exim.git
3 years agogsasl authenticator: do not try to clear server password after use, if
Jeremy Harris [Mon, 17 May 2021 11:40:51 +0000 (12:40 +0100)]
gsasl authenticator: do not try to clear server password after use, if
from config text

3 years agoSmall config, with:
Jeremy Harris [Sun, 16 May 2021 19:22:45 +0000 (20:22 +0100)]
Small config, with:

----Exit nonpool max:  18 kB in 8 blocks
----Exit npools  max:  95 kB
----Exit  pool 0 max:  12 kB in 2 blocks at order 13 untainted main
----Exit  pool 1 max:   4 kB in 1 blocks at order 13 untainted perm
----Exit  pool 2 max:   4 kB in 1 blocks at order 13    untainted config
----Exit  pool 3 max:   4 kB in 1 blocks at order 13    untainted search
----Exit  pool 4 max:   4 kB in 1 blocks at order 13    untainted message
----Exit  pool 5 max:   4 kB in 1 blocks at order 13    tainted main
----Exit  pool 6 max:  52 kB in 3 blocks at order 15    tainted perm
----Exit  pool 7 max:   4 kB in 1 blocks at order 13    tainted config
----Exit  pool 8 max:   4 kB in 1 blocks at order 13    tainted search
----Exit  pool 9 max:   4 kB in 1 blocks at order 13    tainted message

Small config, without:

----Exit nonpool max:  18 kB in 8 blocks
----Exit npools  max:  87 kB
----Exit  pool 0 max:  12 kB in 2 blocks at order 13 untainted main
----Exit  pool 1 max:   4 kB in 1 blocks at order 13 untainted perm
----Exit  pool 2 max:   4 kB in 1 blocks at order 13    untainted search
----Exit  pool 3 max:   4 kB in 1 blocks at order 13    untainted message
----Exit  pool 4 max:   4 kB in 1 blocks at order 13    tainted main
----Exit  pool 5 max:  52 kB in 3 blocks at order 15    tainted perm
----Exit  pool 6 max:   4 kB in 1 blocks at order 13    tainted search
----Exit  pool 7 max:   4 kB in 1 blocks at order 13    tainted message

Large config, with:

----Exit nonpool max:  17 kB in 30 blocks
----Exit npools  max: 309 kB
----Exit  pool 0 max: 124 kB in 5 blocks at order 17    untainted main
----Exit  pool 1 max:  60 kB in 4 blocks at order 15    untainted perm
----Exit  pool 2 max: 298 kB in 2 blocks at order 13    untainted config
----Exit  pool 3 max:  12 kB in 2 blocks at order 13    untainted search
----Exit  pool 4 max:   4 kB in 1 blocks at order 13    untainted message
----Exit  pool 5 max:  60 kB in 4 blocks at order 15    tainted main
----Exit  pool 6 max:  52 kB in 3 blocks at order 15    tainted perm
----Exit  pool 7 max:   4 kB in 1 blocks at order 13    tainted config
----Exit  pool 8 max:   4 kB in 1 blocks at order 13    tainted search
----Exit  pool 9 max:   4 kB in 1 blocks at order 13    tainted message

Large config, without:

----Exit nonpool max: 212 kB in 30 blocks
----Exit npools  max: 591 kB
----Exit  pool 0 max: 508 kB in 7 blocks at order 19    untainted main
----Exit  pool 1 max:  12 kB in 2 blocks at order 13    untainted perm
----Exit  pool 2 max:   4 kB in 1 blocks at order 13    untainted search
----Exit  pool 3 max:   4 kB in 1 blocks at order 13    untainted message
----Exit  pool 4 max:   4 kB in 1 blocks at order 13    tainted main
----Exit  pool 5 max:  52 kB in 3 blocks at order 15    tainted perm
----Exit  pool 6 max:   4 kB in 1 blocks at order 13    tainted search
----Exit  pool 7 max:   4 kB in 1 blocks at order 13    tainted message

