OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Christoph Schug Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 07-Jan-2005 09:02:41 Branch: HEAD Handle: 2005010708024000 Added files: openpkg-src/exim exim.patch Modified files: openpkg-src/exim exim.conf exim.spec Log: fixed two security issues and typo in config Summary: Revision Changes Path 1.2 +1 -1 openpkg-src/exim/exim.conf 1.1 +127 -0 openpkg-src/exim/exim.patch 1.79 +3 -1 openpkg-src/exim/exim.spec ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/exim/exim.conf ============================================================================ $ cvs diff -u -r1.1 -r1.2 exim.conf --- openpkg-src/exim/exim.conf 24 Jun 2004 12:57:06 -0000 1.1 +++ openpkg-src/exim/exim.conf 7 Jan 2005 08:02:40 -0000 1.2 @@ -68,7 +68,7 @@ dnslookup: driver = dnslookup - domains = ! +all_local_domains + domains = ! +local_domains transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 no_more @@ . patch -p0 <<'@@ .' Index: openpkg-src/exim/exim.patch ============================================================================ $ cvs diff -u -r0 -r1.1 exim.patch --- /dev/null 2005-01-07 09:02:40 +0100 +++ exim.patch 2005-01-07 09:02:41 +0100 @@ -0,0 +1,127 @@ +Security patches regarding two issues discussed at +http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html + +diff -Naur exim-4.43.orig/src/auths/auth-spa.c exim-4.43/src/auths/auth-spa.c +--- exim-4.43.orig/src/auths/auth-spa.c 2004-10-05 10:32:08.000000000 +0200 ++++ exim-4.43/src/auths/auth-spa.c 2005-01-07 08:32:42.000000000 +0100 +@@ -405,7 +405,7 @@ + } + + int +-spa_base64_to_bits (char *out, const char *in) ++spa_base64_to_bits (char *out, int outlength, const char *in) + /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */ + { + int len = 0; +@@ -418,6 +418,8 @@ + + do + { ++ if (len >= outlength) ++ return (-1); + digit1 = in[0]; + if (DECODE64 (digit1) == BAD) + return (-1); +@@ -435,11 +437,15 @@ + ++len; + if (digit3 != '=') + { ++ if (len >= outlength) ++ return (-1); + *out++ = + ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2); + ++len; + if (digit4 != '=') + { ++ if (len >= outlength) ++ return (-1); + *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4); + ++len; + } +diff -Naur exim-4.43.orig/src/auths/auth-spa.h exim-4.43/src/auths/auth-spa.h +--- exim-4.43.orig/src/auths/auth-spa.h 2004-10-05 10:32:08.000000000 +0200 ++++ exim-4.43/src/auths/auth-spa.h 2005-01-07 08:34:06.000000000 +0100 +@@ -10,6 +10,9 @@ + * Samba project (by Andrew Tridgell, Jeremy Allison, and others). + */ + ++/* December 2004: The spa_base64_to_bits() function has no length checking in ++it. I have added a check. PH */ ++ + /* It seems that some systems have existing but different definitions of some + of the following types. I received a complaint about "int16" causing + compilation problems. So I (PH) have renamed them all, to be on the safe side. +@@ -75,7 +78,7 @@ + #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex) + + void spa_bits_to_base64 (unsigned char *, const unsigned char *, int); +-int spa_base64_to_bits(char *, const char *); ++int spa_base64_to_bits(char *, int, const char *); + void spa_build_auth_response (SPAAuthChallenge *challenge, + SPAAuthResponse *response, char *user, char *password); + void spa_build_auth_request (SPAAuthRequest *request, char *user, +diff -Naur exim-4.43.orig/src/auths/spa.c exim-4.43/src/auths/spa.c +--- exim-4.43.orig/src/auths/spa.c 2004-10-05 10:32:08.000000000 +0200 ++++ exim-4.43/src/auths/spa.c 2005-01-07 08:35:39.000000000 +0100 +@@ -133,7 +133,7 @@ + return FAIL; + } + +-if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0) ++if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0) + { + DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in " + "request: %s\n", data); +@@ -153,7 +153,7 @@ + } + + /* dump client response */ +-if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0) ++if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0) + { + DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in " + "response: %s\n", data); +@@ -319,7 +319,7 @@ + /* convert the challenge into the challenge struct */ + DSPA("\n\n%s authenticator: challenge (%s)\n\n", + ablock->name, buffer + 4); +- spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4)); ++ spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4)); + + spa_build_auth_response (&challenge, &response, + CS username, CS password); +diff -Naur exim-4.43.orig/src/host.c exim-4.43/src/host.c +--- exim-4.43.orig/src/host.c 2004-10-05 10:32:08.000000000 +0200 ++++ exim-4.43/src/host.c 2005-01-07 08:28:02.000000000 +0100 +@@ -710,12 +710,18 @@ + + if (*p == ':') p++; + +- /* Split the address into components separated by colons. */ ++ /* Split the address into components separated by colons. The input address ++ is supposed to be checked for syntax. There was a case where this was ++ overlooked; to guard against that happening again, check here and crash if ++ there is a violation. */ + + while (*p != 0) + { + int len = Ustrcspn(p, ":"); + if (len == 0) nulloffset = ci; ++ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, ++ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()", ++ address); + component[ci++] = p; + p += len; + if (*p == ':') p++; +diff -Naur exim-4.43.orig/src/lookups/dnsdb.c exim-4.43/src/lookups/dnsdb.c +--- exim-4.43.orig/src/lookups/dnsdb.c 2004-10-05 10:32:08.000000000 +0200 ++++ exim-4.43/src/lookups/dnsdb.c 2005-01-07 08:28:38.000000000 +0100 +@@ -125,7 +125,7 @@ + /* If the type is PTR, we have to construct the relevant magic lookup + key. This code is now in a separate function. */ + +-if (type == T_PTR) ++if (type == T_PTR && string_is_ip_address(keystring, NULL)) + { + dns_build_reverse(keystring, buffer); + keystring = buffer; @@ . patch -p0 <<'@@ .' Index: openpkg-src/exim/exim.spec ============================================================================ $ cvs diff -u -r1.78 -r1.79 exim.spec --- openpkg-src/exim/exim.spec 1 Jan 2005 10:48:59 -0000 1.78 +++ openpkg-src/exim/exim.spec 7 Jan 2005 08:02:40 -0000 1.79 @@ -34,7 +34,7 @@ Group: Mail License: GPL Version: 4.43 -Release: 20041209 +Release: 20050107 # package options %option with_auth_cram_md5 no @@ -50,6 +50,7 @@ Source1: rc.exim Source2: exim.conf Source3: aliases +Patch0: exim.patch # build information Prefix: %{l_prefix} @@ -98,6 +99,7 @@ %prep %setup -q + %patch -p1 %{l_shtool} subst \ -e 's;STRING_UNKNOWN;"unknown";g' \ src/smtp_in.c @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org