aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAriadne Conill <ariadne@dereferenced.org>2020-07-28 05:44:34 -0600
committerAriadne Conill <ariadne@dereferenced.org>2020-07-28 05:44:34 -0600
commit21bde86bd2793ea75fb3fe315996094eb8c36b82 (patch)
tree0b0aa9f69b64a9111a984d16ce549fc3cd627c85
parent9c83aaa63e87a912480d3ce872e4d4cb7ff1a3d1 (diff)
downloadaports-21bde86bd2793ea75fb3fe315996094eb8c36b82.tar.gz
aports-21bde86bd2793ea75fb3fe315996094eb8c36b82.tar.bz2
aports-21bde86bd2793ea75fb3fe315996094eb8c36b82.tar.xz
community/exim: upgrade to 4.94, drop berkeley db for tdb
-rw-r--r--community/exim/APKBUILD17
-rw-r--r--community/exim/CVE-2020-12783-1.patch81
-rw-r--r--community/exim/CVE-2020-12783-2.patch59
-rw-r--r--community/exim/exim.Makefile2
4 files changed, 8 insertions, 151 deletions
diff --git a/community/exim/APKBUILD b/community/exim/APKBUILD
index 78196a09f2..3f0ec90383 100644
--- a/community/exim/APKBUILD
+++ b/community/exim/APKBUILD
@@ -5,8 +5,8 @@
# Contributor: Jesse Young <jlyo@jlyo.org>
# Maintainer: Jesse Young <jlyo@jlyo.org>
pkgname=exim
-pkgver=4.93
-pkgrel=1
+pkgver=4.94
+pkgrel=0
pkgdesc="Message Transfer Agent"
url="https://www.exim.org/"
arch="all"
@@ -15,7 +15,7 @@ options="!check suid"
pkgusers="$pkgname"
pkggroups="$pkgname mail"
depends="ca-certificates"
-makedepends="bash db-dev gawk libidn-dev libspf2-dev linux-headers
+makedepends="bash tdb-dev gawk libidn-dev libspf2-dev linux-headers
mariadb-connector-c-dev openssl-dev pcre-dev perl postgresql-dev sqlite-dev
"
install="exim.pre-install"
@@ -30,9 +30,6 @@ source="https://ftp.exim.org/pub/exim/exim4/$pkgname-$pkgver.tar.xz
exim.initd
exim.logrotate
exim.gencert
-
- CVE-2020-12783-1.patch
- CVE-2020-12783-2.patch
"
# secfixes:
@@ -129,12 +126,10 @@ cdb() { _mv_ext cdb; }
dbmdb() { _mv_ext dbmdb; }
dnsdb() { _mv_ext dnsdb; }
-sha512sums="556c7fe75042739c3e92346b96c40960680fe2838589add5fad1f69f18600dd9ed128f367627c812051b3a3a1a64e740488d5ce8c198bf87b59fa84ab8a0eb5b exim-4.93.tar.xz
+sha512sums="3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316 exim-4.94.tar.xz
691df92954f015711398350963ea321d143127bc731a985bcacc5364c71b6df84b6c21a2e8dc3cc2048fcd3dd02def3dc8015f4d84dd672f23d5a41348e72dc7 bounce-charset.patch
-fc738995baf4376ca0a73a9a957046b254548071181b25156b549a814aea173206915615569bffacd0156205c737c192265f5839715b0209057cd41beb59abf5 exim.Makefile
+d0a8a009233ff8b5adaa803f190bd3dc177d817c12f373a05fac2535fd7fd6b4d455f9ebfeb812a218b36fca426f94e7975e3401c93e4883f42ef80432f16b6f exim.Makefile
bb6f5ead067af19ace661cc92bcd428da97570aedd1f9dc5b61a34e7e3fb3e028be6c96d51df73353bdfcaf69a3ee053fb03d245f868d63ebf518aa96ec82d66 exim.confd
3769e74a54566362bcdf57c45fbf7d130d7a7529fbc40befce431eef0387df117c71a5b57779c507e30d5b125913b5f26c9d16b17995521a1d94997be6dc3e02 exim.initd
28e748693a6a72d9943fa9c342ff041fe650fa6977f468dee127e845e6c2a91872ce33fb6f5698838906bde3ed92de7a91cdb0349cedc40b806261867e8c06cb exim.logrotate
-abdaf749ed3947a75b997caa300bf9f27ef82760f1854aa4521a9ac0f322f1655b65a375bc7a709259daea88bf93cfab5289997fa8e376fac9a3477f09bab642 exim.gencert
-f2c252a5d3536e384e276e4253d70f4b6c644e4de684df0a03dc7967d66bb517d50eeb8a1387ef5055c6ee8fdd9eb599ed553ffe77472f273848c15cde9937fa CVE-2020-12783-1.patch
-303a888b2ce2097e5f031fc6e6fff410c1246634bee7b8b5749ad99e90f255549faecd56dc2327b24e8fca1a360c10f8a7cdb6a0e39631b273f8f3b786e1e921 CVE-2020-12783-2.patch"
+abdaf749ed3947a75b997caa300bf9f27ef82760f1854aa4521a9ac0f322f1655b65a375bc7a709259daea88bf93cfab5289997fa8e376fac9a3477f09bab642 exim.gencert"
diff --git a/community/exim/CVE-2020-12783-1.patch b/community/exim/CVE-2020-12783-1.patch
deleted file mode 100644
index d292b14034..0000000000
--- a/community/exim/CVE-2020-12783-1.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 6a7edbf6608d10ef0c707c426511e667849518d7 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Tue, 5 May 2020 21:15:34 +0100
-Subject: [PATCH 44/46] Fix SPA authenticator, checking client-supplied data
- before using it. Bug 2571
-
-(cherry picked from commit 57aa14b216432be381b6295c312065b2fd034f86)
----
- doc/ChangeLog | 5 +++++
- src/auths/spa.c | 22 ++++++++++++++++------
- 2 files changed, 21 insertions(+), 6 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index b651b94e7..9c62f8dda 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -107,6 +107,11 @@ JH/40 Fix a memory-handling bug: when a connection carried multiple messages
- stale data could be accessed. Ensure that variable references are
- dropped between messages.