3 years agopaniclog sigsegv events
Jeremy Harris [Sun, 16 May 2021 14:37:18 +0000 (15:37 +0100)]
paniclog sigsegv events

3 years agoopenssl config strings are immutable
Jeremy Harris [Sun, 16 May 2021 12:22:20 +0000 (13:22 +0100)]
openssl config strings are immutable

3 years agoConfig lines are immutable during -bP config dump
Jeremy Harris [Sun, 16 May 2021 11:52:36 +0000 (12:52 +0100)]
Config lines are immutable during  -bP config  dump

3 years agoautorepy never_mail strings are immutable
Jeremy Harris [Sat, 15 May 2021 15:52:12 +0000 (16:52 +0100)]
autorepy never_mail strings are immutable

3 years agoavoid mofying config text
Jeremy Harris [Sat, 15 May 2021 15:32:57 +0000 (16:32 +0100)]
avoid mofying config text

3 years agosmtp tpt fallback_hosts list must be mutable
Jeremy Harris [Sat, 15 May 2021 14:41:43 +0000 (15:41 +0100)]
smtp tpt fallback_hosts list must be mutable

3 years agoacceptable log output change
Jeremy Harris [Sat, 15 May 2021 14:18:22 +0000 (15:18 +0100)]
acceptable log output change

3 years agohostlist for router fallback_hosts must be mutable
Jeremy Harris [Sat, 15 May 2021 00:11:41 +0000 (01:11 +0100)]
hostlist for router fallback_hosts must be mutable

3 years agoconsification
Jeremy Harris [Fri, 14 May 2021 23:48:40 +0000 (00:48 +0100)]
consification

3 years agoavoid modifying source text in parse_forward_list()
Jeremy Harris [Fri, 14 May 2021 23:37:43 +0000 (00:37 +0100)]
avoid modifying source text in parse_forward_list()

3 years agoavoid modifying source text, in appendfile
Jeremy Harris [Fri, 14 May 2021 23:19:26 +0000 (00:19 +0100)]
avoid modifying source text, in appendfile

3 years agotree nodes for acls must be mutable
Jeremy Harris [Fri, 14 May 2021 23:03:01 +0000 (00:03 +0100)]
tree nodes for acls must be mutable

3 years agoavoid modifying possible config text during :fail: delivery
Jeremy Harris [Fri, 14 May 2021 23:01:27 +0000 (00:01 +0100)]
avoid modifying possible config text during :fail: delivery

3 years agocopy transport struct for modifying for **bypassed** postprocess
Jeremy Harris [Fri, 14 May 2021 23:00:06 +0000 (00:00 +0100)]
copy transport struct for modifying for **bypassed** postprocess

3 years agouse store_get_perm()
Jeremy Harris [Fri, 14 May 2021 22:58:32 +0000 (23:58 +0100)]
use store_get_perm()

3 years agodriver options blocks must be mutable
Jeremy Harris [Thu, 13 May 2021 21:19:10 +0000 (22:19 +0100)]
driver options blocks must be mutable

3 years agorouter instance must be mutable
Jeremy Harris [Thu, 13 May 2021 20:59:25 +0000 (21:59 +0100)]
router instance must be mutable

3 years agonamedlist_block has to be allocated mutably, to cache lookups
Jeremy Harris [Thu, 13 May 2021 20:31:16 +0000 (21:31 +0100)]
namedlist_block has to be allocated mutably, to cache lookups
paniclog from 5 - subprocess crashes

3 years agofirst go. crashes in 0003
Jeremy Harris [Mon, 10 May 2021 21:47:01 +0000 (22:47 +0100)]
first go.  crashes in 0003

3 years agoSuggestion from Qalys:
Jeremy Harris [Fri, 7 May 2021 12:09:12 +0000 (13:09 +0100)]
Suggestion from Qalys:

If I may add one more thing, there is an issue that should be addressed
sooner rather than later: the writable configuration at the beginning of
the heap. A short-term (and hopefully non-intrusive) solution may be to
mmap() the configuration instead, and then mprotect(PROT_READ) it. This
would mitigate the exploitation technique that almost all Exim exploits
have been using.

