Hi, attached diff updates exim to the version 4.76, which was released ealiert today. 4.76 fixes a rather ugly security issue within the dkim code-path, as such I would like to get this in really fast.
The update to 4.75 that I've sent out a while ago was tested just fine, 4.76 only has the security fix and one other smaller item. The attached diff removes the obsolete diff for log.c and updates the Makefile. Any feedback is welcome. felix
Index: Makefile
===================================================================
RCS file: /data/cvsmirror/src/openbsd/ports/mail/exim/Makefile,v
retrieving revision 1.80
diff -u -r1.80 Makefile
--- Makefile 7 Feb 2011 16:01:26 -0000 1.80
+++ Makefile 9 May 2011 11:21:26 -0000
@@ -3,10 +3,9 @@
CATEGORIES = mail
COMMENT-main = flexible mail transfer agent
COMMENT-eximon = X11 monitor tool for Exim MTA
-VERSION = 4.73
+VERSION = 4.76
DISTNAME = exim-${VERSION}
PKGNAME-main = exim-${VERSION}
-REVISION-main = 0
FULLPKGNAME-eximon = exim-eximon-${VERSION}
FULLPKGPATH-eximon = ${PKGPATH},-eximon
MASTER_SITES = ftp://ftp.exim.org/pub/exim/exim4/ \
Index: distinfo
===================================================================
RCS file: /data/cvsmirror/src/openbsd/ports/mail/exim/distinfo,v
retrieving revision 1.19
diff -u -r1.19 distinfo
--- distinfo 12 Jan 2011 05:45:29 -0000 1.19
+++ distinfo 9 May 2011 11:21:26 -0000
@@ -1,5 +1,5 @@
-MD5 (exim-4.73.tar.gz) = 9j+ymqDEobjJjWlfHIJBdA==
-RMD160 (exim-4.73.tar.gz) = 81TEbqA2h/yXFcXSKMMybxNqtiw=
-SHA1 (exim-4.73.tar.gz) = QaICWyUOISvz1okNxmNu60+gh7k=
-SHA256 (exim-4.73.tar.gz) = C6a4ZdUuQwzapZAyLHwbH4tkrflK1+N04ISQR+982aY=
-SIZE (exim-4.73.tar.gz) = 2051165
+MD5 (exim-4.76.tar.gz) = T8OXDU+7HUlRtbYz3r0NSA==
+RMD160 (exim-4.76.tar.gz) = a8MWCKG8H0OjYtvLkUB/ZvqIwsM=
+SHA1 (exim-4.76.tar.gz) = ExIWRKnf1sBm9l20rWcDo9xDLIo=
+SHA256 (exim-4.76.tar.gz) = mXbJ7+bDBLG/iRoWlZMapdGNw3T3134voIKqx1OyJy0=
+SIZE (exim-4.76.tar.gz) = 2068071
Index: files/Makefile
===================================================================
RCS file: /data/cvsmirror/src/openbsd/ports/mail/exim/files/Makefile,v
retrieving revision 1.13
diff -u -r1.13 Makefile
--- files/Makefile 12 Jan 2011 05:45:29 -0000 1.13
+++ files/Makefile 9 May 2011 11:21:27 -0000
@@ -249,6 +249,19 @@
#------------------------------------------------------------------------------
+# See below for dynamic lookup modules.
+# LOOKUP_MODULE_DIR=/usr/lib/exim/lookups/
+# If not using package management but using this anyway, then think about how
+# you perform upgrades and revert them. You should consider the benefit of
+# embedding the Exim version number into LOOKUP_MODULE_DIR, so that you can
+# maintain two concurrent sets of modules.
+
+# To build a module dynamically, you'll need to define CFLAGS_DYNAMIC for
+# your platform. Eg:
+# CFLAGS_DYNAMIC=-shared -rdynamic
+# CFLAGS_DYNAMIC=-shared -rdynamic -fPIC
+
+#------------------------------------------------------------------------------
# These settings determine which file and database lookup methods are included
# in the binary. See the manual chapter entitled "File and database lookups"
# for discussion. DBM and lsearch (linear search) are included by default. If
@@ -256,6 +269,18 @@
# LOOKUP_DNSDB does *not* refer to general mail routing using the DNS. It is
# for the specialist case of using the DNS as a general database facility (not
# common).
+# If set to "2" instead of "yes" then the corresponding lookup will be
+# built as a module and must be installed into LOOKUP_MODULE_DIR. You need to
+# add -export-dynamic -rdynamic to EXTRALIBS. You may also need to add -ldl to
+# EXTRALIBS so that dlopen() is available to Exim. You need to define
+# LOOKUP_MODULE_DIR above so the exim binary actually loads dynamic lookup
+# modules.
+# Also, instead of adding all the libraries/includes to LOOKUP_INCLUDE and
+# LOOKUP_LIBS, add them to the respective LOOKUP_*_INCLUDE and LOOKUP_*_LIBS
+# (where * is the name as given here in this list). That ensures that only
+# the dynamic library and not the exim binary will be linked against the
+# library.
+# NOTE: LDAP cannot be built as a module!
LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
@@ -503,7 +528,7 @@
#
# As a strictly transient measure to ease migration to 4.73, the
# WHITELIST_D_MACROS value definies a colon-separated list of macro-names
-# which are permitted to be overriden from the command-line which will be
+# which are permitted to be overridden from the command-line which will be
# honoured by the Exim user. So these are macros that can persist to delivery
# time.
# Examples might be -DTLS or -DSPOOL=/some/dir. The values on the
Index: patches/patch-src_log_c
===================================================================
RCS file: patches/patch-src_log_c
diff -N patches/patch-src_log_c
--- patches/patch-src_log_c 7 Feb 2011 16:01:26 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,41 +0,0 @@
-$OpenBSD: patch-src_log_c,v 1.1 2011/02/07 16:01:26 jasper Exp $
-
-Security fix for CVE-2011-0017
-Privilege escalation from exim run-time user to root.
-
-Patch extracted from exim 3.74.
-
---- src/log.c.orig Sun Dec 26 19:17:23 2010
-+++ src/log.c Mon Feb 7 14:11:37 2011
-@@ -361,17 +361,26 @@ are neither exim nor root, creation is not attempted.
-
- else if (euid == root_uid)
- {
-- int status;
-+ int status, rv;
- pid_t pid = fork();
-
- /* In the subprocess, change uid/gid and do the creation. Return 0 from the
-- subprocess on success. There doesn't seem much point in testing for setgid
-- and setuid errors. */
-+ subprocess on success. If we don't check for setuid failures, then the file
-+ can be created as root, so vulnerabilities which cause setuid to fail mean
-+ that the Exim user can use symlinks to cause a file to be opened/created as
-+ root. We always open for append, so can't nuke existing content but it would
-+ still be Rather Bad. */
-
- if (pid == 0)
- {
-- (void)setgid(exim_gid);
-- (void)setuid(exim_uid);
-+ rv = setgid(exim_gid);
-+ if (rv)
-+ die(US"exim: setgid for log-file creation failed, aborting",
-+ US"Unexpected log failure, please try later");
-+ rv = setuid(exim_uid);
-+ if (rv)
-+ die(US"exim: setuid for log-file creation failed, aborting",
-+ US"Unexpected log failure, please try later");
- _exit((create_log(buffer) < 0)? 1 : 0);
- }
-
signature.asc
Description: Digital signature
