Heiko Schlittermann (HS12-RIPE) [Mon, 3 May 2021 13:53:28 +0000 (15:53 +0200)]
Fix DANE + SNI handling (Bug 2265)
Broken in
d8e99d6047e709b35eabb1395c2046100d1a1dda
Thanks to JGH and Wolfgang Breyha for contributions.
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Apr 2021 08:47:45 +0000 (10:47 +0200)]
Fix BDAT issue for body w/o trailing CRLF (again Bug 1974)
Heiko Schlittermann (HS12-RIPE) [Thu, 29 Apr 2021 22:37:53 +0000 (00:37 +0200)]
testsuite: reproduce BDAT with missing eol (Bug 1974)
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 16:54:28 +0000 (18:54 +0200)]
Cleanup docs on cve-2020-qualys, point to the Exim website
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 14:16:49 +0000 (16:16 +0200)]
rewrite: revert to unchecked result of parse_extract_address()
Now it breaks 471, and overlong addresses won't make it into the rewrite
process, as they are handled as empty.
Heiko Schlittermann (HS12-RIPE) [Mon, 19 Apr 2021 20:23:14 +0000 (22:23 +0200)]
Honour the outcome of parse_extract_address(), testsuite 471
Qualys Security Advisory [Mon, 22 Feb 2021 03:11:55 +0000 (19:11 -0800)]
CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
Extracted from Jeremy Harris's commit
afaf5a50.
Heiko Schlittermann (HS12-RIPE) [Wed, 21 Apr 2021 07:09:13 +0000 (09:09 +0200)]
Remove merge artifact
Heiko Schlittermann (HS12-RIPE) [Wed, 21 Apr 2021 05:52:39 +0000 (07:52 +0200)]
Update upgrade notes and source about use of seteuid()
(cherry picked from commit
bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb)
Qualys Security Advisory [Tue, 23 Feb 2021 16:33:03 +0000 (08:33 -0800)]
CVE-2020-28007: Link attack in Exim's log directory
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
(cherry picked from commit
2502cc41d1d92c1413eca6a4ba035c21162662bd)
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)]
CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
Based on Phil Pennock's commit
76a1ce77.
Modified by Qualys.
(cherry picked from commit
f218fef171cbe9e61d10f15399aab8fa6956535b)
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:59:25 +0000 (22:59 +0200)]
SECURITY: Avoid modification of constant data in dkim handling
Based on Heiko Schlittermann's commits
f880c7f3 and
c118c7f4. This
fixes:
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
(cherry picked from commit
92359a62a0e31734ad8069c66f64b37f9eaaccbe)
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:48:06 +0000 (22:48 +0200)]
SECURITY: Leave a clean smtp_out input buffer even in case of read error
Based on Heiko Schlittermann's commit
54895bc3. This fixes:
7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
(cherry picked from commit
30f5d98786fb4e6ccfdd112fe65c153f0ee34c5f)
Qualys Security Advisory [Mon, 22 Feb 2021 06:09:06 +0000 (22:09 -0800)]
SECURITY: Always exit when LOG_PANIC_DIE is set
(cherry picked from commit
e20aa895b37f449d5c81c3e7b102fc534b5d23ba)
Qualys Security Advisory [Mon, 22 Feb 2021 05:53:55 +0000 (21:53 -0800)]
CVE-2020-28012: Missing close-on-exec flag for privileged pipe
(cherry picked from commit
72dad1e64bb3d1ff387938f59678098cab1f60a3)
Qualys Security Advisory [Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)]
CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
(cherry picked from commit
998e5a9db121c3eff15cac16859bdffd7adcbe57)
Qualys Security Advisory [Mon, 22 Feb 2021 05:45:19 +0000 (21:45 -0800)]
CVE-2020-28009: Integer overflow in get_stdinput()
(cherry picked from commit
bbf1bb10bee5a1d7cbcc97f178b348189219eb7d)
Qualys Security Advisory [Mon, 22 Feb 2021 05:26:53 +0000 (21:26 -0800)]
CVE-2020-28015+28021: New-line injection into spool header file
(cherry picked from commit
31b1a42d0bd29cb05f85e56d3343b13bef20a2bd)
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:03:49 +0000 (22:03 +0200)]
CVE-2020-28026: Line truncation and injection in spool_read_header()
This also fixes:
2/ In src/spool_in.c:
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).
Based on a patch done by Qualys.
(cherry picked from commit
f0c307458e1ee81abbe7ed2d4a8d16b5cbd8a799)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:12:02 +0000 (23:12 +0200)]
CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
Based on Phil Pennock's commit
c5017adf.
(cherry picked from commit
9e941e1807b624b255c9ec0f41a0b3a89e144de3)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:05:58 +0000 (23:05 +0200)]
CVE-2020-28017: Integer overflow in receive_add_recipient()
Based on Phil Pennock's commit
e3b441f7.
(cherry picked from commit
18a19e18242edc5ab2082fa9c41cd6210d1b6087)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:02:34 +0000 (23:02 +0200)]
SECURITY: Refuse negative and large store allocations
Based on Phil Pennock's commits
b34d3046 and
e6c1606a. Done by Qualys.
(cherry picked from commit
09d36bd64fc5bf71d8882af35c41ac4e8599acc1)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 20:44:47 +0000 (22:44 +0200)]
CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
Based on Phil Pennock's
8a50c88a, done by Qualys
(cherry picked from commit
8161c16ec7320ac6164954bade23179a0ed095eb)
Qualys Security Advisory [Mon, 22 Feb 2021 03:22:33 +0000 (19:22 -0800)]
CVE-2020-28011: Heap buffer overflow in queue_run()
(cherry picked from commit
6e1fb878e95f8e6f838ffde5258c7a969c981865)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 20:16:28 +0000 (22:16 +0200)]
CVE-2020-28010: Heap out-of-bounds write in main()
Based on Phil Pennock's
0f57feb4. Done by Qualys, modified by me.
(cherry picked from commit
b0982c2776048948ebae48574b70fa487684cb8c)
Qualys Security Advisory [Mon, 22 Feb 2021 03:05:56 +0000 (19:05 -0800)]
CVE-2020-28018: Use-after-free in tls-openssl.c
(cherry picked from commit
6290686dd59d8158d100c67e8f96df27158a6fc5)
Qualys Security Advisory [Mon, 22 Feb 2021 02:54:16 +0000 (18:54 -0800)]
CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
(cherry picked from commit
cad30cd3fb96196e908e0d66b1b45fdf377c850c)
Heiko Schlittermann (HS12-RIPE) [Thu, 25 Mar 2021 21:48:09 +0000 (22:48 +0100)]
CVE-2020-28014, CVE-2021-27216: PID file handling
Arbitrary PID file creation, clobbering, and deletion.
Patch provided by Qualys.
(cherry picked from commit
974f32939a922512b27d9f0a8a1cb5dec60e7d37)
Heiko Schlittermann (HS12-RIPE) [Wed, 10 Mar 2021 22:37:29 +0000 (23:37 +0100)]
Add priv.c: reworked version of priv dropping code
(cherry picked from commit
82b545236e6dc82b7af34528c532811bfc74ea19)
Heiko Schlittermann (HS12-RIPE) [Sun, 14 Mar 2021 11:16:57 +0000 (12:16 +0100)]
CVE-2020-28008: Assorted attacks in Exim's spool directory
We patch dbfn_open() by introducing two functions priv_drop_temp() and
priv_restore() (inspired by OpenSSH's functions temporarily_use_uid()
and restore_uid()), which temporarily drop and restore root privileges
thanks to seteuid(). This goes against Exim's developers' wishes ("Exim
(the project) doesn't trust seteuid to work reliably") but, to the best
of our knowledge, seteuid() works everywhere and is the only way to
securely fix dbfn_open().
(cherry picked from commit
18da59151dbafa89be61c63580bdb295db36e374)
Jeremy Harris [Thu, 4 Mar 2021 21:19:08 +0000 (22:19 +0100)]
CVE-2020-28019: Failure to reset function pointer after BDAT error
Based on Phil Pennock's commits
4715403e and
151ffd72, and Jeremy
Harris's commits
aa171254 and
9aceb5c2.
(cherry picked from commit
0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)
Heiko Schlittermann (HS12-RIPE) [Wed, 2 Dec 2020 21:28:02 +0000 (22:28 +0100)]
SECURITY: smtp_out: Leave a clean input buffer, even in case of read error
Credits: Qualys
7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
(cherry picked from commit
f7ac5a7d1e817bf60f161e7a1d40b65d66da607f)
Heiko Schlittermann (HS12-RIPE) [Thu, 26 Nov 2020 17:16:59 +0000 (18:16 +0100)]
SECURITY: Avoid modification of constant data
Credits: Qualys
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
(cherry picked from commit
9fce76f56459dde7489eb21ce1ff822e04e10f43)
Heiko Schlittermann (HS12-RIPE) [Wed, 25 Nov 2020 22:19:57 +0000 (23:19 +0100)]
SECURITY: Avoid memory corruption in dkim handling
Credits: Qualys
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
(cherry picked from commit
ea850e27714ccda2090d781ebe89b410bc38c2c6)
Heiko Schlittermann (HS12-RIPE) [Wed, 25 Nov 2020 21:58:58 +0000 (22:58 +0100)]
SECURITY: Avoid decrement of dkim_collect_input if already at 0
Credits: Qualys
5/ receive_msg() calls dkim_exim_verify_finish(), which sets
dkim_collect_input to 0 and calls pdkim_feed_finish(), which calls
pdkim_header_complete(), which decreases dkim_collect_input to UINT_MAX,
which reactivates the DKIM code.
As a result, pdkim_feed() is called again (through receive_getc at the
end of receive_msg()), but functions like pdkim_finish_bodyhash() and
exim_sha_finish() have already been called (in pdkim_feed_finish()).
This suggests a use-after-free.
But it seems that a use-after-free would happen only with
EVP_DigestFinal() (in exim_sha_finish()), which does not seem to be
reachable via DKIM (no SHA3). But we checked OpenSSL only, not GnuTLS.
Here is a proof of concept that triggers the bug (which came very close
to a security vulnerability):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'BDAT 42 LAST'; date >&2; sleep 30; printf 'not a valid header line\r\nDKIM-Signature:\r\nXXX'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print &dkim_collect_input
$2 = (unsigned int *) 0x55e180386d90 <dkim_collect_input>
(gdb) watch *(unsigned int *) 0x55e180386d90
Hardware watchpoint 1: *(unsigned int *) 0x55e180386d90
Old value = 0
New value = 4294967295
#0 0x000055e18031f805 in pdkim_header_complete (ctx=ctx@entry=0x55e181b9e8e0) at pdkim.c:1006
#1 0x000055e18032106c in pdkim_feed_finish (ctx=0x55e181b9e8e0, return_signatures=0x55e180386d78 <dkim_signatures>, err=err@entry=0x7ffe443e1d00) at pdkim.c:1490
#2 0x000055e1802a3280 in dkim_exim_verify_finish () at dkim.c:328
#3 0x000055e1802c9d1d in receive_msg (extract_recip=extract_recip@entry=0) at receive.c:3409
(cherry picked from commit
e3674091056ac05eb7ef1c504accce790c434bd7)
Heiko Schlittermann (HS12-RIPE) [Wed, 25 Nov 2020 21:26:53 +0000 (22:26 +0100)]
SECURITY: Check overrun rcpt_count integer
Credits: Qualys
4/ In src/smtp_in.c:
4966 case RCPT_CMD:
4967 HAD(SCH_RCPT);
4968 rcpt_count++;
....
5123 if (rcpt_count > recipients_max && recipients_max > 0)
In theory this recipients_max check can be bypassed, because the int
rcpt_count can overflow (become negative). In practice this would either
consume too much memory or generate too much network traffic, but maybe
it should be fixed anyway.
(cherry picked from commit
04139ca809fbe56d8fe9c55a77640ea9fa93b8f1)
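The two counter defects described in the commit messages above (dkim_collect_input decremented at 0 and wrapping to UINT_MAX; rcpt_count incremented past INT_MAX and going negative so that the recipients_max check passes) come down to the same missing guard. The following is an added example, not Exim's code, with hypothetical names (guarded_dec, accept_recipient, count_accepted) showing the wrap in isolation and the check-before-modify pattern that prevents it:

```c
/* Added example (not Exim's code): guards for the two counter patterns
 * from the Qualys findings, with hypothetical function names. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Unguarded decrement, for contrast: for unsigned types 0 - 1 is well
 * defined modular arithmetic and yields UINT_MAX, which would "reactivate"
 * a zero-means-off flag such as dkim_collect_input. */
unsigned int unguarded_dec(unsigned int v)
{
    return v - 1;
}

/* Decrement only while above zero (the fix: never go below 0). */
unsigned int guarded_dec(unsigned int v)
{
    return v > 0 ? v - 1 : 0;
}

/* Recipient counting. Exim's original does rcpt_count++ and later tests
 * rcpt_count > recipients_max; a signed int incremented past INT_MAX is
 * undefined behaviour and in practice goes negative, so the later test
 * passes. Here the limit is checked before the increment, and the
 * increment is refused at INT_MAX. recipients_max == 0 means unlimited.
 * Returns true if the recipient was accepted and *count was updated. */
bool accept_recipient(int *count, int recipients_max)
{
    if (*count == INT_MAX)                       /* next ++ would overflow */
        return false;
    if (recipients_max > 0 && *count >= recipients_max)
        return false;                            /* same bound as count+1 > max */
    (*count)++;
    return true;
}

/* Run 'attempts' RCPT commands against a counter starting at 'start';
 * returns how many were accepted. */
int count_accepted(int start, int attempts, int recipients_max)
{
    int count = start, accepted = 0;
    for (int i = 0; i < attempts; i++)
        if (accept_recipient(&count, recipients_max))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("unguarded_dec(0) = %u\n", unguarded_dec(0));   /* UINT_MAX */
    printf("guarded_dec(0)   = %u\n", guarded_dec(0));     /* 0 */
    /* counter one below INT_MAX, no configured limit: exactly one more
     * recipient is accepted, the rest are refused instead of wrapping */
    printf("accepted near INT_MAX: %d\n", count_accepted(INT_MAX - 1, 5, 0));
    printf("accepted with max 3:   %d\n", count_accepted(0, 10, 3));
    return 0;
}
```

The check-before-increment form is what the later "Avoid integer overflow on too many recipients" commit in this log aims at; with a default recipients_max of 50,000 the INT_MAX branch is never reached in normal operation, but it keeps the function correct when the limit is disabled.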
Heiko Schlittermann (HS12-RIPE) [Sat, 21 Nov 2020 21:41:28 +0000 (22:41 +0100)]
SECURITY: Fix safeguard against upward traversal in msglog files.
Credits: Qualys
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.
(cherry picked from commit
742c27f02d83792937dcb1719b380d3dde6228bf)
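The open_msglog_file() excerpt above logs the traversal attempt and then opens the file anyway, which is the point the Qualys note raises. The following added example is not Exim's code; it contrasts the page's substring test with a component walk (hypothetical names has_dotdot_substring, has_dotdot_component, msglog_path_allowed) and shows the caller refusing the open instead of proceeding. The component walk goes beyond the page's check: it also catches a leading "../" and a trailing "/..", which the "/../" substring test does not.

```c
/* Added example (not Exim's code): refusing msglog paths that traverse
 * upward, rather than logging the attempt and opening the file anyway. */
#include <stdbool.h>
#include <string.h>

/* The check as quoted from deliver.c: only an embedded "/../" matches, so
 * "../x" and "a/.." slip through. */
bool has_dotdot_substring(const char *path)
{
    return strstr(path, "/../") != NULL;
}

/* Walk the path one '/'-separated component at a time and report whether
 * any component is exactly "..". "..b" or "a..." are ordinary names. */
bool has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Caller pattern for the fix: decide before touching the filesystem, and
 * return an error (the equivalent of LOG_PANIC_DIE) instead of carrying
 * on to open(). *error is set to a static message when refused. */
bool msglog_path_allowed(const char *path, const char **error)
{
    if (has_dotdot_component(path)) {
        *error = "refusing msglog file path with upward-traversal";
        return false;
    }
    *error = NULL;
    return true;
}
```

A check like this belongs before the open, and its failure must be a hard stop; the original bug is not the weakness of the pattern match but that the function continued after logging.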
Heiko Schlittermann (HS12-RIPE) [Sat, 21 Nov 2020 21:18:56 +0000 (22:18 +0100)]
SECURITY: Don't miss the very last byte when reading long lines from -H
Credits: Qualys
2/ In src/spool_in.c:
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).
(cherry picked from commit
58454ea01c2e817481770954edf09ad82f3cd417)
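The spool_in.c excerpt quoted in this commit message (and again under CVE-2020-28026 earlier in this log) loses one byte each time the line buffer has to grow, because memcpy() is given --len. The following added example, not Exim's code, reproduces the grow-and-continue loop over an in-memory source (hypothetical names src_gets and read_line_growing, with a chop_byte switch that selects the defective or the corrected copy length) so the lost bytes can be seen on constructed input:

```c
/* Added example (not Exim's code): growing a line buffer when a read
 * fills it without reaching '\n'. chop_byte=1 reproduces the --len
 * defect from spool_in.c; chop_byte=0 keeps every byte. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for fgets() over a string so the example runs
 * offline: copies up to size-1 bytes, stops after '\n', NUL-terminates,
 * and returns the position to continue from (NULL at end of input). */
static const char *src_gets(char *buf, size_t size, const char *src)
{
    size_t i = 0;
    if (*src == '\0')
        return NULL;
    while (i < size - 1 && src[i] != '\0') {
        buf[i] = src[i];
        i++;
        if (src[i - 1] == '\n')
            break;
    }
    buf[i] = '\0';
    return src + i;
}

/* Read one logical line starting with a buffer of initial_size bytes,
 * doubling it whenever the buffer is full and does not end in '\n'.
 * Returns a malloc'd string (caller frees) or NULL on error/empty input. */
char *read_line_growing(const char *src, size_t initial_size, int chop_byte)
{
    if (initial_size < 2)
        return NULL;
    size_t size = initial_size;
    char *buf = malloc(size);
    if (!buf)
        return NULL;
    const char *pos = src_gets(buf, size, src);
    if (!pos) { free(buf); return NULL; }

    size_t len;
    while ((len = strlen(buf)) == size - 1 && buf[len - 1] != '\n') {
        size_t nsize = size * 2;
        char *nbuf = malloc(nsize);
        if (!nbuf) { free(buf); return NULL; }
        /* buf[len-1] is known not to be '\n' here, so it is real data:
         * copying len-1 bytes (the --len in the original) discards it */
        size_t keep = chop_byte ? len - 1 : len;
        memcpy(nbuf, buf, keep);
        nbuf[keep] = '\0';
        free(buf);
        buf = nbuf;
        size = nsize;
        pos = src_gets(buf + keep, size - keep, pos); /* continue the line */
        if (!pos)
            break;                                     /* EOF mid-line */
    }
    return buf;
}

int main(void)
{
    const char *line = "abcdefghij\n";   /* constructed 11-byte line */
    char *good = read_line_growing(line, 4, 0);
    char *bad  = read_line_growing(line, 4, 1);
    printf("correct: %s", good);          /* abcdefghij */
    printf("--len  : %s", bad);           /* abdefgij: 'c' and 'h' lost */
    free(good);
    free(bad);
    return 0;
}
```

With a 4-byte starting buffer the buffer grows twice, so the defective variant drops two bytes from the middle of the line; for a spool header line (the -H file) that silently corrupts whatever field spans the boundary, which is why the fix is simply to copy all len bytes.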
Heiko Schlittermann (HS12-RIPE) [Sat, 21 Nov 2020 21:03:03 +0000 (22:03 +0100)]
SECURITY: off-by-one in smtp transport (read response)
Credits: Qualys
1/ In src/transports/smtp.c:
2281 int n = sizeof(sx->buffer);
2282 uschar * rsp = sx->buffer;
2283
2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
This should probably be either:
rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
or:
rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
(not sure which) to avoid an off-by-one.
(cherry picked from commit
d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)
Phil Pennock [Mon, 2 Nov 2020 07:39:38 +0000 (02:39 -0500)]
Start documenting the things we changed incompatibly.
(cherry picked from commit
8dad4da53bad2ed3b29fa6a3b9ef59bfec73dc0e)
Phil Pennock [Mon, 2 Nov 2020 07:23:14 +0000 (02:23 -0500)]
Inline four often-called new functions
The BDAT state switchers should happen so often during SMTP reception that a
compiler hint to inline seems wise.
The length filter checks happen on every start-up, which for Exim is often
enough that I think inlining these is warranted too.
(cherry picked from commit
6e3d0e3f1c8228ef19a3d1ba61f131cef3172ceb)
Jeremy Harris [Sat, 31 Oct 2020 14:36:55 +0000 (14:36 +0000)]
Fixes for compilation
(cherry picked from commit
85a90771a373aaaced64b92d7176a8a310490b9e)
Phil Pennock [Fri, 30 Oct 2020 03:21:36 +0000 (23:21 -0400)]
SECURITY: rework BDAT receive function handling
(cherry picked from commit
dd1b9b753bb7c42df2b8f48d726b82928b67940b)
Phil Pennock [Fri, 30 Oct 2020 02:40:59 +0000 (22:40 -0400)]
SECURITY: fix SMTP verb option parsing
A boundary case in looking for an opening quote before the closing quote could
walk off the front of the buffer.
(cherry picked from commit
515d8d43a18481d23d7cf410b8dc71b4e254ebb8)
Phil Pennock [Fri, 30 Oct 2020 01:48:05 +0000 (21:48 -0400)]
SECURITY: Avoid integer overflow on too many recipients
(cherry picked from commit
323ff55e67b44e95f9d3cfaba155e385aa33c4bd)
Phil Pennock [Fri, 30 Oct 2020 01:38:25 +0000 (21:38 -0400)]
SECURITY: default recipients_max to 50,000
A default of "unlimited" can have unfortunate consequences when people start
putting many millions of recipients on a message.
(cherry picked from commit
1d7780722a66cea8da5fa4ae0775e85d185fbf7e)
Phil Pennock [Fri, 30 Oct 2020 01:30:04 +0000 (21:30 -0400)]
SECURITY: a second negative store guard
(cherry picked from commit
706864e934c70941ce7a327f97b7649a1e5f5556)
Phil Pennock [Fri, 30 Oct 2020 00:49:49 +0000 (20:49 -0400)]
SECURITY: refuse too small store allocations
Negative sizes are definitely bad.
Optimistically, I'm saying that zero is bad too. But perhaps we have something
doing that, expecting to be able to grow. In which case we'll have to amend
this.
(cherry picked from commit
1c9afcec0043e2fb72607b2addb0613763705549)
Phil Pennock [Fri, 30 Oct 2020 00:42:40 +0000 (20:42 -0400)]
SECURITY: fix Qualys CVE-2020-PFPZA
(cherry picked from commit
29d7a8c25f182c91d5d30f124f9e296dce5c018e)
Phil Pennock [Thu, 29 Oct 2020 23:00:51 +0000 (19:00 -0400)]
SECURITY: fix Qualys CVE-2020-PFPSN
(cherry picked from commit
93b6044e1636404f3463f3e1113098742e295542)
Phil Pennock [Thu, 29 Oct 2020 15:47:58 +0000 (11:47 -0400)]
SECURITY: fix Qualys CVE-2020-SLCWD
(cherry picked from commit
bf5f9d56fadf9be8d947f141d31f7e0e8fa63762)
Phil Pennock [Thu, 29 Oct 2020 22:40:37 +0000 (18:40 -0400)]
SECURITY: pick up more argv length checks
(cherry picked from commit
f28a6a502c7973d8844d11d4b0990d4b0359fb3f)
Phil Pennock [Thu, 29 Oct 2020 22:11:35 +0000 (18:11 -0400)]
SECURITY: length limits on many cmdline options
We'll also now abort upon, rather than silently truncate, a driver name
(router, transport, ACL, etc) encountered in the config which is longer than
the 64-char limit.
(cherry picked from commit
ff8bef9ae2370db4a7873fe2ce573a607fe6999f)
Phil Pennock [Fri, 18 Sep 2020 14:25:42 +0000 (10:25 -0400)]
Re-ran the conversion of all DH parameters
I get different results now to those I got before.
Now, using gen_pkcs3 linked against OpenSSL 1.1.1f-1ubuntu2 on Focal Fossa, I
get the results below. The ffdhe2048 value now matches that at
<https://ssl-config.mozilla.org/ffdhe2048.txt>.
I ran the same code yesterday for just the ffdhe2048 item and got code which
seemed to me then to match what was already in the C file. Something hinky is
going on, perhaps with my sanity.
(the commit IDs changed because of heavy rebasing (heiko))
(cherry picked from commit
76ed8115182e2daaadb437ec9655df8000796ec5)
Simon Arlott [Thu, 24 Sep 2020 22:03:14 +0000 (23:03 +0100)]
gen_pkcs3: Terminate string before calling BH_hex2bn()
Signed-off-by: Phil Pennock <pdp@exim.org>
(cherry picked from commit
1cf66e5872d517b620c308af634e4e26e3547f06)
Phil Pennock [Fri, 30 Oct 2020 02:14:45 +0000 (22:14 -0400)]
Default config: reject on too many bad RCPT
An example exploit failed against my system, because I had this sanity guard in
place; it's not a real security fix since a careful attacker could find enough
valid recipients to hit that problem, but it highlights that this is a useful
enough pattern that we should encourage its wider use.
(cherry picked from commit
2a636a39fff29b7c3da1798767a510dfed982a62)
Heiko Schlittermann (HS12-RIPE) [Thu, 18 Mar 2021 06:56:59 +0000 (07:56 +0100)]
Handle SIGINT as we do with SIGTERM
(cherry picked from commit
cdc5c672e1c309294626cd5ed90acdccb05baaa1)
Heiko Schlittermann (HS12-RIPE) [Thu, 18 Mar 2021 06:59:21 +0000 (07:59 +0100)]
Enforce pid_file_path start at "/"
(cherry picked from commit
60f2a8e797d9ebaea1e3eac4ad28ff64e11bab40)
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 16:17:55 +0000 (18:17 +0200)]
testsuite: tidy logs/4520 and confs/4520
This fixed 4520 failure en-passant, but I'm sure it's a timing issue
here (the order of the mainlog output lines didn't exactly match the
logs/4520)
(cherry picked from commit
95306ca61531d9d79c5dac808a5a571158acd29c)
Heiko Schlittermann (HS12-RIPE) [Tue, 16 Mar 2021 22:44:29 +0000 (23:44 +0100)]
Jeremy Harris [Sat, 27 Feb 2021 19:25:26 +0000 (19:25 +0000)]
Docs: fix description of hosts_try_dane. Bug 2704
Cherry-picked from:
725900cda2
Jeremy Harris [Tue, 23 Feb 2021 18:55:33 +0000 (18:55 +0000)]
Build: fix DISABLE_PIPE_CONNECT build. Bug 2703
(cherry picked from commit
a842359f622190904ceccfff1afff021570566eb)
Jeremy Harris [Mon, 22 Feb 2021 21:48:19 +0000 (21:48 +0000)]
Fix list-expansion for various domainlists, having included sublist elements. Bug 2701
(cherry picked from commit
e2be2df5c0760e2b6a7870c88ad486a23f5e4b01)
Jeremy Harris [Sat, 13 Feb 2021 17:26:14 +0000 (17:26 +0000)]
Fix build for platforms not having ulong
(cherry picked from commit
be839a2609381f535f263ed0c459a4ebf3fd5d1d)
Heiko Schlichting [Fri, 19 Feb 2021 11:14:36 +0000 (11:14 +0000)]
Fix weight calculation for socks_proxy. Bug 2694
(cherry picked from commit
83811e3c1b8189c0a725ec53df699730e7767263)
Heiko Schlichting [Fri, 19 Feb 2021 11:11:51 +0000 (11:11 +0000)]
Fix weight calculation for spamd_address. Bug 2694
(cherry picked from commit
6296a393aeab9fecc38916dfcbf1c94d54691650)
Jeremy Harris [Fri, 12 Feb 2021 17:40:28 +0000 (17:40 +0000)]
Fix FreeBSD 13 build
(cherry picked from commit
e8fd2c45ddd6f59f159baaa2c154ced5ce36f3df)
Jeremy Harris [Sat, 6 Feb 2021 22:01:23 +0000 (22:01 +0000)]
Fix handling of server which follows a RCPT 452 with a 250. Bug 26092
(cherry picked from commit
d6870e76cf0b838eab1929e5d5afb486c4e7b448)
Jeremy Harris [Sat, 6 Feb 2021 17:30:37 +0000 (17:30 +0000)]
Fix daemon-SIGHUP on FreeBSD
Cherry-picked from:
beb5d85c7d
Jeremy Harris [Fri, 29 Jan 2021 21:36:15 +0000 (21:36 +0000)]
Testsuite: missing files
Broken-by: 2a57e74079
Jeremy Harris [Fri, 29 Jan 2021 19:54:02 +0000 (19:54 +0000)]
Lookups: fix $local_part_data for a match on a filename list element. Bug 2691
(cherry picked from commit
0c70e694cf1a703798c0778a3236079e1b25c91d)
Jeremy Harris [Tue, 12 Jan 2021 15:36:09 +0000 (15:36 +0000)]
Auths: in plaintext authenticator, fix parsing of consecutive circumflex. Bug 2687
(cherry picked from commit
ca22cc0abe93c28f3d296d99c239413bb0d079c4)
Jeremy Harris [Sat, 9 Jan 2021 13:08:35 +0000 (13:08 +0000)]
Utilities: harden exim_tidydb against corrupt wait-records. Bug 2343
(cherry picked from commit
fc96555ab63243de9d468325aeaaa14cd77b9943)
Jeremy Harris [Sat, 26 Dec 2020 18:55:29 +0000 (18:55 +0000)]
Fix build on GNU/Hurd [supports openat()]. Bug 2608
(cherry picked from commit
5f4ca3541f228b0b9b880406e70342dea5a2a7a9)
Jeremy Harris [Sat, 26 Dec 2020 18:18:33 +0000 (18:18 +0000)]
Fix build warning on 32-bit int platforms. Bug 2678
(cherry picked from commit
abca11df7f354c123b0ff8a9bfb89a669d7742d4)
Jeremy Harris [Wed, 23 Dec 2020 22:35:04 +0000 (22:35 +0000)]
Fix ${listextract } from a tainted list
(cherry picked from commit
942f0be6c2cd3ec8c39ca234a449561d9d3c1075)
Jeremy Harris [Sun, 20 Dec 2020 15:55:59 +0000 (15:55 +0000)]
Fix local delivery delay when combined with remote callout/hold. Bug 2599
(cherry picked from commit
94ecf089d68ac5b85c2a99177a8e4b4d35d5aa2e)
Jeremy Harris [Thu, 17 Dec 2020 09:59:23 +0000 (09:59 +0000)]
Fix the PIPE_CONNECT feature control in the template Makefile, the
default having changed to "included" for 4.93
Broken-by: 81344b40e3
(cherry picked from commit
46694b802ce0302f3c3344be933cc9737d4d4f4c)
Jeremy Harris [Thu, 17 Dec 2020 09:39:59 +0000 (09:39 +0000)]
Remove the X_ prefix from the PIPE_CONNECT SMTP service extension keyword.
(cherry picked from commit
958af3bdb77dc5c190b7f5117c68d2b0acd7b5bc)
Jeremy Harris [Wed, 16 Dec 2020 20:05:07 +0000 (20:05 +0000)]
Fix matching of long addresses. Bug 2677
(cherry picked from commit
183389fae10672e8d5ffb1f14f23a179798f483a)
Jeremy Harris [Sat, 31 Oct 2020 23:58:11 +0000 (23:58 +0000)]
Pass authenticator pubname through spool. Bug 2648
(cherry picked from commit
a75ebe0dcc5faeb915cacb0d9db66d2475789116)
Jeremy Harris [Fri, 30 Oct 2020 13:58:01 +0000 (13:58 +0000)]
LDAP: fix taint-check in server list walk. Bug 2646
(cherry picked from commit
51b611aa81d7ee01243b196abc34a0e2eabd293c)
Richard Clayton [Sat, 12 Sep 2020 21:10:04 +0000 (22:10 +0100)]
eximon: fix FreeBSD build
(cherry picked from commit
ba00bdd4609501dd3ffe187074ff7f8197a9059f)
Jeremy Harris [Thu, 27 Aug 2020 20:15:19 +0000 (21:15 +0100)]
Fix non-TLS build
(cherry picked from commit
b38a477da0a5248ed1d2b7590922c89c6337ec3b)
Jeremy Harris [Sun, 6 Sep 2020 11:15:10 +0000 (12:15 +0100)]
GnuTLS: clear errno before any data i/o op, so error logging does not see stale values
(cherry picked from commit
d52a8ce8499fbb88f4670623df9f52d3e790292b)
Phil Pennock [Fri, 28 Aug 2020 23:58:36 +0000 (19:58 -0400)]
Fix utilities indexing
It looks like there used to be another level of hierarchy here, with all three
of the hints database commands described in one section. They're now distinct
sections in their own right, so fix how they're linked to.
Reported by: Peter Gervai
Part-fixes: 2637
(cherry picked from commit
d79247e6321bd44f4f21bc1234e0424d0fa558eb)
Jeremy Harris [Wed, 26 Aug 2020 22:59:28 +0000 (23:59 +0100)]
Fix non-DANE build
(cherry picked from commit
651946cbf8e3849687332049730e5fa23d42b4b7)
Jeremy Harris [Wed, 26 Aug 2020 22:43:54 +0000 (23:43 +0100)]
DANE: Fix 2 messages from queue case
(cherry picked from commit
b6054898ace169a0e5143117397a4f666a5e7283)
Jeremy Harris [Sun, 23 Aug 2020 16:27:30 +0000 (17:27 +0100)]
Fix non-DANE build
(cherry picked from commit
79b19a30d9fc64a7b7f70928cdefe4f51064280b)
Jeremy Harris [Sun, 23 Aug 2020 14:32:48 +0000 (15:32 +0100)]
DANE: Fix 2-rcpt message, diff domains case. Bug 2265
(cherry picked from commit
99350dede64ad634300ddf15d0d97a81fd75d330)
Jeremy Harris [Wed, 19 Aug 2020 20:09:04 +0000 (21:09 +0100)]
DANE: force SNI to use $domain. Bug 2265
Note: this is not a complete fix for the issue
(cherry picked from commit
7044dd8fd62e215572ecf5a2c7f1bb9581cf6628)
Gavan [Fri, 21 Aug 2020 14:46:01 +0000 (15:46 +0100)]
Taint: fix off-by-one in is_tainted(). Bug 2634
(cherry picked from commit
e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97)
Jeremy Harris [Mon, 24 Aug 2020 19:14:34 +0000 (20:14 +0100)]
Build: ifdef guard for EXPERIMENTAL_QUEUEFILE
(cherry picked from commit
1f5d0a9551205febf6729c7ee36c27626a76b4a4)
Gavan [Fri, 21 Aug 2020 14:46:01 +0000 (15:46 +0100)]
Taint: fix off-by-one in is_tainted(). Bug 2634
(cherry picked from commit
e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97)
Jeremy Harris [Fri, 14 Aug 2020 12:09:53 +0000 (13:09 +0100)]
Fix ${readsocket } eol-replacement. Bug 2630
(cherry picked from commit
7f83b348ccf4cd815e9758ab9ca1012e66324e9d)
Jeremy Harris [Sun, 9 Aug 2020 00:38:00 +0000 (01:38 +0100)]
Fix spelling of local_part_data in docs and debug output
(cherry picked from commit
ccec2d82e2fda6d764f6cd1a9dd21c4f6285b614)
Heiko Schlittermann (HS12-RIPE) [Thu, 16 Jul 2020 21:53:27 +0000 (23:53 +0200)]
debug_print_socket(): output formatting
Heiko Schlittermann (HS12-RIPE) [Thu, 16 Jul 2020 21:45:55 +0000 (23:45 +0200)]
Fix debug_print_socket()
debug_print_socket() crashed on AF_UNIX sockets
Jeremy Harris [Mon, 13 Jul 2020 12:46:14 +0000 (13:46 +0100)]
Taint: fix ACL "spam" condition, to permit tainted name arguments
Follow-on from:
62b2ccce05
(cherry picked from commit
532800c8bf0e4bc2c27739477e70e0d7eef7df21)
Jeremy Harris [Thu, 9 Jul 2020 14:30:55 +0000 (15:30 +0100)]
Fix taint trap in parse_fix_phrase(). Bug 2617
(cherry picked from commit
3c90bbcdc7cf73298156f7bcd5f5e750e7814e72)