Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
This upload is intended to solve several problems. While it's somewhat unusual, since it includes new upstream releases, the upstream changes are very targetted and all things that I believe are appropriate to fix in a stable update: Security: Security: Berkeley DB 2 and later try to read settings from a file DB_CONFIG in the current directory. The Debian security team requested this be fixed in a stable update. Safety: Safety net: append a null byte to vstring buffers, so that C-style string operations won't scribble past the end. Regression corrections (relative to postfix 2.11 in oldstable): Compatibility fix (introduced: Postfix 3.1): some Milter applications do not recognize macros sent as {name} when macros have single-character names. Postfix now sends such macros without {} as it has done historically. Workaround (introduced: Postfix 3.0 20140718): prevent MIME downgrade of Postfix-generated message/delivery status. It's supposed to be 7bit, therefore quoted-printable encoding is not expected. Problem reported by Griff. File: bounce/bounce_notify_util.c. Additionally, there's a packaging fix for a bug that broke multi-instance. Each of these changes is small and self-contained. Due to my recent lack of time for Debian work, the upstream changes have had three months of use with no issues reported on the very active postfix-users mailing list. I have the package built and ready to upload. Scott K
diff -Nru postfix-3.1.4/debian/changelog postfix-3.1.6/debian/changelog --- postfix-3.1.4/debian/changelog 2017-05-21 14:38:07.000000000 -0400 +++ postfix-3.1.6/debian/changelog 2017-09-27 00:59:24.000000000 -0400 @@ -1,3 +1,40 @@ +postfix (3.1.6-0+deb9u1) stretch; urgency=medium + + [Wietse Venema] + + * New Upstream 3.1.5 + - Compatibility fix (introduced: Postfix 3.1): some Milter + applications do not recognize macros sent as {name} when + macros have single-character names. Postfix now sends such + macros without {} as it has done historically. Viktor + Dukhovni. File: milter/milter.c. + - Safety net: append a null byte to vstring buffers, so that + C-style string operations won't scribble past the end. File: + vstring.c. + - Workaround (introduced: Postfix 3.0 20140718): prevent MIME + downgrade of Postfix-generated message/delivery status. + It's supposed to be 7bit, therefore quoted-printable encoding + is not expected. Problem reported by Griff. File: + bounce/bounce_notify_util.c. + * New Upstream 3.1.6 + - Security: Berkeley DB 2 and later try to read settings from + a file DB_CONFIG in the current directory. This undocumented + feature may introduce undisclosed vulnerabilities resulting + in privilege escalation with Postfix set-gid programs + (postdrop, postqueue) before they chdir to the Postfix queue + directory, and with the postmap and postalias commands + depending on whether the user's current directory is writable + by other users. This fix does not change Postfix behavior + for Berkeley DB < 3, but reduces file create performance + for Berkeley DB 3 .. 4.6. File: util/dict_db.c. Closes: #864942 + + [Scott Kitterman] + + * Refresh debian/patches/11_postmap_update.diff + * Use full path to main.cf in postfix-instance-generator. Closes: #873957 + + -- Scott Kitterman <sc...@kitterman.com> Wed, 27 Sep 2017 00:56:28 -0400 + postfix (3.1.4-7) unstable; urgency=medium * Fix use of smtp binary for lmtp service on new installs and bump version diff -Nru postfix-3.1.4/debian/patches/11_postmap_update.diff postfix-3.1.6/debian/patches/11_postmap_update.diff --- postfix-3.1.4/debian/patches/11_postmap_update.diff 2017-05-19 10:50:13.000000000 -0400 +++ postfix-3.1.6/debian/patches/11_postmap_update.diff 2017-09-27 00:26:51.000000000 -0400 @@ -1,7 +1,7 @@ Index: postfix/html/postmap.1.html =================================================================== ---- postfix.orig/html/postmap.1.html 