Jeremy Harris [Sat, 15 May 2021 00:11:41 +0000 (01:11 +0100)]
hostlist for router fallback_hosts must be mutable
Jeremy Harris [Fri, 14 May 2021 23:48:40 +0000 (00:48 +0100)]
consification
Jeremy Harris [Fri, 14 May 2021 23:37:43 +0000 (00:37 +0100)]
avoid modifying source text in parse_forward_list()
Jeremy Harris [Fri, 14 May 2021 23:19:26 +0000 (00:19 +0100)]
avoid modifying source text, in appendfile
Jeremy Harris [Fri, 14 May 2021 23:03:01 +0000 (00:03 +0100)]
tree nodes for acls must be mutable
Jeremy Harris [Fri, 14 May 2021 23:01:27 +0000 (00:01 +0100)]
avoid modifying possible config text during :fail: delivery
Jeremy Harris [Fri, 14 May 2021 23:00:06 +0000 (00:00 +0100)]
copy transport struct for modifying for **bypassed** postprocess
Jeremy Harris [Fri, 14 May 2021 22:58:32 +0000 (23:58 +0100)]
use store_get_perm()
Jeremy Harris [Thu, 13 May 2021 21:19:10 +0000 (22:19 +0100)]
driver options blocks must be mutable
Jeremy Harris [Thu, 13 May 2021 20:59:25 +0000 (21:59 +0100)]
router instance must be mutable
Jeremy Harris [Thu, 13 May 2021 20:31:16 +0000 (21:31 +0100)]
namedlist_block has to be allocated mutably, to cache lookups
paniclog from 5 - subprocess crashes
Jeremy Harris [Mon, 10 May 2021 21:47:01 +0000 (22:47 +0100)]
first go. crashes in 0003
Jeremy Harris [Fri, 7 May 2021 12:09:12 +0000 (13:09 +0100)]
Suggestion from Qalys:
If I may add one more thing, there is an issue that should be addressed
sooner rather than later: the writable configuration at the beginning of
the heap. A short-term (and hopefully non-intrusive) solution may be to
mmap() the configuration instead, and then mprotect(PROT_READ) it. This
would mitigate the exploitation technique that almost all Exim exploits
have been using.
Jeremy Harris [Sun, 27 Jun 2021 23:29:09 +0000 (00:29 +0100)]
Fix Solaris 10 build, more
Jeremy Harris [Sun, 27 Jun 2021 20:15:45 +0000 (21:15 +0100)]
Fix Solaris 10 build, for intro of taintwarn
Broken-by: f9a3fcddba
Jeremy Harris [Sun, 27 Jun 2021 17:58:44 +0000 (18:58 +0100)]
TLS: track changing fd of file-watcher when creds are releaded.
Broken-by: 5fd673807d
Heiko Schlittermann (HS12-RIPE) [Fri, 25 Jun 2021 08:02:47 +0000 (10:02 +0200)]
Merge branch 'hs/taintwarn'
This is a "forward" port of the taintwarn patches that are applied to
4.94.2+fixes.
Heiko Schlittermann (HS12-RIPE) [Wed, 16 Jun 2021 20:22:50 +0000 (22:22 +0200)]
Testsuite: Fix 608
Heiko Schlittermann (HS12-RIPE) [Sat, 15 May 2021 11:40:46 +0000 (13:40 +0200)]
Fix logging with build-time config and empty elements (Closes 2733)
(cherry picked from commit
66392b270e3a6c8202e4626d43bbc9b77545ae23)
Jeremy Harris [Sat, 15 May 2021 11:37:04 +0000 (13:37 +0200)]
Fix logging with empty element in log_file_path (Bug 2733)
(cherry picked from commit
e19790f7707cc901435849e78d20f249056c16b5)
Heiko Schlittermann (HS12-RIPE) [Sun, 20 Jun 2021 17:02:59 +0000 (19:02 +0200)]
Revert "testsuite: adjust 622 for taintwarn"
This reverts commit
7ab3a6cd7fe7b033b5e267617f3be8a99b33db31.
