From deba8115d2c2af26df42966b91ef04ff4dd79cde Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Thu, 14 May 2020 11:09:11 +0100 Subject: gentoo resync : 14.05.2020 --- .../exim/files/exim-4.82-makefile-freebsd.patch | 45 ---- .../exim/files/exim-4.89-as-needed-ldflags.patch | 145 ----------- .../files/exim-4.92-fix-eval-expansion-32bit.patch | 51 ---- .../exim/files/exim-4.92-localscan_dlopen.patch | 267 --------------------- mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch | 83 +++++++ .../exim/files/exim-4.93-localscan_dlopen.patch | 4 +- mail-mta/exim/files/exim-4.93-radius.patch | 66 +++++ 7 files changed, 152 insertions(+), 509 deletions(-) delete mode 100644 mail-mta/exim/files/exim-4.82-makefile-freebsd.patch delete mode 100644 mail-mta/exim/files/exim-4.89-as-needed-ldflags.patch delete mode 100644 mail-mta/exim/files/exim-4.92-fix-eval-expansion-32bit.patch delete mode 100644 mail-mta/exim/files/exim-4.92-localscan_dlopen.patch create mode 100644 mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch create mode 100644 mail-mta/exim/files/exim-4.93-radius.patch (limited to 'mail-mta/exim/files') diff --git a/mail-mta/exim/files/exim-4.82-makefile-freebsd.patch b/mail-mta/exim/files/exim-4.82-makefile-freebsd.patch deleted file mode 100644 index 9693d4945ad9..000000000000 --- a/mail-mta/exim/files/exim-4.82-makefile-freebsd.patch +++ /dev/null @@ -1,45 +0,0 @@ ---- OS/Makefile-FreeBSD.orig 2013-09-30 19:59:09.000000000 +0200 -+++ OS/Makefile-FreeBSD 2013-09-30 20:01:22.000000000 +0200 -@@ -1,10 +1,8 @@ --# Exim: OS-specific make file for FreeBSD --# There's no setting of CFLAGS here, to allow the system default --# for "make" to be the default. -- --CHOWN_COMMAND=/usr/sbin/chown --STRIP_COMMAND=/usr/bin/strip --CHMOD_COMMAND=/bin/chmod -+# Exim: OS-specific FreeBSD make file, modified for Gentoo Prefix -+ -+CHOWN_COMMAND=look_for_it -+STRIP_COMMAND= -+CHMOD_COMMAND=look_for_it - - HAVE_SA_LEN=YES - -@@ -15,17 +13,9 @@ - CFLAGS_DYNAMIC=-shared -rdynamic -fPIC - - # FreeBSD always ships with Berkeley DB -+DBMLIB = -ldb - USE_DB=yes - --# This code for building outside ports suggested by Richard Clayton --.ifdef X11BASE --X11=${X11BASE} --.elifdef LOCALBASE --X11=$(LOCALBASE) --.else --X11=/usr/local --.endif -- - # nb: FreeBSD is entirely elf; objformat was removed prior to FreeBSD 7 - # http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.bin/objformat/Attic/objformat.c - # deleted Jan 2007. -@@ -37,6 +27,7 @@ - # switch to default to ELF came with FreeBSD 3. elf(5) claims ELF support - # introduced in FreeBSD 2.2.6. - # -+X11=/usr/X11R6 - XINCLUDE=-I$(X11)/include - XLFLAGS=-L$(X11)/lib -Wl,-rpath,${X11}/lib - X11_LD_LIB=$(X11)/lib diff --git a/mail-mta/exim/files/exim-4.89-as-needed-ldflags.patch b/mail-mta/exim/files/exim-4.89-as-needed-ldflags.patch deleted file mode 100644 index 49e430939fcd..000000000000 --- a/mail-mta/exim/files/exim-4.89-as-needed-ldflags.patch +++ /dev/null @@ -1,145 +0,0 @@ -https://bugs.gentoo.org/show_bug.cgi?id=352265 - -Make sure LDFLAGS comes first, such that all libraries are considered, -and not discarded when --as-needed is in effect. - -https://bugs.gentoo.org/show_bug.cgi?id=391279 - -Use LDFLAGS for all targets, not just the exim binary, such that ---as-needed works as well. - - ---- OS/Makefile-Base -+++ OS/Makefile-Base -@@ -346,12 +346,12 @@ - buildrouters buildtransports \ - $(OBJ_EXIM) version.o - @echo "$(LNCC) -o exim" -- $(FE)$(PURIFY) $(LNCC) -o exim $(LFLAGS) $(OBJ_EXIM) version.o \ -+ $(FE)$(PURIFY) $(LNCC) -o exim $(LDFLAGS) $(OBJ_EXIM) version.o \ - routers/routers.a transports/transports.a lookups/lookups.a \ - auths/auths.a pdkim/pdkim.a \ - $(LIBRESOLV) $(LIBS) $(LIBS_EXIM) $(IPV6_LIBS) $(EXTRALIBS) \ - $(EXTRALIBS_EXIM) $(DBMLIB) $(LOOKUP_LIBS) $(AUTH_LIBS) \ -- $(PERL_LIBS) $(TLS_LIBS) $(PCRE_LIBS) $(LDFLAGS) -+ $(PERL_LIBS) $(TLS_LIBS) $(PCRE_LIBS) $(LFLAGS) - @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ - echo $(STRIP_COMMAND) exim; \ - $(STRIP_COMMAND) exim; \ -@@ -367,8 +367,8 @@ - - exim_dumpdb: $(OBJ_DUMPDB) - @echo "$(LNCC) -o exim_dumpdb" -- $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dumpdb $(LFLAGS) $(OBJ_DUMPDB) \ -- $(LIBS) $(EXTRALIBS) $(DBMLIB) -+ $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dumpdb $(LDFLAGS) $(OBJ_DUMPDB) \ -+ $(LIBS) $(EXTRALIBS) $(DBMLIB) $(LFLAGS) - @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ - echo $(STRIP_COMMAND) exim_dumpdb; \ - $(STRIP_COMMAND) exim_dumpdb; \ -@@ -382,8 +382,8 @@ - - exim_fixdb: $(OBJ_FIXDB) buildauths - @echo "$(LNCC) -o exim_fixdb" -- $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_fixdb $(LFLAGS) $(OBJ_FIXDB) \ -- auths/auths.a $(LIBS) $(EXTRALIBS) $(DBMLIB) -+ $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_fixdb $(LDFLAGS) $(OBJ_FIXDB) \ -+ auths/auths.a $(LIBS) $(EXTRALIBS) $(DBMLIB) $(LFLAGS) - @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ - echo $(STRIP_COMMAND) exim_fixdb; \ - $(STRIP_COMMAND) exim_fixdb; \ -@@ -397,8 +397,8 @@ - - exim_tidydb: $(OBJ_TIDYDB) - @echo "$(LNCC) -o exim_tidydb" -- $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_tidydb $(LFLAGS) $(OBJ_TIDYDB) \ -- $(LIBS) $(EXTRALIBS) $(DBMLIB) -+ $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_tidydb $(LDFLAGS) $(OBJ_TIDYDB) \ -+ $(LIBS) $(EXTRALIBS) $(DBMLIB) $(LFLAGS) - @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ - echo $(STRIP_COMMAND) exim_tidydb; \ - $(STRIP_COMMAND) exim_tidydb; \ -@@ -410,8 +410,8 @@ - - exim_dbmbuild: exim_dbmbuild.o - @echo "$(LNCC) -o exim_dbmbuild" -- $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dbmbuild $(LFLAGS) exim_dbmbuild.o \ -- $(LIBS) $(EXTRALIBS) $(DBMLIB) -+ $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dbmbuild $(LDFLAGS) exim_dbmbuild.o \ -+ $(LIBS) $(EXTRALIBS) $(DBMLIB) $(LFLAGS) - @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ - echo $(STRIP_COMMAND) exim_dbmbuild; \ - $(STRIP_COMMAND) exim_dbmbuild; \ -@@ -425,8 +425,8 @@ - @echo "$(CC) exim_lock.c" - $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) exim_lock.c - @echo "$(LNCC) -o exim_lock" -- $(FE)$(LNCC) -o exim_lock $(LFLAGS) exim_lock.o \ -- $(LIBS) $(EXTRALIBS) -+ $(FE)$(LNCC) -o exim_lock $(LDFLAGS) exim_lock.o \ -+ $(LIBS) $(EXTRALIBS) $(LFLAGS) - @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ - echo $(STRIP_COMMAND) exim_lock; \ - $(STRIP_COMMAND) exim_lock; \ -@@ -462,9 +462,9 @@ - $(FE)$(CC) -o em_version.o -c \ - $(CFLAGS) $(XINCLUDE) -I. ../exim_monitor/em_version.c - @echo "$(LNCC) -o eximon.bin" -- $(FE)$(PURIFY) $(LNCC) -o eximon.bin em_version.o $(LFLAGS) $(XLFLAGS) \ -+ $(FE)$(PURIFY) $(LNCC) -o eximon.bin em_version.o $(LDFLAGS) $(XLFLAGS) \ - $(OBJ_MONBIN) -lXaw -lXmu -lXt -lXext -lX11 $(PCRE_LIBS) \ -- $(LIBS) $(LIBS_EXIMON) $(EXTRALIBS) $(EXTRALIBS_EXIMON) -lc -+ $(LIBS) $(LIBS_EXIMON) $(EXTRALIBS) $(EXTRALIBS_EXIMON) -lc $(LFLAGS) - @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ - echo $(STRIP_COMMAND) eximon.bin; \ - $(STRIP_COMMAND) eximon.bin; \ -@@ -780,9 +780,9 @@ - string.o tod.o version.o utf8.o - $(CC) -c $(CFLAGS) $(INCLUDE) -DSTAND_ALONE dbfn.c - $(CC) -c $(CFLAGS) $(INCLUDE) -DCOMPILE_UTILITY store.c -- $(LNCC) -o test_dbfn $(LFLAGS) dbfn.o \ -+ $(LNCC) -o test_dbfn $(LDFLAGS) dbfn.o \ - dummies.o sa-globals.o sa-os.o store.o string.o \ -- tod.o version.o utf8.o $(LIBS) $(DBMLIB) $(LDFLAGS) -+ tod.o version.o utf8.o $(LIBS) $(DBMLIB) $(LFLAGS) - rm -f dbfn.o store.o - - test_host: config.h child.c host.c dns.c dummies.c sa-globals.o os.o \ -@@ -790,29 +790,29 @@ - $(CC) -c $(CFLAGS) $(INCLUDE) -DSTAND_ALONE -DTEST_HOST host.c - $(CC) -c $(CFLAGS) $(INCLUDE) -DSTAND_ALONE -DTEST_HOST dns.c - $(CC) -c $(CFLAGS) $(INCLUDE) -DSTAND_ALONE -DTEST_HOST dummies.c -- $(LNCC) -o test_host $(LFLAGS) \ -+ $(LNCC) -o test_host $(LDFLAGS) \ - host.o child.o dns.o dummies.o sa-globals.o os.o store.o string.o \ -- tod.o tree.o $(LIBS) $(LIBRESOLV) -+ tod.o tree.o $(LIBS) $(LIBRESOLV) $(LFLAGS) - rm -f child.o dummies.o host.o dns.o - - test_os: os.h os.c dummies.o sa-globals.o store.o string.o tod.o utf8.o - $(CC) -c $(CFLAGS) $(INCLUDE) -DSTAND_ALONE os.c -- $(LNCC) -o test_os $(LFLAGS) os.o dummies.o \ -- sa-globals.o store.o string.o tod.o utf8.o $(LIBS) $(LDFLAGS) -+ $(LNCC) -o test_os $(LDFLAGS) os.o dummies.o \ -+ sa-globals.o store.o string.o tod.o utf8.o $(LIBS) $(LFLAGS) - rm -f os.o - - test_parse: config.h parse.c dummies.o sa-globals.o \ - store.o string.o tod.o version.o utf8.o - $(CC) -c $(CFLAGS) $(INCLUDE) -DSTAND_ALONE parse.c -- $(LNCC) -o test_parse $(LFLAGS) parse.o \ -+ $(LNCC) -o test_parse $(LDFLAGS) parse.o \ - dummies.o sa-globals.o store.o string.o tod.o version.o \ -- utf8.o $(LDFLAGS) -+ utf8.o $(LFLAGS) - rm -f parse.o - - test_string: config.h string.c dummies.o sa-globals.o store.o tod.o utf8.o - $(CC) -c $(CFLAGS) $(INCLUDE) -DSTAND_ALONE string.c -- $(LNCC) -o test_string $(LFLAGS) -DSTAND_ALONE string.o \ -- dummies.o sa-globals.o store.o tod.o utf8.o $(LIBS) $(LDFLAGS) -+ $(LNCC) -o test_string $(LDFLAGS) -DSTAND_ALONE string.o \ -+ dummies.o sa-globals.o store.o tod.o utf8.o $(LIBS) $(LFLAGS) - rm -f string.o - - # End diff --git a/mail-mta/exim/files/exim-4.92-fix-eval-expansion-32bit.patch b/mail-mta/exim/files/exim-4.92-fix-eval-expansion-32bit.patch deleted file mode 100644 index 17d7d21113de..000000000000 --- a/mail-mta/exim/files/exim-4.92-fix-eval-expansion-32bit.patch +++ /dev/null @@ -1,51 +0,0 @@ -Extract from complete patch from -https://git.exim.org/exim.git/patch/26dd3aa007b3b77969610c031f59388e0953bd00 -to only take the buildconfig.c change because the git directory -structure is different from a release tarball causing this patch to fail -otherwise. - -From 26dd3aa007b3b77969610c031f59388e0953bd00 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Fri, 7 Jun 2019 11:54:10 +0100 -Subject: [PATCH] Fix detection of 32b platform at build time. Bug 2405 - ---- - src/src/buildconfig.c | 12 +++++--- - test/scripts/0000-Basic/0002 | 72 +++++++++++++++++++++++--------------------- - test/stdout/0002 | 72 +++++++++++++++++++++++--------------------- - 3 files changed, 83 insertions(+), 73 deletions(-) - -diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c -index 71cf97b..a680b34 100644 ---- a/src/src/buildconfig.c -+++ b/src/src/buildconfig.c -@@ -111,6 +111,7 @@ unsigned long test_ulong_t = 0L; - unsigned int test_uint_t = 0; - #endif - long test_long_t = 0; -+long long test_longlong_t = 0; - int test_int_t = 0; - FILE *base; - FILE *new; -@@ -155,15 +156,16 @@ This assumption is known to be OK for the common operating systems. */ - - fprintf(new, "#ifndef OFF_T_FMT\n"); - if (sizeof(test_off_t) > sizeof(test_long_t)) -- { - fprintf(new, "# define OFF_T_FMT \"%%lld\"\n"); -- fprintf(new, "# define LONGLONG_T long long int\n"); -- } - else -- { - fprintf(new, "# define OFF_T_FMT \"%%ld\"\n"); -+fprintf(new, "#endif\n\n"); -+ -+fprintf(new, "#ifndef LONGLONG_T\n"); -+if (sizeof(test_longlong_t) > sizeof(test_long_t)) -+ fprintf(new, "# define LONGLONG_T long long int\n"); -+else - fprintf(new, "# define LONGLONG_T long int\n"); -- } - fprintf(new, "#endif\n\n"); - - /* Now do the same thing for time_t variables. If the length is greater than diff --git a/mail-mta/exim/files/exim-4.92-localscan_dlopen.patch b/mail-mta/exim/files/exim-4.92-localscan_dlopen.patch deleted file mode 100644 index 57363e56d50e..000000000000 --- a/mail-mta/exim/files/exim-4.92-localscan_dlopen.patch +++ /dev/null @@ -1,267 +0,0 @@ -diff -ur exim-4.92.orig/src/config.h.defaults exim-4.92/src/config.h.defaults ---- exim-4.92.orig/src/config.h.defaults 2019-01-30 14:59:52.000000000 +0100 -+++ exim-4.92/src/config.h.defaults 2019-02-16 18:17:24.547216157 +0100 -@@ -32,6 +32,8 @@ - - #define AUTH_VARS 3 - -+#define DLOPEN_LOCAL_SCAN -+ - #define BIN_DIRECTORY - - #define CONFIGURE_FILE -Only in exim-4.92/src: config.h.defaults.orig -diff -ur exim-4.92.orig/src/EDITME exim-4.92/src/EDITME ---- exim-4.92.orig/src/EDITME 2019-01-30 14:59:52.000000000 +0100 -+++ exim-4.92/src/EDITME 2019-02-16 18:17:24.547216157 +0100 -@@ -824,6 +824,24 @@ - - - #------------------------------------------------------------------------------ -+# On systems which support dynamic loading of shared libraries, Exim can -+# load a local_scan function specified in its config file instead of having -+# to be recompiled with the desired local_scan function. For a full -+# description of the API to this function, see the Exim specification. -+ -+#DLOPEN_LOCAL_SCAN=yes -+ -+# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the -+# linker flags. Without it, the loaded .so won't be able to access any -+# functions from exim. -+ -+LFLAGS = -rdynamic -+ifeq ($(OSTYPE),Linux) -+LFLAGS += -ldl -+endif -+ -+ -+#------------------------------------------------------------------------------ - # The default distribution of Exim contains only the plain text form of the - # documentation. Other forms are available separately. If you want to install - # the documentation in "info" format, first fetch the Texinfo documentation -Only in exim-4.92/src: EDITME.orig -diff -ur exim-4.92.orig/src/globals.c exim-4.92/src/globals.c ---- exim-4.92.orig/src/globals.c 2019-01-30 14:59:52.000000000 +0100 -+++ exim-4.92/src/globals.c 2019-02-16 18:17:24.549216150 +0100 -@@ -41,6 +41,10 @@ - - uschar *no_aliases = NULL; - -+#ifdef DLOPEN_LOCAL_SCAN -+uschar *local_scan_path = NULL; -+#endif -+ - - /* For comments on these variables, see globals.h. I'm too idle to - duplicate them here... */ -Only in exim-4.92/src: globals.c.orig -diff -ur exim-4.92.orig/src/globals.h