2016-03-01 05:01:20.999356738 -0700 -+++ postfix/html/postmap.1.html 2016-03-01 05:01:20.995356871 -0700 +--- postfix.orig/html/postmap.1.html 2017-09-27 00:26:44.474769942 -0400 ++++ postfix/html/postmap.1.html 2017-09-27 00:26:44.466769942 -0400 @@ -10,7 +10,7 @@ postmap - Postfix lookup table management @@ -24,8 +24,8 @@ instead of the default configuration directory. Index: postfix/man/man1/postmap.1 =================================================================== ---- postfix.orig/man/man1/postmap.1 2016-03-01 05:01:20.999356738 -0700 -+++ postfix/man/man1/postmap.1 2016-03-01 05:01:20.995356871 -0700 +--- postfix.orig/man/man1/postmap.1 2017-09-27 00:26:44.474769942 -0400 ++++ postfix/man/man1/postmap.1 2017-09-27 00:26:44.466769942 -0400 @@ -9,7 +9,7 @@ .na .nf @@ -46,8 +46,8 @@ truncate an existing database. By default, \fBpostmap\fR(1) creates Index: postfix/src/postmap/postmap.c =================================================================== ---- postfix.orig/src/postmap/postmap.c 2016-03-01 05:01:20.999356738 -0700 -+++ postfix/src/postmap/postmap.c 2016-03-01 05:01:20.995356871 -0700 +--- postfix.orig/src/postmap/postmap.c 2017-09-27 00:26:44.474769942 -0400 ++++ postfix/src/postmap/postmap.c 2017-09-27 00:26:44.466769942 -0400 @@ -77,6 +77,8 @@ /* syntax checks anyway. /* .sp @@ -165,8 +165,8 @@ usage(argv[0]); Index: postfix/src/util/dict.h =================================================================== ---- postfix.orig/src/util/dict.h 2016-03-01 05:01:20.999356738 -0700 -+++ postfix/src/util/dict.h 2016-03-01 05:01:20.995356871 -0700 +--- postfix.orig/src/util/dict.h 2017-09-27 00:26:44.474769942 -0400 ++++ postfix/src/util/dict.h 2017-09-27 00:26:44.466769942 -0400 @@ -123,6 +123,7 @@ #define DICT_FLAG_NO_UNAUTH (1<<13) /* disallow unauthenticated data */ #define DICT_FLAG_FOLD_FIX (1<<14) /* case-fold key with fixed-case map */ @@ -177,10 +177,10 @@ #define DICT_FLAG_BULK_UPDATE (1<<17) /* optimize for bulk updates */ Index: postfix/src/util/dict_db.c =================================================================== ---- postfix.orig/src/util/dict_db.c 2016-03-01 05:01:20.999356738 -0700 -+++ postfix/src/util/dict_db.c 2016-03-01 05:01:20.995356871 -0700 -@@ -689,6 +689,12 @@ - msg_fatal("set DB cache size %d: %m", dict_db_cache_size); +--- postfix.orig/src/util/dict_db.c 2017-09-27 00:26:44.474769942 -0400 ++++ postfix/src/util/dict_db.c 2017-09-27 00:26:44.466769942 -0400 +@@ -735,6 +735,12 @@ + msg_panic("db_create null result"); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); + if (dict_flags & DICT_FLAG_UPGRADE) { diff -Nru postfix-3.1.4/debian/postfix-instance-generator postfix-3.1.6/debian/postfix-instance-generator --- postfix-3.1.4/debian/postfix-instance-generator 2017-05-07 23:54:30.000000000 -0400 +++ postfix-3.1.6/debian/postfix-instance-generator 2017-09-27 00:55:57.000000000 -0400 @@ -7,7 +7,7 @@ mkdir -p "$WANTDIR" -if [ -f main.cf ]; then +if [ -f /etc/postfix/main.cf ]; then for NAME in $(postmulti -l -a | awk '{ print $1}'); do ln -s "$SERVICEFILE" "$WANTDIR/postfix@$NAME.service" done diff -Nru postfix-3.1.4/HISTORY postfix-3.1.6/HISTORY --- postfix-3.1.4/HISTORY 2017-01-01 12:49:40.000000000 -0500 +++ postfix-3.1.6/HISTORY 2017-06-13 13:31:40.000000000 -0400 @@ -22317,3 +22317,38 @@ senders with "smtpd_reject_unlisted_recipient = yes" or with reject_unlisted_sender. Stephen R. van den Berg (Mr. procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c. + +20170221 + + Compatibility fix (introduced: Postfix 3.1): some Milter + applications do not recognize macros sent as {name} when + macros have single-character names. Postfix now sends such + macros without {} as it has done historically. Viktor + Dukhovni. File: milter/milter.c. + +20170430 + + Safety net: append a null byte to vstring buffers, so that + C-style string operations won't scribble past the end. File: + vstring.c. + +20170610 + + Workaround (introduced: Postfix 3.0 20140718): prevent MIME + downgrade of Postfix-generated message/delivery status. + It's supposed to be 7bit, therefore quoted-printable encoding + is not expected. Problem reported by Griff. File: + bounce/bounce_notify_util.c. + +20170611 + + Security: Berkeley DB 2 and later try to read settings from + a file DB_CONFIG in the current directory. This undocumented + feature may introduce undisclosed vulnerabilities resulting + in privilege escalation with Postfix set-gid programs + (postdrop, postqueue) before they chdir to the Postfix queue + directory, and with the postmap and postalias commands + depending on whether the user's current directory is writable + by other users. This fix does not change Postfix behavior + for Berkeley DB < 3, but reduces file create performance + for Berkeley DB 3 .. 4.6. File: util/dict_db.c. diff -Nru postfix-3.1.4/src/bounce/bounce_notify_util.c postfix-3.1.6/src/bounce/bounce_notify_util.c --- postfix-3.1.4/src/bounce/bounce_notify_util.c 2015-01-26 15:00:13.000000000 -0500 +++ postfix-3.1.6/src/bounce/bounce_notify_util.c 2017-06-10 14:47:25.000000000 -0400 @@ -637,7 +637,9 @@ (bounce_info->smtputf8 & SMTPUTF8_FLAG_REQUESTED) ? "global-" : ""); /* Fix 20140709: addresses may be 8bit. */ - if (NOT_7BIT_MIME(bounce_info)) + if (NOT_7BIT_MIME(bounce_info) + /* BC Fix 20170610: prevent MIME downgrade of message/delivery-status. */ + && (bounce_info->smtputf8 & SMTPUTF8_FLAG_REQUESTED)) post_mail_fprintf(bounce, "Content-Transfer-Encoding: %s", bounce_info->mime_encoding); diff -Nru postfix-3.1.4/src/global/mail_version.h postfix-3.1.6/src/global/mail_version.h --- postfix-3.1.4/src/global/mail_version.h 2017-01-01 13:01:36.000000000 -0500 +++ postfix-3.1.6/src/global/mail_version.h 2017-06-13 13:36:23.000000000 -0400 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20170101" -#define MAIL_VERSION_NUMBER "3.1.4" +#define MAIL_RELEASE_DATE "20170613" +#define MAIL_VERSION_NUMBER "3.1.6" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -Nru postfix-3.1.4/src/milter/milter.c postfix-3.1.6/src/milter/milter.c --- postfix-3.1.4/src/milter/milter.c 2016-01-23 19:42:19.000000000 -0500 +++ postfix-3.1.6/src/milter/milter.c 2017-02-21 17:32:57.000000000 -0500 @@ -333,18 +333,21 @@ VSTRING *canon_buf = vstring_alloc(20); const char *value; const char *name; + const char *cname; while ((name = mystrtok(&cp, CHARS_COMMA_SP)) != 0) { if (msg_verbose) msg_info("%s: \"%s\"", myname, name); if (*name != '{') /* } */ - name = STR(vstring_sprintf(canon_buf, "{%s}", name)); - if ((value = milters->mac_lookup(name, milters->mac_context)) != 0) { + cname = STR(vstring_sprintf(canon_buf, "{%s}", name)); + else + cname = name; + if ((value = milters->mac_lookup(cname, milters->mac_context)) != 0) { if (msg_verbose) msg_info("%s: result \"%s\"", myname, value); argv_add(argv, name, value, (char *) 0); } else if (milters->macro_defaults != 0 - && (value = htable_find(milters->macro_defaults, name)) != 0) { + && (value = htable_find(milters->macro_defaults, cname)) != 0) { if (msg_verbose) msg_info("%s: using default \"%s\"", myname, value); argv_add(argv, name, value, (char *) 0); diff -Nru postfix-3.1.4/src/util/dict_db.c postfix-3.1.6/src/util/dict_db.c --- postfix-3.1.4/src/util/dict_db.c 2014-12-06 20:35:33.000000000 -0500 +++ postfix-3.1.6/src/util/dict_db.c 2017-06-13 12:15:32.000000000 -0400 @@ -122,6 +122,9 @@ typedef struct { DICT dict; /* generic members */ DB *db; /* open db file */ +#if DB_VERSION_MAJOR > 2 + DB_ENV *dbenv; +#endif #if DB_VERSION_MAJOR > 1 DBC *cursor; /* dict_db_sequence() */ #endif @@ -553,6 +556,9 @@ if (DICT_DB_CLOSE(dict_db->db) < 0) msg_info("close database %s: %m (possible Berkeley DB bug)", dict_db->dict.name); +#if DB_VERSION_MAJOR > 2 + dict_db->dbenv->close(dict_db->dbenv, 0); +#endif if (dict_db->key_buf) vstring_free(dict_db->key_buf); if (dict_db->val_buf) @@ -562,6 +568,44 @@ dict_free(dict); } +#if DB_VERSION_MAJOR > 2 + +/* dict_db_new_env - workaround for undocumented ./DB_CONFIG read */ + +static DB_ENV *dict_db_new_env(const char *db_path) +{ + VSTRING *db_home_buf; + DB_ENV *dbenv; + u_int32_t cache_size_gbytes; + u_int32_t cache_size_bytes; + int ncache; + + if ((errno = db_env_create(&dbenv, 0)) != 0) + msg_fatal("create DB environment: %m"); +#if DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 7) + if ((errno = dbenv->get_cachesize(dbenv, &cache_size_gbytes, + &cache_size_bytes, &ncache)) != 0) + msg_fatal("get DB cache size: %m"); + if (cache_size_gbytes == 0 && cache_size_bytes < dict_db_cache_size) { + if ((errno = dbenv->set_cache_max(dbenv, cache_size_gbytes, + dict_db_cache_size)) != 0) + msg_fatal("set DB max cache size %d: %m", dict_db_cache_size); + if ((errno = dbenv->set_cachesize(dbenv, cache_size_gbytes, + dict_db_cache_size, ncache)) != 0) + msg_fatal("set DB cache size %d: %m", dict_db_cache_size); + } +#endif + /* XXX db_home is also the default directory for the .db file. */ + db_home_buf = vstring_alloc(100); + if ((errno = dbenv->open(dbenv, sane_dirname(db_home_buf, db_path), + DB_INIT_MPOOL | DB_CREATE | DB_PRIVATE, 0)) != 0) + msg_fatal("open DB environment: %m"); + vstring_free(db_home_buf); + return (dbenv); +} + +#endif + /* dict_db_open - open data base */ static DICT *dict_db_open(const char *class, const char *path, int open_flags, @@ -578,6 +622,10 @@ int db_flags; #endif +#if DB_VERSION_MAJOR > 2 + DB_ENV *dbenv; + +#endif /* * Mismatches between #include file and library are a common cause for @@ -681,12 +729,10 @@ db_flags |= DB_CREATE; if (open_flags & O_TRUNC) db_flags |= DB_TRUNCATE; - if ((errno = db_create(&db, 0, 0)) != 0) + if ((errno = db_create(&db, dbenv = dict_db_new_env(db_path), 0)) != 0) msg_fatal("create DB database: %m"); if (db == 0) msg_panic("db_create null result"); - if ((errno = db->set_cachesize(db, 0, dict_db_cache_size, 0)) != 0) - msg_fatal("set DB cache size %d: %m", dict_db_cache_size); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); #if DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ @@ -743,6 +789,9 @@ if (dict_flags & DICT_FLAG_FOLD_FIX) dict_db->dict.fold_buf = vstring_alloc(10); dict_db->db = db; +#if DB_VERSION_MAJOR > 2 + dict_db->dbenv = dbenv; +#endif #if DB_VERSION_MAJOR > 1 dict_db->cursor = 0; #endif diff -Nru postfix-3.1.4/src/util/vstring.c postfix-3.1.6/src/util/vstring.c --- postfix-3.1.4/src/util/vstring.c 2016-02-14 09:26:22.000000000 -0500 +++ postfix-3.1.6/src/util/vstring.c 2017-06-10 17:05:51.000000000 -0400 @@ -280,6 +280,10 @@ #include "vbuf_print.h" #include "vstring.h" +#ifndef SSIZE_T_MAX +#define SSIZE_T_MAX __MAXINT__(ssize_t) +#endif + /* vstring_extend - variable-length string buffer extension policy */ static void vstring_extend(VBUF *bp, ssize_t incr) @@ -299,10 +303,13 @@ * (The tests are redundant as long as mymalloc() and myrealloc() reject * negative length parameters). */ - new_len = bp->len + (bp->len > incr ? bp->len : incr); - if (new_len <= bp->len) + if (bp->len > incr) + incr = bp->len; + if (bp->len > SSIZE_T_MAX - incr - 1) msg_fatal("vstring_extend: length overflow"); - bp->data = (unsigned char *) myrealloc((void *) bp->data, new_len); + new_len = bp->len + incr; + bp->data = (unsigned char *) myrealloc((void *) bp->data, new_len + 1); + bp->data[new_len] = 0; bp->len = new_len; bp->ptr = bp->data + used; bp->cnt = bp->len - used; @@ -342,12 +349,13 @@ { VSTRING *vp; - if (len < 1) + if (len < 1 || len > SSIZE_T_MAX - 1) msg_panic("vstring_alloc: bad length %ld", (long) len); vp = (VSTRING *) mymalloc(sizeof(*vp)); vp->vbuf.flags = 0; vp->vbuf.len = 0; - vp->vbuf.data = (unsigned char *) mymalloc(len); + vp->vbuf.data = (unsigned char *) mymalloc(len + 1); + vp->vbuf.data[len] = 0; vp->vbuf.len = len; VSTRING_RESET(vp); vp->vbuf.data[0] = 0;