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 08:17:57 +0000 (10:17 +0200)]
testsuite: adjust 622 for taintwarn
(cherry picked from commit
460aac0eb9a289af1ab0f32a242a27dab851fa18)
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 16:58:35 +0000 (18:58 +0200)]
Silence the compiler
(cherry picked from commit
33d5b8e8e4c2f23b4e834e3a095e3c9dd9f0686b)
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 20:41:57 +0000 (22:41 +0200)]
Do not close the (main)_log, if we do not see a chance to open it again.
The process doing local deliveries runs as an unprivileged user. If this
process needs to log failures or warnings (as caused by the
is_tainting2() function), it can't re-open the main_log and just exits.
(cherry picked from commit
235c7030ee9ee1c1aad507786506a470b580bfe2)
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 15:40:40 +0000 (17:40 +0200)]
Silence compiler
(cherry picked from commit
2c9869d0622cc690b424cc74166d4a8393017ece)
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 07:19:21 +0000 (09:19 +0200)]
Heiko Schlittermann (HS12-RIPE) [Mon, 5 Apr 2021 14:06:24 +0000 (16:06 +0200)]
testsuite: add 0990 for allow_insecure_tainted_data
(cherry picked from commit
56213337357265eb42c40dd04a22f6ac433b9e81)
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 07:29:13 +0000 (09:29 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:02:27 +0000 (22:02 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:42:38 +0000 (21:42 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 08:54:22 +0000 (10:54 +0200)]
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 06:36:24 +0000 (08:36 +0200)]
rf_get_transport
(cherry picked from commit
015fff57c854184f8bce61476c46a2830a97daf8)
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:36:12 +0000 (21:36 +0200)]
lf_sqlperform
(cherry picked from commit
9810dfc25d8b9687b46e57963a3ac30bf5c9b2c9)
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:33:50 +0000 (21:33 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:28:59 +0000 (21:28 +0200)]
Heiko Schlittermann (HS12-RIPE) [Wed, 31 Mar 2021 21:12:44 +0000 (23:12 +0200)]
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 15:30:27 +0000 (17:30 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 09:06:27 +0000 (11:06 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:59:46 +0000 (10:59 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:58:46 +0000 (10:58 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:50:14 +0000 (10:50 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:49:49 +0000 (10:49 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:45:03 +0000 (22:45 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:44:31 +0000 (22:44 +0200)]
Introduce main config option allow_insecure_tainted_data
This option is deprecated already now.
(cherry picked from commit
ec06d64532e4952fc36429f73e0222d26997ef7c)
Jeremy Harris [Tue, 22 Jun 2021 22:42:24 +0000 (23:42 +0100)]
GnuTLS: fix build with older GnuTLS
The ALPN handling we need requires later features than the basic functions.