3 years agoFix Solaris 10 build, more
Jeremy Harris [Sun, 27 Jun 2021 23:29:09 +0000 (00:29 +0100)]
Fix Solaris 10 build, more

3 years agoFix Solaris 10 build, for intro of taintwarn
Jeremy Harris [Sun, 27 Jun 2021 20:15:45 +0000 (21:15 +0100)]
Fix Solaris 10 build, for intro of taintwarn

Broken-by: f9a3fcddba
3 years agoTLS: track changing fd of file-watcher when creds are releaded.
Jeremy Harris [Sun, 27 Jun 2021 17:58:44 +0000 (18:58 +0100)]
TLS: track changing fd of file-watcher when creds are releaded.

Broken-by: 5fd673807d
3 years agoMerge branch 'hs/taintwarn'
Heiko Schlittermann (HS12-RIPE) [Fri, 25 Jun 2021 08:02:47 +0000 (10:02 +0200)]
Merge branch 'hs/taintwarn'

This is a "forward" port of the taintwarn patches that are applied to
4.94.2+fixes.

3 years agoTestsuite: Fix 608 hs/taintwarn
Heiko Schlittermann (HS12-RIPE) [Wed, 16 Jun 2021 20:22:50 +0000 (22:22 +0200)]
Testsuite: Fix 608

3 years agoFix logging with build-time config and empty elements (Closes 2733)
Heiko Schlittermann (HS12-RIPE) [Sat, 15 May 2021 11:40:46 +0000 (13:40 +0200)]
Fix logging with build-time config and empty elements (Closes 2733)

(cherry picked from commit 66392b270e3a6c8202e4626d43bbc9b77545ae23)

3 years agoFix logging with empty element in log_file_path (Bug 2733)
Jeremy Harris [Sat, 15 May 2021 11:37:04 +0000 (13:37 +0200)]
Fix logging with empty element in log_file_path (Bug 2733)

(cherry picked from commit e19790f7707cc901435849e78d20f249056c16b5)

3 years agoRevert "testsuite: adjust 622 for taintwarn"
Heiko Schlittermann (HS12-RIPE) [Sun, 20 Jun 2021 17:02:59 +0000 (19:02 +0200)]
Revert "testsuite: adjust 622 for taintwarn"

This reverts commit 7ab3a6cd7fe7b033b5e267617f3be8a99b33db31.

3 years agotestsuite: adjust 622 for taintwarn
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 08:17:57 +0000 (10:17 +0200)]
testsuite: adjust 622 for taintwarn

(cherry picked from commit 460aac0eb9a289af1ab0f32a242a27dab851fa18)

3 years agoSilence the compiler
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 16:58:35 +0000 (18:58 +0200)]
Silence the compiler

(cherry picked from commit 33d5b8e8e4c2f23b4e834e3a095e3c9dd9f0686b)

3 years agoDo not close the (main)_log, if we do not see a chance to open it again.
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 20:41:57 +0000 (22:41 +0200)]
Do not close the (main)_log, if we do not see a chance to open it again.

The process doing local deliveries runs as an unprivileged user. If this
process needs to log failures or warnings (as caused by the
is_tainting2() function), it can't re-open the main_log and just exits.

(cherry picked from commit 235c7030ee9ee1c1aad507786506a470b580bfe2)

3 years agoSilence compiler
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 15:40:40 +0000 (17:40 +0200)]
Silence compiler

(cherry picked from commit 2c9869d0622cc690b424cc74166d4a8393017ece)

3 years agotidy log.c
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 07:19:21 +0000 (09:19 +0200)]
tidy log.c

(cherry picked from commit 0327b6460eec64da6b0c1543c7e9b3d0f8cb9294)
(cherry picked from commit 8021b95c2e266861aba29c97b4bb90dc6f7637a2)

3 years agotestsuite: add 0990 for allow_insecure_tainted_data
Heiko Schlittermann (HS12-RIPE) [Mon, 5 Apr 2021 14:06:24 +0000 (16:06 +0200)]
testsuite: add 0990 for allow_insecure_tainted_data

