.c |  8 +++++++-
+ substdo.c       |  4 ++--
+ 8 files changed, 46 insertions(+), 17 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 0f0e31a..4b592c6 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1673,7 +1673,7 @@ qsutil.h
+ 	./compile qsutil.c
+ 
+ quote.o: \
+-compile quote.c stralloc.h gen_alloc.h str.h quote.h
++compile quote.c stralloc.h gen_alloc.h str.h quote.h error.h
+ 	./compile quote.c
+ 
+ rcpthosts.o: \
+@@ -1965,7 +1965,7 @@ compile stralloc_cat.c byte.h stralloc.h gen_alloc.h
+ 	./compile stralloc_cat.c
+ 
+ stralloc_catb.o: \
+-compile stralloc_catb.c stralloc.h gen_alloc.h byte.h
++compile stralloc_catb.c stralloc.h gen_alloc.h byte.h error.h
+ 	./compile stralloc_catb.c
+ 
+ stralloc_cats.o: \
+@@ -1982,7 +1982,7 @@ gen_allocdefs.h
+ 	./compile stralloc_eady.c
+ 
+ stralloc_opyb.o: \
+-compile stralloc_opyb.c stralloc.h gen_alloc.h byte.h
++compile stralloc_opyb.c stralloc.h gen_alloc.h byte.h error.h
+ 	./compile stralloc_opyb.c
+ 
+ stralloc_opys.o: \
+diff --git a/alloc.c b/alloc.c
+index c661453..3ab5f6f 100644
+--- a/alloc.c
++++ b/alloc.c
+@@ -1,7 +1,6 @@
++#include <stdlib.h>
+ #include "alloc.h"
+ #include "error.h"
+-extern char *malloc();
+-extern void free();
+ 
+ #define ALIGNMENT 16 /* XXX: assuming that this alignment is enough */
+ #define SPACE 4096 /* must be multiple of ALIGNMENT */
+@@ -11,15 +10,23 @@ static aligned realspace[SPACE / ALIGNMENT];
+ #define space ((char *) realspace)
+ static unsigned int avail = SPACE; /* multiple of ALIGNMENT; 0<=avail<=SPACE */
+ 
++static char *m_alloc(unsigned int n)
++{
++  char *x = malloc(n);
++  if (!x) errno = error_nomem;
++  return x;
++}
++
+ /*@null@*//*@out@*/char *alloc(n)
+ unsigned int n;
+ {
+-  char *x;
+-  n = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */
++  if (n >= SPACE)
++    return m_alloc(n);
++  /* Round it up to the next multiple of alignment. Could overflow if n is
++   * close to 2**32, but by the check above this is already ruled out. */
++  n = ALIGNMENT + n - (n & (ALIGNMENT - 1));
+   if (n <= avail) { avail -= n; return space + avail; }
+-  x = malloc(n);
+-  if (!x) errno = error_nomem;
+-  return x;
++  return m_alloc(n);
+ }
+ 
+ void alloc_free(x)
+diff --git a/qmail-local.c b/qmail-local.c
+index 6fec288..f5e33fd 100644
+--- a/qmail-local.c
++++ b/qmail-local.c
+@@ -1,5 +1,6 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <stdlib.h>
+ #include "readwrite.h"
+ #include "sig.h"
+ #include "env.h"
+@@ -633,7 +634,7 @@ char **argv;
+      i = j + 1;
+     }
+ 
+- recips = (char **) alloc((numforward + 1) * sizeof(char *));
++ recips = (char **) calloc(numforward + 1, sizeof(char *));
+  if (!recips) temp_nomem();
+  numforward = 0;
+ 
+diff --git a/qmail-pop3d.c b/qmail-pop3d.c
+index 0ca4f9c..1916433 100644
+--- a/qmail-pop3d.c
