[PATCH] Re: OpenSMTPD 7.5.0 RC1

[Tassilo Philipp]

Hi,

while working on the DSN patches mentioned in another thread, I came 
across an oversight in the final ORCPT patch that will be part of 7.5.0.

Find the patch attached - IMHO, this patch should make it into 7.5.0, as 
it's fixing an error writing to a wrong buffer, which could be abused 
(from a cursory review it looks safe as that wrong destination buffer 
big enough, but I haven't checked it thoroughly).


On Fri, Mar 08, 2024 at 11:14:54AM +0100, Omar Polo wrote:
Today we're happy to announce the first release candidate for 
OpenSMTPD 7.5.0 that includes the latest developments on OpenBSD, 
briefly summarized below.  The 7.5.0 stable release will follow the 
OpenBSD release schedule and so will be available in around a month. 
It is our hope that the community will help testing this first 
release candidate and report any issue found.

Tarballs are available on the official mirror or on GitHub:

   https://opensmtpd.org/archives/opensmtpd-7.5.0rc1.tar.gz
   https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/7.5.0rc1

Verify the tarball with signify(1) and the usual public key:

   https://opensmtpd.org/archives/opensmtpd-7.5.0rc1.sum.sig
   https://opensmtpd.org/archives/opensmtpd-20181026.pub


Changelog:

- run LMTP deliveires as the recipient user (again).
- do not execute commands from root's .forward file, nor allow expanding. 
- when an alternate delivery user is provided for a dispatcher, skip
 other users forward files. 
- reject invalid headers that start with blanks.
- relax ORCPT syntax validation.
- use smtpd' table parser in makemap(8) too.
- fix and improve the table(5) file format documentation.
- fixed handling of escaping inside quotes in From, To and Cc headers. 
- fix table lookups of IPv6 address.
- allow to use a key-pair table on various match constraints where only
 list tables were previously allowed. 
- allow inline tables and filter to span over multiple lines.
- enable DSN (Delivery Status Notification) for the implicit socket too. 
- add the `no-dsn' option to `listen on socket' too.

OpenSMTPD-portable specific changes:

- re-add ASR_IPV4_BEFORE_IPV6 compile-time knob to prefer connecting
 to IPv6 instead of IPv4. 
- update asr(3) and imsg with OpenBSD.
- configure: readd -R usage on NetBSD mistakenly dropped in previous
 release.



Thanks,

Omar Polo

--- ./usr.sbin/smtpd/smtp_session.c.orig        2024-03-20 17:27:12.280717000 
+0100
+++ ./usr.sbin/smtpd/smtp_session.c     2024-03-20 17:27:18.240157000 +0100
@@ -2496,7 +2496,7 @@
 
                        if ((p = strchr(opt, ';')) == NULL ||
                            !valid_xtext(p + 1) ||
-                           strlcpy(opt, tx->evp.dsn_orcpt, len) >= len) {
+                           strlcpy(tx->evp.dsn_orcpt, opt, len) >= len) {
                                smtp_reply(tx->session,
                                    "553 ORCPT address syntax error");
                                return;