(cherry picked from commit 56213337357265eb42c40dd04a22f6ac433b9e81)

3 years agoupdate doc
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 07:29:13 +0000 (09:29 +0200)]
update doc

(cherry picked from commit 77cc1ad3058e4ef7ae82adb914ccff0be9fe2c8b)

3 years agosmtp
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:02:27 +0000 (22:02 +0200)]
smtp

(cherry picked from commit 8b7d4ba8903ace7e3e3db70343798a5a0b7cea23)

3 years agosmtp_out
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:42:38 +0000 (21:42 +0200)]
smtp_out

(cherry picked from commit b9b967cca71a4da51506f8ba596b9ae40cfcef57)

3 years agodeliver
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 08:54:22 +0000 (10:54 +0200)]
deliver

(cherry picked from commit 2bafe3fc82cf62f0c21f939f5891b8d067f3abc7)

3 years agorf_get_transport
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 06:36:24 +0000 (08:36 +0200)]
rf_get_transport

(cherry picked from commit 015fff57c854184f8bce61476c46a2830a97daf8)

3 years agolf_sqlperform
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:36:12 +0000 (21:36 +0200)]
lf_sqlperform

(cherry picked from commit 9810dfc25d8b9687b46e57963a3ac30bf5c9b2c9)

3 years agoexpand
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:33:50 +0000 (21:33 +0200)]
expand

(cherry picked from commit c02ea85f525ff256d78e084d6f76fe3032fd52e1)

3 years agodirectory
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:28:59 +0000 (21:28 +0200)]
directory

(cherry picked from commit 5f41e800ce9cc7ad154047298914df955e905bf4)

3 years agodeliver
Heiko Schlittermann (HS12-RIPE) [Wed, 31 Mar 2021 21:12:44 +0000 (23:12 +0200)]
deliver

(cherry picked from commit 2fee91ae42e974c21202e0b5e17185f6a87bf8af)

3 years agopipe
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 15:30:27 +0000 (17:30 +0200)]
pipe

(cherry picked from commit f9628406706112be459adb3f121db8e6cf282c2d)

3 years agoautoreply
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 09:06:27 +0000 (11:06 +0200)]
autoreply

(cherry picked from commit 26de37d8960da80473866fb59b9dfd10a5761538)

3 years agorda
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:59:46 +0000 (10:59 +0200)]
rda

(cherry picked from commit a6da9c67acaee699616516be141d600cc178a633)

3 years agoparse
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:58:46 +0000 (10:58 +0200)]
parse

(cherry picked from commit 7eeeb6f26af05322814ecc77c87f09c72ab2216a)

3 years agoacl
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:50:14 +0000 (10:50 +0200)]
acl

(cherry picked from commit 44fd80ad8abcd885fc1c8dbb294fc2140e4ef481)

3 years agodbstuff
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:49:49 +0000 (10:49 +0200)]
dbstuff

(cherry picked from commit 35b11dd0e52b5ac176849f807cca8898bcaf0c3d)

3 years agosearch
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:45:03 +0000 (22:45 +0200)]
search

(cherry picked from commit b71d675f695c2cf17357b190476129535d5f446c)

3 years agoIntroduce main config option allow_insecure_tainted_data
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:44:31 +0000 (22:44 +0200)]
Introduce main config option allow_insecure_tainted_data

This option is deprecated already now.