Broken-byu:
f50a063dc0
Jeremy Harris [Tue, 22 Jun 2021 22:04:59 +0000 (23:04 +0100)]
TLS: as server, reject connections with ALPN indicating non-smtp use
Jeremy Harris [Mon, 21 Jun 2021 19:39:37 +0000 (20:39 +0100)]
Testsuite: fix testcases for non-TLS build
Jeremy Harris [Mon, 21 Jun 2021 19:22:23 +0000 (20:22 +0100)]
Testsuite: fix munging for no-TLS build
Broken-by: da40b1ec6b
Jeremy Harris [Sun, 20 Jun 2021 13:20:32 +0000 (14:20 +0100)]
Compiler quietening
Stupid static analysis failing to track crontrol dependencies
Jeremy Harris [Sat, 19 Jun 2021 19:12:09 +0000 (20:12 +0100)]
OpenSSL: on library versions too old to support session tickets
client-side limit the valid lifetime of resumable sessions
Jeremy Harris [Sat, 19 Jun 2021 18:11:43 +0000 (19:11 +0100)]
Testsuite: split out OpenSSL TLS1.3 resume tests
Older library versions do not support 1.3 so a separate numbered
testcase is needed
Jeremy Harris [Sat, 19 Jun 2021 18:10:26 +0000 (19:10 +0100)]
Testsuite: allow time for daemon to listen before terminating
Jeremy Harris [Thu, 17 Jun 2021 19:45:32 +0000 (20:45 +0100)]
OpenSSL: fix verify-certs stack initialization
Jeremy Harris [Thu, 17 Jun 2021 18:50:08 +0000 (19:50 +0100)]
Testsuite: output changes for OpenSSL library variants
Broken-by: 2f8e0a5f6b
Jeremy Harris [Thu, 17 Jun 2021 18:44:19 +0000 (19:44 +0100)]
Docs: typo
Jeremy Harris [Tue, 15 Jun 2021 18:27:04 +0000 (19:27 +0100)]
hosts_require_helo
Jeremy Harris [Sun, 13 Jun 2021 13:47:25 +0000 (14:47 +0100)]
Testsuite: EC cert
Jeremy Harris [Tue, 8 Jun 2021 20:42:23 +0000 (21:42 +0100)]
Fix server creds cache invalidation
Broken-by: 5fd673807d
Jeremy Harris [Mon, 7 Jun 2021 18:13:09 +0000 (19:13 +0100)]
compiler quietening
Jeremy Harris [Mon, 7 Jun 2021 17:47:14 +0000 (18:47 +0100)]
Re-fix non-Linux build
Jeremy Harris [Sun, 6 Jun 2021 21:23:03 +0000 (22:23 +0100)]
tidying
Vroken-by: ef77ddc923
Jeremy Harris [Sun, 6 Jun 2021 21:03:35 +0000 (22:03 +0100)]
Fix non-Linux build
Jeremy Harris [Sun, 6 Jun 2021 18:58:48 +0000 (19:58 +0100)]
Observability: listen queue backlog
Jeremy Harris [Sun, 6 Jun 2021 16:01:02 +0000 (17:01 +0100)]
Testsuite: testcase for multiple listener sockets ready
Jeremy Harris [Sun, 6 Jun 2021 13:05:02 +0000 (14:05 +0100)]
Avoid rescanning listen select set
Jeremy Harris [Sun, 6 Jun 2021 10:29:56 +0000 (11:29 +0100)]
Compute select fd_set outside daemon loop
Jeremy Harris [Sat, 5 Jun 2021 20:30:38 +0000 (21:30 +0100)]
Testsuite: fix OCSP/OpenSSL/1.3 testcase
Jeremy Harris [Sat, 5 Jun 2021 19:47:12 +0000 (20:47 +0100)]
Fix SSL creds file watching on kevent platforms (BSDs) for symlinks
Jeremy Harris [Fri, 4 Jun 2021 10:35:52 +0000 (11:35 +0100)]
DMARC: note unsupported library versions issue
Jeremy Harris [Tue, 1 Jun 2021 19:51:42 +0000 (20:51 +0100)]
debug: fix openssl output
Jeremy Harris [Tue, 1 Jun 2021 20:20:38 +0000 (21:20 +0100)]
Testsuite: regen certificates suite with fixed Authority Identifier
Jeremy Harris [Fri, 28 May 2021 19:04:44 +0000 (20:04 +0100)]
DKIM: under GnuTLS, permit weak algorithms
Recent versions of GnuTLS by default disallow use of some methods now regarded as
weak. This probably mean sha1, which is deprecated per DKIM standards.