++++ b/qmail-pop3d.c
+@@ -1,5 +1,6 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <stdlib.h>
+ #include "commands.h"
+ #include "sig.h"
+ #include "getln.h"
+@@ -131,7 +132,7 @@ void getlist()
+   if (maildir_scan(&pq,&filenames,1,1) == -1) die_scan();
+  
+   numm = pq.p ? pq.len : 0;
+-  m = (struct message *) alloc(numm * sizeof(struct message));
++  m = (struct message *) calloc(numm, sizeof(struct message));
+   if (!m) die_nomem();
+  
+   for (i = 0;i < numm;++i) {
+diff --git a/quote.c b/quote.c
+index 659cfcd..73b7214 100644
+--- a/quote.c
++++ b/quote.c
+@@ -1,3 +1,4 @@
++#include "error.h"
+ #include "stralloc.h"
+ #include "str.h"
+ #include "quote.h"
+@@ -23,8 +24,15 @@ stralloc *sain;
+  char ch;
+  int i;
+  int j;
++ unsigned int nlen;
+ 
+- if (!stralloc_ready(saout,sain->len * 2 + 2)) return 0;
++ /* make sure the size calculation below does not overflow */
++ if (__builtin_mul_overflow(sain->len, 2, &nlen) ||
++     __builtin_add_overflow(nlen, 2, &nlen)) {
++   errno = error_nomem;
++   return 0;
++ }
++ if (!stralloc_ready(saout,nlen)) return 0;
+  j = 0;
+  saout->s[j++] = '"';
+  for (i = 0;i < sain->len;++i)
+diff --git a/stralloc_catb.c b/stralloc_catb.c
+index 67dbcc0..a315810 100644
+--- a/stralloc_catb.c
++++ b/stralloc_catb.c
+@@ -1,13 +1,19 @@
+ #include "stralloc.h"
+ #include "byte.h"
++#include "error.h"
+ 
+ int stralloc_catb(sa,s,n)
+ stralloc *sa;
+ char *s;
+ unsigned int n;
+ {
++  unsigned int i;
+   if (!sa->s) return stralloc_copyb(sa,s,n);
+-  if (!stralloc_readyplus(sa,n + 1)) return 0;
++  if (__builtin_add_overflow(n, 1, &i)) {
++    errno = error_nomem;
++    return 0;
++  }
++  if (!stralloc_readyplus(sa,i)) return 0;
+   byte_copy(sa->s + sa->len,n,s);
+   sa->len += n;
+   sa->s[sa->len] = 'Z'; /* ``offensive programming'' */
+diff --git a/stralloc_opyb.c b/stralloc_opyb.c
+index ac258b3..8a6f305 100644
+--- a/stralloc_opyb.c
++++ b/stralloc_opyb.c
+@@ -1,12 +1,18 @@
+ #include "stralloc.h"
+ #include "byte.h"
++#include "error.h"
+ 
+ int stralloc_copyb(sa,s,n)
+ stralloc *sa;
+ char *s;
+ unsigned int n;
+ {
+-  if (!stralloc_ready(sa,n + 1)) return 0;
++  unsigned int i;
++  if (__builtin_add_overflow(n, 1, &i)) {
++    errno = error_nomem;
++    return 0;
++  }
++  if (!stralloc_ready(sa,i)) return 0;
+   byte_copy(sa->s,n,s);
+   sa->len = n;
+   sa->s[n] = 'Z'; /* ``offensive programming'' */
+diff --git a/substdo.c b/substdo.c
+index bccf0d6..ad7232a 100644
+--- a/substdo.c
++++ b/substdo.c
+@@ -38,9 +38,9 @@ register substdio *s;
+ int substdio_bput(s,buf,len)
+ register substdio *s;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+-  register int n;
++  register unsigned int n;
+  
+   while (len > (n = s->n - s->p)) {
+     byte_copy(s->x + s->p,n,buf); s->p += n; buf += n; len -= n;
+-- 
+2.26.1
+