(cherry picked from commit ec06d64532e4952fc36429f73e0222d26997ef7c)

3 years agoGnuTLS: fix build with older GnuTLS
Jeremy Harris [Tue, 22 Jun 2021 22:42:24 +0000 (23:42 +0100)]
GnuTLS: fix build with older GnuTLS

The ALPN handling we need requires later features than the basic functions.
Broken-byu: f50a063dc0

3 years agoTLS: as server, reject connections with ALPN indicating non-smtp use
Jeremy Harris [Tue, 22 Jun 2021 22:04:59 +0000 (23:04 +0100)]
TLS: as server, reject connections with ALPN indicating non-smtp use

3 years agoTestsuite: fix testcases for non-TLS build
Jeremy Harris [Mon, 21 Jun 2021 19:39:37 +0000 (20:39 +0100)]
Testsuite: fix testcases for non-TLS build

3 years agoTestsuite: fix munging for no-TLS build
Jeremy Harris [Mon, 21 Jun 2021 19:22:23 +0000 (20:22 +0100)]
Testsuite: fix munging for no-TLS build

Broken-by: da40b1ec6b
3 years agoCompiler quietening
Jeremy Harris [Sun, 20 Jun 2021 13:20:32 +0000 (14:20 +0100)]
Compiler quietening

Stupid static analysis failing to track crontrol dependencies

3 years agoOpenSSL: on library versions too old to support session tickets
Jeremy Harris [Sat, 19 Jun 2021 19:12:09 +0000 (20:12 +0100)]
OpenSSL: on library versions too old to support session tickets
client-side limit the valid lifetime of resumable sessions

3 years agoTestsuite: split out OpenSSL TLS1.3 resume tests
Jeremy Harris [Sat, 19 Jun 2021 18:11:43 +0000 (19:11 +0100)]
Testsuite: split out OpenSSL TLS1.3 resume tests

Older library versions do not support 1.3 so a separate numbered
testcase is needed

3 years agoTestsuite: allow time for daemon to listen before terminating
Jeremy Harris [Sat, 19 Jun 2021 18:10:26 +0000 (19:10 +0100)]
Testsuite: allow time for daemon to listen before terminating

3 years agoOpenSSL: fix verify-certs stack initialization
Jeremy Harris [Thu, 17 Jun 2021 19:45:32 +0000 (20:45 +0100)]
OpenSSL: fix verify-certs stack initialization

3 years agoTestsuite: output changes for OpenSSL library variants
Jeremy Harris [Thu, 17 Jun 2021 18:50:08 +0000 (19:50 +0100)]
Testsuite: output changes for OpenSSL library variants

Broken-by: 2f8e0a5f6b
3 years agoDocs: typo
Jeremy Harris [Thu, 17 Jun 2021 18:44:19 +0000 (19:44 +0100)]
Docs: typo

3 years agohosts_require_helo
Jeremy Harris [Tue, 15 Jun 2021 18:27:04 +0000 (19:27 +0100)]
hosts_require_helo

3 years agoTestsuite: EC cert
Jeremy Harris [Sun, 13 Jun 2021 13:47:25 +0000 (14:47 +0100)]
Testsuite: EC cert

3 years agoFix server creds cache invalidation
Jeremy Harris [Tue, 8 Jun 2021 20:42:23 +0000 (21:42 +0100)]
Fix server creds cache invalidation

Broken-by: 5fd673807d
3 years agocompiler quietening
Jeremy Harris [Mon, 7 Jun 2021 18:13:09 +0000 (19:13 +0100)]
compiler quietening

3 years agoRe-fix non-Linux build
Jeremy Harris [Mon, 7 Jun 2021 17:47:14 +0000 (18:47 +0100)]
Re-fix non-Linux build

3 years agotidying
Jeremy Harris [Sun, 6 Jun 2021 21:23:03 +0000 (22:23 +0100)]
tidying

Vroken-by: ef77ddc923
3 years agoFix non-Linux build
Jeremy Harris [Sun, 6 Jun 2021 21:03:35 +0000 (22:03 +0100)]
Fix non-Linux build

3 years agoObservability: listen queue backlog
Jeremy Harris [Sun, 6 Jun 2021 18:58:48 +0000 (19:58 +0100)]
Observability: listen queue backlog

3 years agoTestsuite: testcase for multiple listener sockets ready
Jeremy Harris [Sun, 6 Jun 2021 16:01:02 +0000 (17:01 +0100)]
Testsuite: testcase for multiple listener sockets ready

3 years agoAvoid rescanning listen select set
Jeremy Harris [Sun, 6 Jun 2021 13:05:02 +0000 (14:05 +0100)]
Avoid rescanning listen select set

