Your message dated Thu, 15 Sep 2016 13:42:06 +0000
with message-id <[email protected]>
and subject line Bug#703369: fixed in gnarwl 3.6.dfsg-7
has caused the Debian Bug report #703369,
regarding gnarwl: Address parser fails on '+' and '=' characters in localpart
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
703369: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703369
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnarwl
Version: 3.6.dfsg-6.2
Severity: important
Tags: upstream patch
When the sender address contains a '+' sign (often used with things like VERP,
PVRS, but also Facebook notifications) the parser breaks and drops everything
behind the plus sign, including the sender domain
Mar 18 03:32:22 lxmhs61 postfix-forwarder/qmgr[2877]: 66D1A20035:
from=<[email protected]>, size=12411, nrcpt=3 (queue active)
Mar 18 03:32:22 lxmhs61 gnarwl[16807]: INFO/MAIL sent mail:
localuser@localdomain -> update
Mar 18 03:32:22 lxmhs61 postfix-forwarder/smtp[16241]: 716C62003F:
to=<update@myhostname>, orig_to=<update>, relay=...
As you can see, gnarwl sends to the unqualified "update" address, which on
most systems will get the local domain appended.
The problem is here in src/util.c
157 for(m=0;m<(int)strlen(s);m++) {
158 if (r>-1 && l>-1) {
159 if (m<l || m>r) s[m]='*';
160 }
161 else {
162 if (! ( ((s[m]>47)&&(s[m]<58)) || ((s[m]>63)&&(s[m]<91)) ||
((s[m]>96)&&(s[m]<123)) || s[m]=='.' || s[m]=='-' || s[m]=='_' ) ) s[m]='*';
163 }
164 }
165
166 tmp=splitString(s,1,'*');
167 m=1;
And fortunately, at least for '+' quite easy to fix (patch attached). The
code is most likely still broken, since almost every character can appear
in a mail address if quoted correctly, but '+' (and maybe '=') are quite
commonly used.
I briefly considered dropping everything in the localpart after '+', but
it would be more complicated and I don't see a reason to do so. After all,
the extension delimiter can be anything in today's mailsystems, and
sometimes the extension is necessary to correctly route the answer.
I would consider this Wheezy material, but given the depth of freeze,
the low popcount and the time this behaviour has existed I don't have
much hope. I'm not in a position to do an NMU.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Index: gnarwl/src/util.c
===================================================================
--- gnarwl.orig/src/util.c 2013-03-18 17:39:30.684903663 +0100
+++ gnarwl/src/util.c 2013-03-18 21:44:18.423746197 +0100
@@ -159,7 +159,7 @@
if (m<l || m>r) s[m]='*';
}
else {
- if (! ( ((s[m]>47)&&(s[m]<58)) || ((s[m]>63)&&(s[m]<91)) || ((s[m]>96)&&(s[m]<123)) || s[m]=='.' || s[m]=='-' || s[m]=='_' ) ) s[m]='*';
+ if (! ( ((s[m]>47)&&(s[m]<58)) || ((s[m]>63)&&(s[m]<91)) || ((s[m]>96)&&(s[m]<123)) || s[m]=='.' || s[m]=='-' || s[m]=='_' || s[m]=='+' || s[m]=='=' ) ) s[m]='*';
}
}
--- End Message ---
--- Begin Message ---
Source: gnarwl
Source-Version: 3.6.dfsg-7
We believe that the bug you reported is fixed in the latest version of
gnarwl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated gnarwl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 15 Sep 2016 10:02:01 +0200
Source: gnarwl
Binary: gnarwl
Architecture: source
Version: 3.6.dfsg-7
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
gnarwl - Email autoresponder based on LDAP
Closes: 646812 681211 703369 835325
Changes:
gnarwl (3.6.dfsg-7) unstable; urgency=medium
.
* Adopt package (Closes: #835325)
* switch to debhelper sequencer (compat 9)
* enable hardening by explicitly carrying CFLAGS to make
- disable format security for now, causes build failure
* add Vcs-* fields for push to collab-maint
* drop versioned dependency on adduser from 2005
* bump Standards-Version to 3.9.8.0, no changes necessary
* Fix lintian error in debian/copyright
* Accept '+' and '=' in mailaddresses (Closes: #703369)
* Downgrade phamm-ldap-vacation to Suggests (Closes: #681211)
* Re-add missing pipe symbol in .forward (Closes: #646812)
Checksums-Sha1:
385a34aa622872dde511a36a7d32ef65fac88df6 1868 gnarwl_3.6.dfsg-7.dsc
695b1aa34f8e7e7bba24cc2d07ffed82584095f7 13464 gnarwl_3.6.dfsg-7.debian.tar.xz
Checksums-Sha256:
db83290df124b8c50d8589c5e18990ed0c90bce5aa632fcdcd93531ceb8bc2da 1868
gnarwl_3.6.dfsg-7.dsc
ef977a18c50f98839ad1bfaf3b362548430f8b91edcca364f1261f38f6cd714c 13464
gnarwl_3.6.dfsg-7.debian.tar.xz
Files:
5c9bf532df44adf82a5513c985c2f896 1868 mail optional gnarwl_3.6.dfsg-7.dsc
2293fb9758e036aed5d62e4a626db22c 13464 mail optional
gnarwl_3.6.dfsg-7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJX2pr1AAoJEHdQeeW4ULyT+PoP/Au7+mCWiyEaNiz/OQFGaQw9
C6KGC9GGwn/velUfQ92FMecFvrUUYmyARoeJzeA5ifYHySmbG64dTHsPjed/qeXS
YPZ0GtM3akipWAOsRbpcOW72Ar2sa1X9kqiN+yMkhoAWXKJyO21CmqAGwOlJgQA/
rhobQVLKn5m5D1+GC+kTXGZX1GIHVn4HrS+kEkZaEJCFN2t58Mp8axeMvId3oqJe
hUU54mTnte8QYijRXG4fJSbQ5tQT99p+WJxrTjQM+MkcHS47eZWL6Uw6K7Rs9RNm
Ww9bloZDV7xN8Xw9EOooT8WMvmW0jbAi4y1DRE2rdBIjQoyzQ5ucAfU6eCNp5lEX
jTxSTQ/u0IW+5G9atd3+zFeT/eLGql1qfLlem7n4co+PCu4Xoc9GhIM2FVCLYPL4
83pGCxUDNUBEvMnUcPAWB14oUEUeboja606DK4wggKtisYi4o6UPBh7UA46OUOyA
weR8k8JOyCkWyJMahmy/PJXPY9x2xj3MpKbrtj3Yvtjyq46rI61eA1q0+Ua7DNZ/
WNTnkl/b3S5s3PzWt57ffFWKu5danWIp6xZOHlp2WRSs82bDK2vV8F6RNJ9iITKS
lAaqYRiMY5TRvlnLSue6vcHvRP0BcPPZI5AgEzvKYLIDl5fpu8i2IQDokUVc5YtA
edy4tYPgHhr9HjSf8CMg
=+qBR
-----END PGP SIGNATURE-----
--- End Message ---