Jeremy Harris [Fri, 28 May 2021 16:33:13 +0000 (17:33 +0100)]
Testsuite: use higher-spec certs, for more-recent GnuTLS versions which deprecate weaker ones
Needed for GnuTLS 3.6.15 (on Fedora 33)
Jeremy Harris [Fri, 28 May 2021 14:13:29 +0000 (15:13 +0100)]
tidying
Jeremy Harris [Fri, 28 May 2021 13:55:43 +0000 (14:55 +0100)]
Update testcase output to match newly applied default config limit
Broken-by: f07847e436
Jeremy Harris [Fri, 28 May 2021 13:41:00 +0000 (14:41 +0100)]
Fix testsuite output for DB cases
Broken-by: 186e99bafc
Jeremy Harris [Fri, 28 May 2021 13:09:45 +0000 (14:09 +0100)]
tidying
Jeremy Harris [Fri, 28 May 2021 12:33:49 +0000 (13:33 +0100)]
Logging: avoid pause during log-open under testsuite
It results in rearranged logging output, causing testsuite case failures
The downside is that we lose debug visbility of the extra process startup
Broken-by: b6c1434e47
Jeremy Harris [Fri, 28 May 2021 08:37:15 +0000 (09:37 +0100)]
Fix dmarc build
Broken-by: b6c1434e47
Jeremy Harris [Wed, 26 May 2021 12:41:13 +0000 (13:41 +0100)]
Docs: enhance section on redirect router :defer: & :fail:
Heiko Schlittermann (HS12-RIPE) [Thu, 27 May 2021 21:18:04 +0000 (23:18 +0200)]
Merge branch 'qualys-2020'
- all Qualys patches from 4.94.2
- all fixes from 4.94.2+fixes if not applied yet
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Apr 2021 08:47:45 +0000 (10:47 +0200)]
Fix BDAT issue for body w/o trailing CRLF (again Bug 1974)
(cherry picked from commit
919111edac911ba9c15422eafd7c5bf14d416d26)
Heiko Schlittermann (HS12-RIPE) [Thu, 29 Apr 2021 22:37:53 +0000 (00:37 +0200)]
testsuite: reproduce BDAT with missing eol (Bug 1974)
(cherry picked from commit
e9cecc465a570c1a4f34b199eae6bdd0a52ee2b0)
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 16:54:28 +0000 (18:54 +0200)]
Cleanup docs on cve-2020-qualys, point to the Exim website
(cherry picked from commit
6429b0fc79595f120703c022ae99aa10d698f909)
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 14:16:49 +0000 (16:16 +0200)]
rewrite: revert to unchecked result of parse_extract_address()
Now it breaks 471, and overlong addresses won't make it into the rewrite
process, as they are handled as empty.
(cherry picked from commit
506286c62b8786a926dafb5bb05d3103492b86bc)
Heiko Schlittermann (HS12-RIPE) [Mon, 19 Apr 2021 20:23:14 +0000 (22:23 +0200)]
Honour the outcome of parse_extract_address(), testsuite 471
(cherry picked from commit
39d83bf19fc0c4364e0a665360b14194c62e4ab4)
Heiko Schlittermann (HS12-RIPE) [Wed, 21 Apr 2021 05:52:39 +0000 (07:52 +0200)]
Update upgrade notes and source about use of seteuid()
(cherry picked from commit
bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb)
(cherry picked from commit
fee1a06ec05e58e0cda8cf04f28240688736f945)
Qualys Security Advisory [Tue, 23 Feb 2021 16:33:03 +0000 (08:33 -0800)]
CVE-2020-28007: Link attack in Exim's log directory
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
(cherry picked from commit
2502cc41d1d92c1413eca6a4ba035c21162662bd)
(cherry picked from commit
93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)]
CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
Based on Phil Pennock's commit
76a1ce77.
Modified by Qualys.
