Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please shorten the waiting time for the migration of exim4 to testing. This version includes the fix for CVE-2016-9963 (the issue addressed in stable by DSA 3747-1). * Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA physical line limit check for both for SMTP DATA ACL and remote_smtp* transports. Closes: #828801 Also update corresponding NEWS entry. * [lintian] debian/changelog: s/lenght/length/ * Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM information leakage issue CVE-2016-9963. unblock exim4/4.88~RC6-2 TIA, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have different names, permissions or owners.] Files in second .changes but not in first ----------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/0e/6ccd0a87df0978d44e8c56384725977293a6dd.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/41/1af8cce86cb5d33e1bdbb837691965bcf4bbe5.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/46/d0128b00d8487771080db604a216ffe5bbc4c9.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/8b/070c0099a8863f5af9e0dc6b4b8b30c882d5e3.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/a2/748941706aae40a4a467296db62bc5fbc5874e.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/b5/21f3139342b3cc5fefc9d5160d1c609170bdf2.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/bc/5c505fbec14f3a52727df50b7ed9a256a6896a.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/d6/5072ddeb66cc7ad6950e23e0ea5d2ea76f9015.debug Files in first .changes but not in second ----------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/37/68bfb280763a8320ac0cb1b3f5128a6b2f7d50.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/67/180bb423dc99137f0dc7f115e46fa176414b9b.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/71/e8fbf0661a197ef7edf1a50faf9114d0551867.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/76/2c5a67771e75896543d5308d0f31e3a17102b1.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/a0/65508918ffd2a967a51fb0e172d0d85890798c.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/e0/2d1716e0c78e2d1fc27323ec0283c2048e0680.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/f0/aa82f38a765839ff6488981bb29adf9d0c7f4d.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/fc/0f8ff4895d18f4a3647db63921eba5887c1477.debug Control files of package exim4: lines which differ (wdiff format) ----------------------------------------------------------------- Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.39), 
exim4-base (>= [-4.88~RC6-1),-] {+4.88~RC6-2),+} exim4-base (<< [-4.88~RC6-1.1),-] {+4.88~RC6-2.1),+} exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-base: lines which differ (wdiff format) ---------------------------------------------------------------------- Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-config: lines which differ (wdiff format) ------------------------------------------------------------------------ Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-daemon-heavy: lines which differ (wdiff format) ------------------------------------------------------------------------------ Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Build-Ids: [-e02d1716e0c78e2d1fc27323ec0283c2048e0680-] {+a2748941706aae40a4a467296db62bc5fbc5874e+} Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-daemon-light: lines which differ (wdiff format) ------------------------------------------------------------------------------ Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Build-Ids: [-3768bfb280763a8320ac0cb1b3f5128a6b2f7d50-] {+0e6ccd0a87df0978d44e8c56384725977293a6dd+} Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-dbg: lines which differ (wdiff format) --------------------------------------------------------------------- Build-Ids: [-67180bb423dc99137f0dc7f115e46fa176414b9b 71e8fbf0661a197ef7edf1a50faf9114d0551867 762c5a67771e75896543d5308d0f31e3a17102b1 a065508918ffd2a967a51fb0e172d0d85890798c fc0f8ff4895d18f4a3647db63921eba5887c1477-] {+411af8cce86cb5d33e1bdbb837691965bcf4bbe5 
46d0128b00d8487771080db604a216ffe5bbc4c9 8b070c0099a8863f5af9e0dc6b4b8b30c882d5e3 b521f3139342b3cc5fefc9d5160d1c609170bdf2 d65072ddeb66cc7ad6950e23e0ea5d2ea76f9015+} Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-dev: lines which differ (wdiff format) --------------------------------------------------------------------- Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package eximon4: lines which differ (wdiff format) ------------------------------------------------------------------- Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
diff -Nru exim4-4.88~RC6/debian/changelog exim4-4.88~RC6/debian/changelog
--- exim4-4.88~RC6/debian/changelog 2016-12-08 07:19:18.000000000 +0100
+++ exim4-4.88~RC6/debian/changelog 2016-12-22 16:50:21.000000000 +0100
@@ -1,3 +1,15 @@
+exim4 (4.88~RC6-2) unstable; urgency=high
+
+ * Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA
+ physical line limit check for both for SMTP DATA ACL and remote_smtp*
+ transports. Closes: #828801
+ Also update corresponding NEWS entry.
+ * [lintian] debian/changelog: s/lenght/length/
+ * Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM
+ information leakage issue CVE-2016-9963.
+
+ -- Andreas Metzler <ametz...@debian.org> Thu, 22 Dec 2016 16:50:21 +0100
+
 exim4 (4.88~RC6-1) unstable; urgency=low
 
 * New upstream version.
@@ -109,7 +121,7 @@
 expansion. https://bugs.exim.org/show_bug.cgi?id=165
 * Copy information message on rejecting overlong lines in data ACL from upstream example configuration. Closes: #823418
- * Add NEWS entry on line-lenght-limit introduced in 4.87~RC1-1.
+ * Add NEWS entry on line-length-limit introduced in 4.87~RC1-1.
 Closes: 821830
 
 -- Andreas Metzler <ametz...@debian.org> Sun, 08 May 2016 14:03:10 +0200
@@ -3805,7 +3817,7 @@
 - Supports CRL (Certificate Revocation List) (Closes: #229063)
 - exim_dbmbuild does not crash on _very_ long RHS values. (Closes: #231597)
- - route_list does not use a fixed lenght buffer anymore. (Closes: #231979)
+ - route_list does not use a fixed length buffer anymore. (Closes: #231979)
 - An empty tls_verify_certificates file is correctly interpreted as empty list instead of breaking TLS. (Closes: #236478)
 * Korean translation of debconf templates by Changwoo Ryu (Closes: #241499)
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data
--- exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data 2016-12-18 13:59:15.000000000 +0100
@@ -11,9 +11,11 @@
 # Deny if the message contains an overlong line. Per the standards
 # we should never receive one such via SMTP.
 #
+ .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
 deny message = maximum allowed line length is 998 octets, \
 got $max_received_linelength
 condition = ${if > {$max_received_linelength}{998}}
+ .endif
 
 # Deny unless the address list headers are syntactically correct.
 #
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp
--- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2016-12-18 13:59:52.000000000 +0100
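Review bot: The `.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT` guard around the `deny` makes the overlong-line rejection optional, but the comment block directly above it still describes the check as unconditional, so an administrator reading this ACL gets no hint that the macro exists or what setting it gives up. I would extend that comment with `# Define IGNORE_SMTP_LINE_LENGTH_LIMIT to accept such messages anyway; the same macro also removes the matching check in the remote_smtp* transports (see NEWS).` so the trade-off is documented where the check lives. With the macro defined, lines over 998 octets are accepted here and, per the transport hunks in this upload, no longer forced to fail on delivery, so they are relayed onwards as received; that is the intended effect, but it deserves to be stated next to the switch. The deny statement itself is unchanged and still rejects with the existing message, which is fine.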
@@ -9,7 +9,9 @@
 remote_smtp:
 debug_print = "T: remote_smtp for $local_part@$domain"
 driver = smtp
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
 message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
 .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
 hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
 .endif
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost
--- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2016-12-18 14:00:13.000000000 +0100
@@ -12,7 +12,9 @@
 remote_smtp_smarthost:
 debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
 driver = smtp
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
 message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
 hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
 {\
 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
diff -Nru exim4-4.88~RC6/debian/NEWS exim4-4.88~RC6/debian/NEWS
--- exim4-4.88~RC6/debian/NEWS 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/NEWS 2016-12-18 14:04:32.000000000 +0100
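Review bot: The `message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}` line that the new `.ifndef` wraps is a non-obvious trick — a 1-byte limit for any message containing a line longer than 998 octets, so the transport refuses to send it — and it now carries a second layer of indirection with no comment, leaving the reader to reconstruct both the intent and the macro from NEWS. I would put `# Refuse to send out messages with lines over 998 octets (bug 1684) unless IGNORE_SMTP_LINE_LENGTH_LIMIT is defined.` on the line above the `.ifndef`. The identical three lines are added to remote_smtp_smarthost in the next hunk; a short cross-reference in the comment helps the next person changing one transport keep the other in step. The remote_smtp transport definition continues past the end of the hunk.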
@@ -1,9 +1,11 @@
 exim4 (4.87-3) unstable; urgency=medium
 
- Starting with 4.87~RC1-1 exim will not accept messages with physical lines
- longer than 998 characters. Delivery of such RFC-violating message might
- fail and subsequently cause routing errors and loss of legitimate mail.
- See <https://bugs.exim.org/show_bug.cgi?id=1684>.
+ Starting with 4.87~RC1-1 exim will not accept or send out messages with
+ physical lines longer than 998 characters by SMTP DATA. Delivery of such
+ RFC-violating message might fail and subsequently cause routing errors and
+ loss of legitimate mail. See <https://bugs.exim.org/show_bug.cgi?id=1684>.
+ This limit can be disabled by setting the macro
+ IGNORE_SMTP_LINE_LENGTH_LIMIT.
 
 -- Andreas Metzler <ametz...@debian.org> Sun, 08 May 2016 14:03:10 +0200
diff -Nru exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch
--- exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch 1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch 2016-12-18 18:16:03.000000000 +0100
@@ -0,0 +1,73 @@
+From 87cb4a166c47b57df48c2918e47801d77639fbb0 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <j...@wizmail.org>
+Date: Fri, 16 Dec 2016 20:45:44 +0000
+Subject: [PATCH 1/2] Fix DKIM information leakage
+
+
+JH/34 SECURITY: Use proper copy of DATA command in error message.
+ Could leak key material. Remotely exploitable. CVE-2016-9963.
+
+diff --git a/src/dkim.c b/src/dkim.c
+index 3fa11c80..70c9547e 100644
+--- a/src/dkim.c
++++ b/src/dkim.c
+@@ -612,6 +612,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
+ CS dkim_private_key_expanded,
+ PDKIM_ALGO_RSA_SHA256,
+ dkim->dot_stuffed);
++ dkim_private_key_expanded[0] = '\0';
+ pdkim_set_optional(ctx,
+ CS dkim_sign_headers_expanded,
+ NULL,
+diff --git a/src/transports/smtp.c b/src/transports/smtp.c
+index d6ef34ef..a19e85ff 100644
+--- a/src/transports/smtp.c
++++ b/src/transports/smtp.c
+@@ -285,10 +285,11 @@ static uschar *rf_names[] = { US"NEVER", US"SUCCESS", US"FAILURE", US"DELAY" };
+
+ /* Local statics */
+
+-static uschar *smtp_command; /* Points to last cmd for error messages */
+-static uschar *mail_command; /* Points to MAIL cmd for error messages */
+-static BOOL update_waiting; /* TRUE to update the "wait" database */
+-static BOOL pipelining_active; /* current transaction is in pipe mode */
++static uschar *smtp_command; /* Points to last cmd for error messages */
++static uschar *mail_command; /* Points to MAIL cmd for error messages */
++static uschar *data_command = US""; /* Points to DATA cmd for error messages */
++static BOOL update_waiting; /* TRUE to update the "wait" database */
++static BOOL pipelining_active; /* current transaction is in pipe mode */
+
+
+ /*************************************************
+@@ -1390,10 +1391,14 @@ uschar * buffer = tctx->buffer;
+ /* Write SMTP chunk header command */
+
+ if (chunk_size > 0)
++ {
+ if((cmd_count = smtp_write_command(tctx->outblock, FALSE, "BDAT %u%s\r\n",
+ chunk_size,
+ flags & tc_chunk_last ? 
" LAST" : "")
+ ) < 0) return ERROR;
++ if (flags & tc_chunk_last)
++ data_command = string_copy(big_buffer); /* Save for later error message */
++ }
+
+ prev_cmd_count = cmd_count += tctx->cmd_count;
+
+@@ -2512,6 +2517,7 @@ if ( !(peer_offered & PEER_OFFERED_CHUNKING)
+ default: goto RESPONSE_FAILED; /* I/O error, or any MAIL/DATA error */
+ }
+ pipelining_active = FALSE;
++ data_command = string_copy(big_buffer); /* Save for later error message */
+ }
+
+ /* If there were no good recipients (but otherwise there have been no
+@@ -2735,7 +2741,7 @@ else
+ #else
+ "LMTP error after %s: %s",
+ #endif
+- big_buffer, string_printing(buffer));
++ data_command, string_printing(buffer));
+ setflag(addr, af_pass_message); /* Allow message to go to user */
+ if (buffer[0] == '5')
+ addr->transport_return = FAIL;
diff -Nru exim4-4.88~RC6/debian/patches/series exim4-4.88~RC6/debian/patches/series
--- exim4-4.88~RC6/debian/patches/series 2016-11-19 17:39:37.000000000 +0100
+++ exim4-4.88~RC6/debian/patches/series 2016-12-18 18:16:06.000000000 +0100
@@ -8,4 +8,5 @@
 60_convert4r4.dpatch
 67_unnecessaryCopt.diff
 70_remove_exim-users_references.dpatch
+75_Fix-DKIM-information-leakage.patch
 92_CVE-2016-1238.diff
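Review bot: `dkim_private_key_expanded[0] = '\0';` in the dkim.c part of the pulled upstream patch only truncates the expanded private key; the remaining PEM bytes stay in memory after the call that consumed them, so any later reuse of that allocation — the same class of mistake as the CVE itself, where big_buffer still held the key when the error message was built — could still expose it. A full wipe in place of the single-byte truncation, `memset(dkim_private_key_expanded, 0, strlen(CS dkim_private_key_expanded));`, would close that; since this file is a verbatim upstream commit, it is best raised upstream rather than carried as a Debian-local change. In the smtp.c part, `data_command` is a connection-lifetime static that is refreshed only on the DATA path and for the final BDAT chunk, so if the "error after %s" message can be reached for an earlier chunk it would presumably show the command saved for a previous message on the same connection — no longer a leak, but worth a comment on the static saying it is only meaningful after DATA or BDAT LAST has been sent. The loop and functions these inner hunks sit in begin outside the visible patch.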