3 years agoCompute select fd_set outside daemon loop
Jeremy Harris [Sun, 6 Jun 2021 10:29:56 +0000 (11:29 +0100)]
Compute select fd_set outside daemon loop

3 years agoTestsuite: fix OCSP/OpenSSL/1.3 testcase
Jeremy Harris [Sat, 5 Jun 2021 20:30:38 +0000 (21:30 +0100)]
Testsuite: fix OCSP/OpenSSL/1.3 testcase

3 years agoFix SSL creds file watching on kevent platforms (BSDs) for symlinks
Jeremy Harris [Sat, 5 Jun 2021 19:47:12 +0000 (20:47 +0100)]
Fix SSL creds file watching on kevent platforms (BSDs) for symlinks

3 years agoDMARC: note unsupported library versions issue
Jeremy Harris [Fri, 4 Jun 2021 10:35:52 +0000 (11:35 +0100)]
DMARC: note unsupported library versions issue

3 years agodebug: fix openssl output
Jeremy Harris [Tue, 1 Jun 2021 19:51:42 +0000 (20:51 +0100)]
debug: fix openssl output

3 years agoTestsuite: regen certificates suite with fixed Authority Identifier
Jeremy Harris [Tue, 1 Jun 2021 20:20:38 +0000 (21:20 +0100)]
Testsuite: regen certificates suite with fixed Authority Identifier

3 years agoDKIM: under GnuTLS, permit weak algorithms
Jeremy Harris [Fri, 28 May 2021 19:04:44 +0000 (20:04 +0100)]
DKIM: under GnuTLS, permit weak algorithms

Recent versions of GnuTLS by default disallow use of some methods now regarded as
weak.  This probably mean sha1, which is deprecated per DKIM standards.

3 years agoTestsuite: use higher-spec certs, for more-recent GnuTLS versions which deprecate...
Jeremy Harris [Fri, 28 May 2021 16:33:13 +0000 (17:33 +0100)]
Testsuite: use higher-spec certs, for more-recent GnuTLS versions which deprecate weaker ones

Needed for GnuTLS 3.6.15 (on Fedora 33)

3 years agotidying
Jeremy Harris [Fri, 28 May 2021 14:13:29 +0000 (15:13 +0100)]
tidying

3 years agoUpdate testcase output to match newly applied default config limit
Jeremy Harris [Fri, 28 May 2021 13:55:43 +0000 (14:55 +0100)]
Update testcase output to match newly applied default config limit
Broken-by: f07847e436
3 years agoFix testsuite output for DB cases
Jeremy Harris [Fri, 28 May 2021 13:41:00 +0000 (14:41 +0100)]
Fix testsuite output for DB cases
Broken-by: 186e99bafc
3 years agotidying
Jeremy Harris [Fri, 28 May 2021 13:09:45 +0000 (14:09 +0100)]
tidying

3 years agoLogging: avoid pause during log-open under testsuite
Jeremy Harris [Fri, 28 May 2021 12:33:49 +0000 (13:33 +0100)]
Logging: avoid pause during log-open under testsuite
It results in rearranged logging output, causing testsuite case failures
The downside is that we lose debug visbility of the extra process startup

Broken-by: b6c1434e47
3 years agoFix dmarc build
Jeremy Harris [Fri, 28 May 2021 08:37:15 +0000 (09:37 +0100)]
Fix dmarc build
Broken-by: b6c1434e47
3 years agoDocs: enhance section on redirect router :defer: & :fail:
Jeremy Harris [Wed, 26 May 2021 12:41:13 +0000 (13:41 +0100)]
Docs: enhance section on redirect router :defer: & :fail:

3 years agoMerge branch 'qualys-2020'
Heiko Schlittermann (HS12-RIPE) [Thu, 27 May 2021 21:18:04 +0000 (23:18 +0200)]
Merge branch 'qualys-2020'

- all Qualys patches from 4.94.2
- all fixes from 4.94.2+fixes if not applied yet