(cherry picked from commit
f218fef171cbe9e61d10f15399aab8fa6956535b)
(cherry picked from commit
8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46)
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:59:25 +0000 (22:59 +0200)]
SECURITY: Avoid modification of constant data in dkim handling
Based on Heiko Schlittermann's commits
f880c7f3 and
c118c7f4. This
fixes:
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
(cherry picked from commit
92359a62a0e31734ad8069c66f64b37f9eaaccbe)
(cherry picked from commit
c5f2f5cf2a6b45ae7ba0ed15e04fbe014727b210)
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:48:06 +0000 (22:48 +0200)]
SECURITY: Leave a clean smtp_out input buffer even in case of read error
Based on Heiko Schlittermann's commit
54895bc3. This fixes:
7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
(cherry picked from commit
30f5d98786fb4e6ccfdd112fe65c153f0ee34c5f)
(cherry picked from commit
d600f6c4d0c5d33e3988dfbfee248ff6a1536673)
Qualys Security Advisory [Mon, 22 Feb 2021 06:09:06 +0000 (22:09 -0800)]
SECURITY: Always exit when LOG_PANIC_DIE is set
(cherry picked from commit
e20aa895b37f449d5c81c3e7b102fc534b5d23ba)
(cherry picked from commit
3b8c0ceb7339329188e19efb907da950dbe691d1)
Qualys Security Advisory [Mon, 22 Feb 2021 05:53:55 +0000 (21:53 -0800)]
CVE-2020-28012: Missing close-on-exec flag for privileged pipe
(cherry picked from commit
72dad1e64bb3d1ff387938f59678098cab1f60a3)
(cherry picked from commit
645a31d16195bb6b73f0a0d0c04b2251e5b28421)
Qualys Security Advisory [Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)]
CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
(cherry picked from commit
998e5a9db121c3eff15cac16859bdffd7adcbe57)
(cherry picked from commit
638f7ca75694bcbb70cfbe7db2ef52af4aca5c83)
Qualys Security Advisory [Mon, 22 Feb 2021 05:45:19 +0000 (21:45 -0800)]
CVE-2020-28009: Integer overflow in get_stdinput()
(cherry picked from commit
bbf1bb10bee5a1d7cbcc97f178b348189219eb7d)
(cherry picked from commit
1241deaefb71c40436320af7d0bd04c7c9e54241)
Qualys Security Advisory [Mon, 22 Feb 2021 05:26:53 +0000 (21:26 -0800)]
CVE-2020-28015+28021: New-line injection into spool header file
(cherry picked from commit
31b1a42d0bd29cb05f85e56d3343b13bef20a2bd)
(cherry picked from commit
fcddccd650178ceeec3655c6c40f420164a8706e)
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:03:49 +0000 (22:03 +0200)]
CVE-2020-28026: Line truncation and injection in spool_read_header()
This also fixes:
2/ In src/spool_in.c:
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).
Based on a patch done by Qualys.
(cherry picked from commit
f0c307458e1ee81abbe7ed2d4a8d16b5cbd8a799)
(cherry picked from commit
4daba4bec729a57fb0863af786a1395e70794c76)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:12:02 +0000 (23:12 +0200)]
CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
Based on Phil Pennock's commit
c5017adf.
(cherry picked from commit
9e941e1807b624b255c9ec0f41a0b3a89e144de3)
(cherry picked from commit
33d4c87653ddbbea9fd8cb8eb2ff78c149850006)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:05:58 +0000 (23:05 +0200)]
CVE-2020-28017: Integer overflow in receive_add_recipient()
Based on Phil Pennock's commit
e3b441f7.
(cherry picked from commit
18a19e18242edc5ab2082fa9c41cd6210d1b6087)
(cherry picked from commit
605716b999a4ca6c7d5777ab7463058e9b055dc2)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:02:34 +0000 (23:02 +0200)]
SECURITY: Refuse negative and large store allocations
Based on Phil Pennock's commits
b34d3046 and
e6c1606a. Done by Qualys.
(cherry picked from commit
09d36bd64fc5bf71d8882af35c41ac4e8599acc1)
(cherry picked from commit
f9c58fb385343b8e3fa13988efcbd30ae3285ea7)