-
-+JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied
-+ by the client was not checked as pointing within response data before
-+ being used. A malicious client could thus cause an out-of-bounds read and
-+ possibly gain authentication. Fix by adding the check.
-+
-
- Exim version 4.93
- -----------------
-diff --git a/src/auths/spa.c b/src/auths/spa.c
-index 97e3b102c..ed9aff23b 100644
---- a/src/auths/spa.c
-+++ b/src/auths/spa.c
-@@ -139,7 +139,7 @@ SPAAuthChallenge challenge;
- SPAAuthResponse response;
- SPAAuthResponse *responseptr = &response;
- uschar msgbuf[2048];
--uschar *clearpass;
-+uschar *clearpass, *s;
-
- /* send a 334, MS Exchange style, and grab the client's request,
- unless we already have it via an initial response. */
-@@ -197,6 +197,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
- int len = SVAL(&responseptr->uUser.len,0)/2;
-
-+ if (p + len*2 >= CS (responseptr+1))
-+ {
-+ DEBUG(D_auth)
-+ debug_printf("auth_spa_server(): bad uUser spec in response\n");
-+ return FAIL;
-+ }
-+
- if (len + 1 >= sizeof(msgbuf)) return FAIL;
- for (i = 0; i < len; ++i)
- {
-@@ -245,14 +252,17 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
-
- /* compare NT hash (LM may not be available) */
-
--if (memcmp(ntRespData,
-- ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
-- 24) == 0)
-- /* success. we have a winner. */
-+s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
-+if (s + 24 >= US (responseptr+1))
- {
-- return auth_check_serv_cond(ablock);
-+ DEBUG(D_auth)
-+ debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
-+ return FAIL;
- }
-
-+if (memcmp(ntRespData, s, 24) == 0)
-+ return auth_check_serv_cond(ablock); /* success. we have a winner. */
-+
- /* Expand server_condition as an authorization check (PH) */
-
- return FAIL;
---
-2.26.2
-
diff --git a/community/exim/CVE-2020-12783-2.patch b/community/exim/CVE-2020-12783-2.patch
deleted file mode 100644
index 7f1e825d95..0000000000
--- a/community/exim/CVE-2020-12783-2.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 5a41d2c2cd2b28a0d1aea21edeaea02bd6db4984 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 6 May 2020 22:31:25 +0100
-Subject: [PATCH 45/46] Rework SPA fix to avoid overflows. Bug 2571
-
-Amends: 6a7edbf660
-(cherry picked from commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0)
----
- src/auths/spa.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/auths/spa.c b/src/auths/spa.c
-index ed9aff23b..4e3aef808 100644
---- a/src/auths/spa.c
-+++ b/src/auths/spa.c
-@@ -140,6 +140,7 @@ SPAAuthResponse response;
- SPAAuthResponse *responseptr = &response;
- uschar msgbuf[2048];
- uschar *clearpass, *s;
-+unsigned off;
-
- /* send a 334, MS Exchange style, and grab the client's request,
- unless we already have it via an initial response. */
-@@ -194,10 +195,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
-
- {
- int i;
-- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
-+ char * p;
- int len = SVAL(&responseptr->uUser.len,0)/2;
-
-- if (p + len*2 >= CS (responseptr+1))
-+ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
-+ || len >= sizeof(responseptr->buffer)/2
-+ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
-+ )
- {
- DEBUG(D_auth)
- debug_printf("auth_spa_server(): bad uUser spec in response\n");
-@@ -252,13 +256,14 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
-
- /* compare NT hash (LM may not be available) */
-
--s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
--if (s + 24 >= US (responseptr+1))
-+off = IVAL(&responseptr->ntResponse.offset,0);
-+if (off >= sizeof(SPAAuthResponse) - 24)
- {
- DEBUG(D_auth)
- debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
- return FAIL;
- }
-+s = (US responseptr) + off;
-
- if (memcmp(ntRespData, s, 24) == 0)
- return auth_check_serv_cond(ablock); /* success. we have a winner. */
---
-2.26.2
-
diff --git a/community/exim/exim.Makefile b/community/exim/exim.Makefile
index c910f7cd7b..f874cb6bbf 100644
--- a/community/exim/exim.Makefile
+++ b/community/exim/exim.Makefile
@@ -71,3 +71,5 @@ USE_OPENSSL_PC=openssl
WITH_CONTENT_SCAN=yes
WITH_OLD_DEMIME=yes
ZCAT_COMMAND=
+USE_TDB=yes
+DBMLIB=-ltdb