3 years agoFix BDAT issue for body w/o trailing CRLF (again Bug 1974)
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Apr 2021 08:47:45 +0000 (10:47 +0200)]
Fix BDAT issue for body w/o trailing CRLF (again Bug 1974)

(cherry picked from commit 919111edac911ba9c15422eafd7c5bf14d416d26)

3 years agotestsuite: reproduce BDAT with missing eol (Bug 1974)
Heiko Schlittermann (HS12-RIPE) [Thu, 29 Apr 2021 22:37:53 +0000 (00:37 +0200)]
testsuite: reproduce BDAT with missing eol (Bug 1974)

(cherry picked from commit e9cecc465a570c1a4f34b199eae6bdd0a52ee2b0)

3 years agoCleanup docs on cve-2020-qualys, point to the Exim website
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 16:54:28 +0000 (18:54 +0200)]
Cleanup docs on cve-2020-qualys, point to the Exim website

(cherry picked from commit 6429b0fc79595f120703c022ae99aa10d698f909)

3 years agorewrite: revert to unchecked result of parse_extract_address()
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 14:16:49 +0000 (16:16 +0200)]
rewrite: revert to unchecked result of parse_extract_address()

Now it breaks 471, and overlong addresses won't make it into the rewrite
process, as they are handled as empty.

(cherry picked from commit 506286c62b8786a926dafb5bb05d3103492b86bc)

3 years agoHonour the outcome of parse_extract_address(), testsuite 471
Heiko Schlittermann (HS12-RIPE) [Mon, 19 Apr 2021 20:23:14 +0000 (22:23 +0200)]
Honour the outcome of parse_extract_address(), testsuite 471

(cherry picked from commit 39d83bf19fc0c4364e0a665360b14194c62e4ab4)

3 years agoUpdate upgrade notes and source about use of seteuid()
Heiko Schlittermann (HS12-RIPE) [Wed, 21 Apr 2021 05:52:39 +0000 (07:52 +0200)]
Update upgrade notes and source about use of seteuid()

(cherry picked from commit bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb)
(cherry picked from commit fee1a06ec05e58e0cda8cf04f28240688736f945)

3 years agoCVE-2020-28007: Link attack in Exim's log directory
Qualys Security Advisory [Tue, 23 Feb 2021 16:33:03 +0000 (08:33 -0800)]
CVE-2020-28007: Link attack in Exim's log directory

We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!

This patch also fixes:

- a NULL-pointer dereference in usr1_handler() (this signal handler is
  installed before process_log_path is initialized);

- a file-descriptor leak in dmarc_write_history_file() (two return paths
  did not close history_file_fd).

Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."

(cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)
(cherry picked from commit 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)

3 years agoCVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)]
CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()

Based on Phil Pennock's commit 76a1ce77.
Modified by Qualys.

(cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b)
(cherry picked from commit 8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46)

3 years agoSECURITY: Avoid modification of constant data in dkim handling
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:59:25 +0000 (22:59 +0200)]
SECURITY: Avoid modification of constant data in dkim handling

Based on Heiko Schlittermann's commits f880c7f3 and c118c7f4. This
fixes:

6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:

 773   canon_data->len = b->bodylength - b->signed_body_bytes;

For example, the following proof of concept sets lineending.len to 0
(this should not be possible):

(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25

(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948

Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}

(cherry picked from commit 92359a62a0e31734ad8069c66f64b37f9eaaccbe)
(cherry picked from commit c5f2f5cf2a6b45ae7ba0ed15e04fbe014727b210)

3 years agoSECURITY: Leave a clean smtp_out input buffer even in case of read error
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:48:06 +0000 (22:48 +0200)]
SECURITY: Leave a clean smtp_out input buffer even in case of read error

Based on Heiko Schlittermann's commit 54895bc3. This fixes:

7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.

(cherry picked from commit 30f5d98786fb4e6ccfdd112fe65c153f0ee34c5f)
(cherry picked from commit d600f6c4d0c5d33e3988dfbfee248ff6a1536673)