exim-4.92/src/globals.h ---- exim-4.92.orig/src/globals.h 2019-01-30 14:59:52.000000000 +0100 -+++ exim-4.92/src/globals.h 2019-02-16 18:17:24.549216150 +0100 -@@ -152,6 +152,9 @@ - extern int (*receive_ferror)(void); - extern BOOL (*receive_smtp_buffered)(void); - -+#ifdef DLOPEN_LOCAL_SCAN -+extern uschar *local_scan_path; /* Path to local_scan() library */ -+#endif - - /* For clearing, saving, restoring address expansion variables. We have to have - the size of this vector set explicitly, because it is referenced from more than -Only in exim-4.92/src: globals.h.orig -diff -ur exim-4.92.orig/src/local_scan.c exim-4.92/src/local_scan.c ---- exim-4.92.orig/src/local_scan.c 2019-01-30 14:59:52.000000000 +0100 -+++ exim-4.92/src/local_scan.c 2019-02-16 18:29:56.832732592 +0100 -@@ -5,61 +5,131 @@ - /* Copyright (c) University of Cambridge 1995 - 2009 */ - /* See the file NOTICE for conditions of use and distribution. */ - -+#include "exim.h" - --/****************************************************************************** --This file contains a template local_scan() function that just returns ACCEPT. --If you want to implement your own version, you should copy this file to, say --Local/local_scan.c, and edit the copy. To use your version instead of the --default, you must set -- --HAVE_LOCAL_SCAN=yes --LOCAL_SCAN_SOURCE=Local/local_scan.c -- --in your Local/Makefile. This makes it easy to copy your version for use with --subsequent Exim releases. -- --For a full description of the API to this function, see the Exim specification. --******************************************************************************/ -- -- --/* This is the only Exim header that you should include. The effect of --including any other Exim header is not defined, and may change from release to --release. Use only the documented interface! */ -- --#include "local_scan.h" -- -- --/* This is a "do-nothing" version of a local_scan() function. The arguments --are: -- -- fd The file descriptor of the open -D file, which contains the -- body of the message. The file is open for reading and -- writing, but modifying it is dangerous and not recommended. -- -- return_text A pointer to an unsigned char* variable which you can set in -- order to return a text string. It is initialized to NULL. -- --The return values of this function are: -- -- LOCAL_SCAN_ACCEPT -- The message is to be accepted. The return_text argument is -- saved in $local_scan_data. -- -- LOCAL_SCAN_REJECT -- The message is to be rejected. The returned text is used -- in the rejection message. -- -- LOCAL_SCAN_TEMPREJECT -- This specifies a temporary rejection. The returned text -- is used in the rejection message. --*/ -+#ifdef DLOPEN_LOCAL_SCAN -+#include -+static int (*local_scan_fn)(int fd, uschar **return_text) = NULL; -+static int load_local_scan_library(void); -+#endif - - int - local_scan(int fd, uschar **return_text) - { - fd = fd; /* Keep picky compilers happy */ - return_text = return_text; --return LOCAL_SCAN_ACCEPT; -+#ifdef DLOPEN_LOCAL_SCAN -+/* local_scan_path is defined AND not the empty string */ -+if (local_scan_path && *local_scan_path) -+ { -+ if (!local_scan_fn) -+ { -+ if (!load_local_scan_library()) -+ { -+ char *base_msg , *error_msg , *final_msg ; -+ int final_length = -1 ; -+ -+ base_msg=US"Local configuration error - local_scan() library failure\n"; -+ error_msg = dlerror() ; -+ -+ final_length = strlen(base_msg) + strlen(error_msg) + 1 ; -+ final_msg = (char*)malloc( final_length*sizeof(char) ) ; -+ *final_msg = '\0' ; -+ -+ strcat( final_msg , base_msg ) ; -+ strcat( final_msg , error_msg ) ; -+ -+ *return_text = final_msg ; -+ return LOCAL_SCAN_TEMPREJECT; -+ } -+ } -+ return local_scan_fn(fd, return_text); -+ } -+else -+#endif -+ return LOCAL_SCAN_ACCEPT; -+} -+ -+#ifdef DLOPEN_LOCAL_SCAN -+ -+static int load_local_scan_library(void) -+{ -+/* No point in keeping local_scan_lib since we'll never dlclose() anyway */ -+void *local_scan_lib = NULL; -+int (*local_scan_version_fn)(void); -+int vers_maj; -+int vers_min; -+ -+local_scan_lib = dlopen(local_scan_path, RTLD_NOW); -+if (!local_scan_lib) -+ { -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - " -+ "message temporarily rejected"); -+ return FALSE; -+ } -+ -+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major"); -+if (!local_scan_version_fn) -+ { -+ dlclose(local_scan_lib); -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " -+ "local_scan_version_major() function - message temporarily rejected"); -+ return FALSE; -+ } -+ -+/* The major number is increased when the ABI is changed in a non -+ backward compatible way. */ -+vers_maj = local_scan_version_fn(); -+ -+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor"); -+if (!local_scan_version_fn) -+ { -+ dlclose(local_scan_lib); -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " -+ "local_scan_version_minor() function - message temporarily rejected"); -+ return FALSE; -+ } -+ -+/* The minor number is increased each time a new feature is added (in a -+ way that doesn't break backward compatibility) -- Marc */ -+vers_min = local_scan_version_fn(); -+ -+ -+if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR) -+ { -+ dlclose(local_scan_lib); -+ local_scan_lib = NULL; -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major" -+ "version number, you need to recompile your module for this version" -+ "of exim (The module was compiled for version %d.%d and this exim provides" -+ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR, -+ LOCAL_SCAN_ABI_VERSION_MINOR); -+ return FALSE; -+ } -+else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR) -+ { -+ dlclose(local_scan_lib); -+ local_scan_lib = NULL; -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor" -+ "version number, you need to recompile your module for this version" -+ "of exim (The module was compiled for version %d.%d and this exim provides" -+ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR, -+ LOCAL_SCAN_ABI_VERSION_MINOR); -+ return FALSE; -+ } -+ -+local_scan_fn = dlsym(local_scan_lib, "local_scan"); -+if (!local_scan_fn) -+ { -+ dlclose(local_scan_lib); -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " -+ "local_scan() function - message temporarily rejected"); -+ return FALSE; -+ } -+ -+return TRUE; - } - -+#endif /* DLOPEN_LOCAL_SCAN */ -+ - /* End of local_scan.c */ -diff -ur exim-4.92.orig/src/readconf.c exim-4.92/src/readconf.c ---- exim-4.92.orig/src/readconf.c 2019-01-30 14:59:52.000000000 +0100 -+++ exim-4.92/src/readconf.c 2019-02-16 18:18:46.013947455 +0100 -@@ -199,6 +199,9 @@ - { "local_from_prefix", opt_stringptr, &local_from_prefix }, - { "local_from_suffix", opt_stringptr, &local_from_suffix }, - { "local_interfaces", opt_stringptr, &local_interfaces }, -+#ifdef DLOPEN_LOCAL_SCAN -+ { "local_scan_path", opt_stringptr, &local_scan_path }, -+#endif - #ifdef HAVE_LOCAL_SCAN - { "local_scan_timeout", opt_time, &local_scan_timeout }, - #endif diff --git a/mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch b/mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch new file mode 100644 index 000000000000..c957d5541e47 --- /dev/null +++ b/mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch @@ -0,0 +1,83 @@ +auths/spa: fix for CVE-2020-12783 + +This is a combined patch of git commits: + +57aa14b216432be381b6295c312065b2fd034f86 +a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0 + +leaving out whitespace noise for a smaller patch +and made it apply to the 4.93 release + +modified paths because Exim dists differ in layout from the git repo + +Fix SPA authenticator, checking client-supplied data before using it. Bug 2571 +Rework SPA fix to avoid overflows. Bug 2571 + + +--- a/src/auths/auth-spa.c ++++ b/src/auths/auth-spa.c +@@ -405,7 +405,7 @@ int + /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */ + { + int len = 0; +- register uschar digit1, digit2, digit3, digit4; ++ uschar digit1, digit2, digit3, digit4; + + if (in[0] == '+' && in[1] == ' ') + in += 2; +--- a/src/auths/spa.c ++++ b/src/auths/spa.c +@@ -139,7 +139,8 @@ SPAAuthChallenge challenge; + SPAAuthResponse response; + SPAAuthResponse *responseptr = &response; + uschar msgbuf[2048]; +-uschar *clearpass; ++uschar *clearpass, *s; ++unsigned off; + + /* send a 334, MS Exchange style, and grab the client's request, + unless we already have it via an initial response. */ +@@ -194,9 +195,19 @@ that causes failure if the size of msgbuf is exceeded. ****/ + + { + int i; +- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0); ++ char * p; + int len = SVAL(&responseptr->uUser.len,0)/2; + ++ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse) ++ || len >= sizeof(responseptr->buffer)/2 ++ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1) ++ ) ++ { ++ DEBUG(D_auth) ++ debug_printf("auth_spa_server(): bad uUser spec in response\n"); ++ return FAIL; ++ } ++ + if (len + 1 >= sizeof(msgbuf)) return FAIL; + for (i = 0; i < len; ++i) + { +@@ -245,12 +256,16 @@ spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData); + + /* compare NT hash (LM may not be available) */ + +-if (memcmp(ntRespData, +- ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0), +- 24) == 0) +- /* success. we have a winner. */ +- { ++off = IVAL(&responseptr->ntResponse.offset,0); ++if (off >= sizeof(SPAAuthResponse) - 24) ++ { ++ DEBUG(D_auth) ++ debug_printf("auth_spa_server(): bad ntRespData spec in response\n"); ++ return FAIL; ++ } ++s = (US responseptr) + off; ++ ++if (memcmp(ntRespData, s, 24) == 0) + return auth_check_serv_cond(ablock); +- } + + /* Expand server_condition as an authorization check (PH) */ diff --git a/mail-mta/exim/files/exim-4.93-localscan_dlopen.patch b/mail-mta/exim/files/exim-4.93-localscan_dlopen.patch index d2a5e63128aa..0d016dbeb26d 100644 --- a/mail-mta/exim/files/exim-4.93-localscan_dlopen.patch +++ b/mail-mta/exim/files/exim-4.93-localscan_dlopen.patch @@ -72,7 +72,7 @@ Only in exim-4.92/src: globals.h.orig diff -ur exim-4.92.orig/src/local_scan.c exim-4.92/src/local_scan.c --- exim-4.92.orig/src/local_scan.c 2019-01-30 14:59:52.000000000 +0100 +++ exim-4.92/src/local_scan.c 2019-02-16 18:29:56.832732592 +0100 -@@ -5,61 +5,131 @@ +@@ -5,61 +5,133 @@ /* Copyright (c) University