Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi, Please unblock the package msmtp. [ Reason ] The version presently in bullseye does not understand lowercase SMTP commands. It violates RFC821 [1] from 1982 and later applicable specs such as RFC5321. [2] [ Impact ] Users of the version in bullseye cannot send emails via SMTP port 25 locally when software sends mixed or lowercase commands. The issue was discovered when sending key expiration reminders to Debian contributors via Python's smtplib [3][4] but probably affects additional programs, modules and libraries. The faulty behavior is further detailed in Bug#985468 [5] and the links provided therein. [6][7] [ Tests ] I personally used the patched version on half a dozen machines since March, and have had no issues with it. [ Risks ] The commit cherry-picked here [8] was accepted by upstream over a year ago. It replaces several instances of 'strcmp' with the case insensitive equivalent 'strcasecmp'. The risk of breakage is probably low. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] The debdiff for the sources is shown at the bottom of this message. For easier perusal I also attached the actual patch. unblock thunderbird/1:78.12.0-1 [1] https://tools.ietf.org/html/rfc821 [2] https://tools.ietf.org/html/rfc5321 [3] https://bugs.debian.org/892058 [4] https://salsa.debian.org/lechner/key-expirations [5] https://bugs.debian.org/985468 [6] https://bugs.python.org/issue29860 [7] https://github.com/marlam/msmtp-mirror/issues/45 [8] https://github.com/marlam/msmtp-mirror/commit/7d2222cfd522efc13fde4df448d834bc6ba2b205 * * * $ debdiff msmtp_1.8.11-2.dsc msmtp_1.8.11-2.1.dsc diff -Nru msmtp-1.8.11/debian/changelog msmtp-1.8.11/debian/changelog --- msmtp-1.8.11/debian/changelog 2020-08-20 07:24:11.000000000 -0700 +++ msmtp-1.8.11/debian/changelog 2021-03-18 09:01:45.000000000 -0700 @@ -1,3 +1,12 @@ +msmtp (1.8.11-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Cherry-pick 7d2222cf from upstream for the bullseye release. Brings + msmtp into conformance with RFC821, which states that "Commands and + replies are not case sensitive." (Closes: #985468) + + -- Felix Lechner <felix.lech...@lease-up.com> Thu, 18 Mar 2021 09:01:45 -0700 + msmtp (1.8.11-2) unstable; urgency=medium * Fix build options to re-enable TLS support via GnuTLS, IDN and SASL. diff -Nru msmtp-1.8.11/debian/patches/7d2222cfd522efc13fde4df448d834bc6ba2b205-adjusted.diff msmtp-1.8.11/debian/patches/7d2222cfd522efc13fde4df448d834bc6ba2b205-adjusted.diff --- msmtp-1.8.11/debian/patches/7d2222cfd522efc13fde4df448d834bc6ba2b205-adjusted.diff 1969-12-31 16:00:00.000000000 -0800 +++ msmtp-1.8.11/debian/patches/7d2222cfd522efc13fde4df448d834bc6ba2b205-adjusted.diff 2021-03-18 09:01:45.000000000 -0700 @@ -0,0 +1,70 @@ +Description: Cherry-pick 7d2222cf from upstream for bullseye, adjusted +Author: Felix Lechner <felix.lech...@lesae-up.com> +Origin: https://github.com/marlam/msmtp-mirror/commit/7d2222cfd522efc13fde4df448d834bc6ba2b205.diff +Bug: https://github.com/marlam/msmtp-mirror/issues/45 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/msmtpd.c ++++ b/src/msmtpd.c +@@ -26,6 +26,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <string.h> ++#include <strings.h> + #include <errno.h> + #include <unistd.h> + #include <signal.h> +@@ -186,18 +187,18 @@ int msmtpd_session(FILE* in, FILE* out, + fprintf(out, "220 localhost ESMTP msmtpd\r\n"); + if (read_smtp_cmd(in, buf, SMTP_BUFSIZE) != 0) + return 1; +- if (strncmp(buf, "EHLO ", 5) != 0 && strncmp(buf, "HELO ", 5) != 0) { ++ if (strncasecmp(buf, "EHLO ", 5) != 0 && strncasecmp(buf, "HELO ", 5) != 0) { + fprintf(out, "500 Expected EHLO or HELO\r\n"); + return 1; + } + fprintf(out, "250 localhost\r\n"); + if (read_smtp_cmd(in, buf, SMTP_BUFSIZE) != 0) + return 1; +- if (strncmp(buf, "MAIL FROM:", 10) != 0 && strcmp(buf, "QUIT") != 