of Cambridge 1995 - 2009 */ /* See the file NOTICE for conditions of use and distribution. */ @@ -126,9 +126,11 @@ diff -ur exim-4.92.orig/src/local_scan.c exim-4.92/src/local_scan.c - is used in the rejection message. -*/ +#ifdef DLOPEN_LOCAL_SCAN ++#include +#include +static int (*local_scan_fn)(int fd, uschar **return_text) = NULL; +static int load_local_scan_library(void); ++extern uschar *local_scan_path; /* Path to local_scan() library */ +#endif int diff --git a/mail-mta/exim/files/exim-4.93-radius.patch b/mail-mta/exim/files/exim-4.93-radius.patch new file mode 100644 index 000000000000..55c52bee561f --- /dev/null +++ b/mail-mta/exim/files/exim-4.93-radius.patch @@ -0,0 +1,66 @@ +From 70b28b113e21d21a528876c3abe88ccb5f7cc77d Mon Sep 17 00:00:00 2001 +From: Fabian Groffen +Date: Sat, 9 May 2020 11:35:12 +0200 +Subject: [PATCH] call_radius: fix compilation due to incorrect usage of + string_sprintf + +Since f3ebb786e451da973560f1c9d8cdb151d25108b5, string_sprintf cannot be +used without arguments any more, so use US directly. + +While at it, also make newline usage consistent to not return a newline +in errptr, when it is debug-printed, a newline is added. + +https://bugs.gentoo.org/720364 + +Signed-off-by: Fabian Groffen +--- + src/src/auths/call_radius.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/src/auths/call_radius.c b/src/src/auths/call_radius.c +index c3637436d..253fd75cd 100644 +--- a/src/src/auths/call_radius.c ++++ b/src/src/auths/call_radius.c +@@ -115,16 +115,16 @@ if (rc_read_config(RADIUS_CONFIG_FILE) != 0) + *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE); + + else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0) +- *errptr = string_sprintf("RADIUS: can't read dictionary"); ++ *errptr = US("RADIUS: can't read dictionary"); + + else if (rc_avpair_add(&send, PW_USER_NAME, user, 0) == NULL) +- *errptr = string_sprintf("RADIUS: add user name failed\n"); ++ *errptr = US("RADIUS: add user name failed"); + + else if (rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0) == NULL) +- *errptr = string_sprintf("RADIUS: add password failed\n"); ++ *errptr = US("RADIUS: add password failed"); + + else if (rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0) == NULL) +- *errptr = string_sprintf("RADIUS: add service type failed\n"); ++ *errptr = US("RADIUS: add service type failed"); + + #else /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */ + +@@ -132,17 +132,17 @@ if ((h = rc_read_config(RADIUS_CONFIG_FILE)) == NULL) + *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE); + + else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0) +- *errptr = string_sprintf("RADIUS: can't read dictionary"); ++ *errptr = US("RADIUS: can't read dictionary"); + + else if (rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0) == NULL) +- *errptr = string_sprintf("RADIUS: add user name failed\n"); ++ *errptr = US("RADIUS: add user name failed"); + + else if (rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args, + Ustrlen(radius_args), 0) == NULL) +- *errptr = string_sprintf("RADIUS: add password failed\n"); ++ *errptr = US("RADIUS: add password failed"); + + else if (rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0) == NULL) +- *errptr = string_sprintf("RADIUS: add service type failed\n"); ++ *errptr = US("RADIUS: add service type failed"); + + #endif /* RADIUS_LIB_RADIUSCLIENT */ + -- cgit v1.2.3