0) { ++ if (strncasecmp(buf, "MAIL FROM:", 10) != 0 && strcasecmp(buf, "QUIT") != 0) { + fprintf(out, "500 Expected MAIL FROM:<addr> or QUIT\r\n"); + return 1; + } +- if (strcmp(buf, "QUIT") == 0) { ++ if (strcasecmp(buf, "QUIT") == 0) { + fprintf(out, "221 Bye\r\n"); + return 0; + } +@@ -235,19 +236,19 @@ int msmtpd_session(FILE* in, FILE* out, + return 1; + } + if (!recipient_was_seen) { +- if (strncmp(buf, "RCPT TO:", 8) != 0) { ++ if (strncasecmp(buf, "RCPT TO:", 8) != 0) { + fprintf(out, "500 Expected RCPT TO:<addr>\r\n"); + free(cmd); + return 1; + } + } else { +- if (strncmp(buf, "RCPT TO:", 8) != 0 && strcmp(buf, "DATA") != 0) { ++ if (strncasecmp(buf, "RCPT TO:", 8) != 0 && strcasecmp(buf, "DATA") != 0) { + fprintf(out, "500 Expected RCPT TO:<addr> or DATA\r\n"); + free(cmd); + return 1; + } + } +- if (strcmp(buf, "DATA") == 0) { ++ if (strcasecmp(buf, "DATA") == 0) { + break; + } else { + if (get_addr(buf + 8, addrbuf, 0, &addrlen) != 0) { +@@ -302,7 +303,7 @@ int msmtpd_session(FILE* in, FILE* out, + fprintf(out, "250 Ok, mail was piped\r\n"); + if (read_smtp_cmd(in, buf, SMTP_BUFSIZE) != 0) + return 0; /* ignore missing QUIT */ +- if (strcmp(buf, "QUIT") != 0) { ++ if (strcasecmp(buf, "QUIT") != 0) { + fprintf(out, "500 Expected QUIT\r\n"); + return 1; + } diff -Nru msmtp-1.8.11/debian/patches/series msmtp-1.8.11/debian/patches/series --- msmtp-1.8.11/debian/patches/series 2020-04-23 07:36:12.000000000 -0700 +++ msmtp-1.8.11/debian/patches/series 2021-03-18 09:01:45.000000000 -0700 @@ -1 +1,2 @@ +7d2222cfd522efc13fde4df448d834bc6ba2b205-adjusted.diff fix_typo_manapge
Description: Cherry-pick 7d2222cf from upstream for bullseye, adjusted Author: Felix Lechner <felix.lech...@lesae-up.com> Origin: https://github.com/marlam/msmtp-mirror/commit/7d2222cfd522efc13fde4df448d834bc6ba2b205.diff Bug: https://github.com/marlam/msmtp-mirror/issues/45 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/src/msmtpd.c +++ b/src/msmtpd.c @@ -26,6 +26,7 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <strings.h> #include <errno.h> #include <unistd.h> #include <signal.h> @@ -186,18 +187,18 @@ int msmtpd_session(FILE* in, FILE* out, fprintf(out, "220 localhost ESMTP msmtpd\r\n"); if (read_smtp_cmd(in, buf, SMTP_BUFSIZE) != 0) return 1; - if (strncmp(buf, "EHLO ", 5) != 0 && strncmp(buf, "HELO ", 5) != 0) { + if (strncasecmp(buf, "EHLO ", 5) != 0 && strncasecmp(buf, "HELO ", 5) != 0) { fprintf(out, "500 Expected EHLO or HELO\r\n"); return 1; } fprintf(out, "250 localhost\r\n"); if (read_smtp_cmd(in, buf, SMTP_BUFSIZE) != 0) return 1; - if (strncmp(buf, "MAIL FROM:", 10) != 0 && strcmp(buf, "QUIT") != 0) { + if (strncasecmp(buf, "MAIL FROM:", 10) != 0 && strcasecmp(buf, "QUIT") != 0) { fprintf(out, "500 Expected MAIL FROM:<addr> or QUIT\r\n"); return 1; } - if (strcmp(buf, "QUIT") == 0) { + if (strcasecmp(buf, "QUIT") == 0) { fprintf(out, "221 Bye\r\n"); return 0; } @@ -235,19 +236,19 @@ int msmtpd_session(FILE* in, FILE* out, return 1; } if (!recipient_was_seen) { - if (strncmp(buf, "RCPT TO:", 8) != 0) { + if (strncasecmp(buf, "RCPT TO:", 8) != 0) { fprintf(out, "500 Expected RCPT TO:<addr>\r\n"); free(cmd); return 1; } } else { - if (strncmp(buf, "RCPT TO:", 8) != 0 && strcmp(buf, "DATA") != 0) { + if (strncasecmp(buf, "RCPT TO:", 8) != 0 && strcasecmp(buf, "DATA") != 0) { fprintf(out, "500 Expected RCPT TO:<addr> or DATA\r\n"); free(cmd); return 1; } } - if (strcmp(buf, "DATA") == 0) { + if (strcasecmp(buf, "DATA") == 0) { break; } else { if (get_addr(buf + 8, addrbuf, 0, &addrlen) != 0) { @@ -302,7 +303,7 @@ int msmtpd_session(FILE* in, FILE* out, fprintf(out, "250 Ok, mail was piped\r\n"); if (read_smtp_cmd(in, buf, SMTP_BUFSIZE) != 0) return 0; /* ignore missing QUIT */ - if (strcmp(buf, "QUIT") != 0) { + if (strcasecmp(buf, "QUIT") != 0) { fprintf(out, "500 Expected QUIT\r\n"); return 1; }