--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
Control: affects -1 + src:exim4
User: [email protected]
Usertags: pu

Hello,

after discussion with the security team I would like to fix a couple of
CVEs and, unrelated to that, an interoperability issue via
stable/oldstable uploads:

a) All the CVE fixes from the recent security update 4.99.2:

* CVE-2026-40684 Possible crash with malicious DNS data when using musl
  libc ...
  While we do not use musl libc, it is a small contained patch, so I would
  still prefer to include it.
* CVE-2026-40685 Possible OOB read/write on corrupt JSON in header
  configurations using json operators on invalid externally-provided input
  could trigger heap corruption.
  As far as I understand this also does not hit our binaries, since we do
  not build with JSON lookups enabled. However users can build private
  packages from our sources. One-line change.
* CVE-2026-40686 Possible OOB read with large UTF8 trailing character
  ... Another tiny change, applies to Debian.
* CVE-2026-40687 Possible OOB read/write with SPA authenticator.
  This is client side and needs a hostile/compromised external
  counterpart. This patch is rather big and required some handholding to
  apply.

b) Fix GnuTLS hostname verify of a server certificate with a
zero-length Subject. These are now being handed out by LetsEncrypt; note
that this means they carry no DN (as well as no SN, that having decreed
deprecated in favour of SANs).
This is also a small change and something our DSA would appreciate.
Upstream discussion starts here:
https://lists.exim.org/lurker/message/20260413.184322.ecbabb9e.en.html

TIA, cu Andreas
--
"You people are noisy," Nia said.
I made the gesture of agreement.
diff --git a/debian/changelog b/debian/changelog
index c2007702..9e9b4b3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+exim4 (4.98.2-1+deb13u1) trixie; urgency=medium
+
+ * Fix GnuTLS hostname verify of a server certificate with a zero-length
+ Subject. Patch from upstream GIT master (Closes: #1134984)
+ * Pull CVE-fixes from 4.99.2
+ +CVE-2026-40684 Possible crash with malicious DNS data when using musl
+ libc On systems using musl libc (not glibc) due to an oddity in octal
+ printing it is possible to crash the connection instance when malformed
+ DNS data is present in PTR records.
+ +CVE-2026-40685 Possible OOB read/write on corrupt JSON in header
+ configurations using json operators on invalid externally-provided input
+ could trigger heap corruption.
+ +CVE-2026-40686 Possible OOB read with large UTF8 trailing characters
+ configurations using utf8 operators on malformed utf8 in headers could
+ trigger OOB reads and might trigger some data leak if error messages are
+ required for subsequent emails in the current connection and similar
+ malformed headers are present.
+ +CVE-2026-40687 Possible OOB read/write with SPA authenticator in
+ configurations using the SPA authentication driver to a
+ hostile/compromised external SPA/NTLM connection it is possible to
+ trigger an OOB read/write and crash the connection instance or possibly
+ leak heap data to the instance.
+
+ -- Andreas Metzler <[email protected]> Sat, 02 May 2026 11:31:20 +0200
+
exim4 (4.98.2-1) unstable; urgency=medium
* New upstream version (Basically identical to 4.98,1 + CVE-2025-30232 fix)
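Review bot: The four CVE items in the new 4.98.2-1+deb13u1 entry run each title straight into its description with no separator ("... when using musl libc On systems using musl libc ...", "... trailing characters configurations using utf8 operators ..."), which makes them hard to read in apt-listchanges output. Put the title on its own line or end it with a colon. The entry also does not say which of the four affect the Debian binaries, although the cover mail states that the musl and JSON issues do not; one clause per item would save stable users from having to work that out.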
diff --git a/debian/patches/80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch b/debian/patches/80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch
new file mode 100644
index 00000000..12f06292
--- /dev/null
+++ b/debian/patches/80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch
@@ -0,0 +1,83 @@
+From 371e5210218746e876fd71c888fdb666c85ceb56 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <[email protected]>
+Date: Sun, 19 Apr 2026 15:14:14 +0100
+Subject: [PATCH] GnuTLS: fix hostname verify of server cert for empty Subject.
+ Bug 3215
+
+---
+ doc/ChangeLog | 6 ++++++
+ src/tls-gnu.c | 27 +++++++++++++++++----------
+ 2 files changed, 23 insertions(+), 10 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,15 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file. For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+
++JH/33 Bug 3215: Fix GnuTLS hostname verify of a server certificate with a
++ zero-length Subject. These are now being handed out by LetsEncrypt; note
++ that this means they carry no DN (as well as no SN, that having decreed
++ deprecated in favour of SANs). The $tls_*peerdn variables relating to
++ these certificates will be empty strings.
++
+ JH/07 Bug 3106: Fix coding in SPA authenticator. A macro argument was not
+ properly parenthesized, resulting in a logic error. While the simple
+ fix was provided by Andrew Aitchison, the over-large code block resulting
+ from this macro made me want to replace it with a real function so more
+ extensive rework becamse needed.
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -2265,11 +2265,10 @@ gnutls_protocol_t protocol;
+ gnutls_cipher_algorithm_t cipher;
+ gnutls_kx_algorithm_t kx;
+ gnutls_mac_algorithm_t mac;
+ gnutls_certificate_type_t ct;
+ gnutls_x509_crt_t crt;
+-uschar * dn_buf;
+ size_t sz;
+
+ if (state->have_set_peerdn)
+ return OK;
+ state->have_set_peerdn = TRUE;
+@@ -2387,22 +2386,30 @@ if ((ct = gnutls_certificate_type_get(se
+ rc = import_cert(&cert_list[0], &crt);
+ exim_gnutls_peer_err(US"cert 0");
+
+ state->tlsp->peercert = state->peercert = crt;
+
++state->peerdn = US"";
+ sz = 0;
+-rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
+-if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
++if (!(rc = gnutls_x509_crt_get_dn(crt, NULL, &sz)))
++ { DEBUG(D_tls) debug_printf_indent("TLS: zero-length DN\n"); }
++else if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ { DEBUG(D_tls) debug_printf_indent("TLS: no DN\n"); }
++else
+ {
+- exim_gnutls_peer_err(US"getting size for cert DN failed");
+- return FAIL; /* should not happen */
+- }
+-dn_buf = store_get_perm(sz, GET_TAINTED);
+-rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
+-exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
++ uschar * dn_buf;
++ if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
++ {
++ exim_gnutls_peer_err(US"getting size for cert DN failed");
++ return FAIL; /* should not happen */
++ }
++ dn_buf = store_get_perm(sz, GET_TAINTED);
++ rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
++ exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
+
+-state->peerdn = dn_buf;
++ state->peerdn = dn_buf;
++ }
+
+ return OK;
+ #undef exim_gnutls_peer_err
+ }
+
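Review bot: The two new success branches after `gnutls_x509_crt_get_dn(crt, NULL, &sz)` leave `state->peerdn` as the empty string set by `state->peerdn = US"";`, but nothing in the code says this is deliberate or why both a zero return and `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` need handling; the only explanation is in doc/ChangeLog. A short comment above the assignment, saying that a certificate with an empty Subject is valid and that processing continues with an empty DN, would keep a later cleanup from restoring the `return FAIL` path. Since `have_set_peerdn` is already TRUE at this point, it is also worth confirming that no consumer of `peerdn` treats an empty string as "no peer certificate".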
diff --git a/debian/patches/81-01-Support-musl-libc-dn_expand-oddity.patch b/debian/patches/81-01-Support-musl-libc-dn_expand-oddity.patch
new file mode 100644
index 00000000..ce80c8f2
--- /dev/null
+++ b/debian/patches/81-01-Support-musl-libc-dn_expand-oddity.patch
@@ -0,0 +1,74 @@
+From 628bbaca7672748d941a12e7cd5f0122a4e18c81 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <[email protected]>
+Date: Tue, 28 Apr 2026 14:47:32 +0100
+Subject: [PATCH 1/4] Support musl libc dn_expand oddity
+
+CVE-2026-40684
+---
+ doc/ChangeLog | 16 ++++++++++++++++
+ .../CVE2026-40684.assessment | 12 ++++++++++++
+ src/string.c | 12 ++++++------
+ 3 files changed, 34 insertions(+), 6 deletions(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40684.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,13 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file. For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+
++JH/34 CVE-2026-40684: A crafted DNS record could cause a crash of the Exim
++ process acessing it, when operating with musl libc. This could be the
++ daemon. An Exim using Gnu libc is not affeected.
++
+ JH/33 Bug 3215: Fix GnuTLS hostname verify of a server certificate with a
+ zero-length Subject. These are now being handed out by LetsEncrypt; note
+ that this means they carry no DN (as well as no SN, that having decreed
+ deprecated in favour of SANs). The $tls_*peerdn variables relating to
+ these certificates will be empty strings.
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40684.assessment
+@@ -0,0 +1,12 @@
++CVE2026-40684
++
++Vulnerability conditions
++------------------------
++
++- Exim build/run using musl libc (not gnulibc)
++- Deamon running, accepting connections
++
++Impact
++------
++
++Remote-triggered crash, via crafted PTR record
+--- a/src/string.c
++++ b/src/string.c
+@@ -606,21 +606,21 @@ string_copy_dnsdomain(uschar * s)
+ {
+ uschar * yield;
+ uschar * ss = yield = store_get(Ustrlen(s) + 1, GET_TAINTED); /* always treat as tainted */
+
+ while (*s)
+- {
+ if (*s != '\\')
+ *ss++ = *s++;
+- else if (isdigit(s[1]))
+- {
+- *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
+- s += 4;
++ else if (isdigit(*++s)) /* Apparently, musl libc dn_expand seen doing \DD */
++ { /* and \D also. We can only hope not when a real digit follows. */
++ uschar c = *s++ - '0';
++ if (isdigit(*s)) c = c * 10 + *s++ - '0';
++ if (isdigit(*s)) c = c * 10 + *s++ - '0';
++ *ss++ = c;
+ }
+ else if (*++s)
+ *ss++ = *s++;
+- }
+
+ *ss = 0;
+ return yield;
+ }
+
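Review bot: In the last branch of the `while (*s)` chain, the unchanged `else if (*++s)` now runs after the new `isdigit(*++s)` test has already stepped past the backslash, so as the hunk reads a non-digit escape advances `s` twice. The escaped character itself is skipped and the one after it is copied, and when the backslash is the last byte before the terminator the second increment moves `s` beyond the NUL before it is dereferenced. With the pre-increment moved into the digit test, the final branch should be `else if (*s)`. Separately, `uschar c` accumulates up to three decimal digits, so a value above 255 wraps silently; a comment or a clamp would make the intended behaviour explicit.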
diff --git a/debian/patches/81-02-when-dewrap-only-skip-if-associated-char.patch b/debian/patches/81-02-when-dewrap-only-skip-if-associated-char.patch
new file mode 100644
index 00000000..4816c6e2
--- /dev/null
+++ b/debian/patches/81-02-when-dewrap-only-skip-if-associated-char.patch
@@ -0,0 +1,57 @@
+From 9fdc057e71b87c87a0d3d2288b2810a0efaaba57 Mon Sep 17 00:00:00 2001
+From: Bernard Quatermass <[email protected]>
+Date: Mon, 23 Mar 2026 16:43:51 +0000
+Subject: [PATCH 2/4] when dewrap, only skip \ if associated char
+
+CVE2026-40685
+---
+ doc/ChangeLog | 5 ++++-
+ .../exim-security-2026-04.1/CVE2026-40685.assessment | 11 +++++++++++
+ src/expand.c | 2 +-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40685.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,12 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file. For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+
++BQ/02 CVE-2026-40685: JSON string expansions could, when fed crafted source
++ strings, corrupt the heap.
++
+ JH/34 CVE-2026-40684: A crafted DNS record could cause a crash of the Exim
+ process acessing it, when operating with musl libc. This could be the
+ daemon. An Exim using Gnu libc is not affeected.
+
+ JH/33 Bug 3215: Fix GnuTLS hostname verify of a server certificate with a
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40685.assessment
+@@ -0,0 +1,11 @@
++CVE2026-40685
++
++Vulnerability conditions
++------------------------
++
++- Config uses json operators on externally-provided input
++
++Impact
++------
++
++- Remote-triggered heap corruption
+--- a/src/expand.c
++++ b/src/expand.c
+@@ -2379,11 +2379,11 @@ if (Uskip_whitespace(&p) == *wrap)
+ {
+ s = ++p;
+ wrap++;
+ while (*p)
+ {
+- if (*p == '\\') p++;
++ if (*p == '\\' && *(p+1)) p++;
+ else if (!quotesmode && *p == wrap[-1]) depth++;
+ else if (*p == *wrap)
+ if (depth == 0)
+ {
+ *p = '\0';
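Review bot: The new `&& *(p+1)` guard on the backslash test carries no comment, and the diffstat for this patch lists only doc/ChangeLog, the assessment file and src/expand.c, so nothing pins the behaviour. A one-line comment that a trailing backslash must not step `p` past the terminator, plus a regression test whose wrapped input ends in a lone backslash, would stop the condition from being simplified away later. Note also that when the guard is false the backslash now falls through to the `else if` comparisons against `wrap[-1]` and `*wrap`; that is harmless for the usual bracket and quote wrappers, but worth stating.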
diff --git a/debian/patches/81-03-Expansions-harden-for-malformed-UTF-8.patch b/debian/patches/81-03-Expansions-harden-for-malformed-UTF-8.patch
new file mode 100644
index 00000000..553ad29d
--- /dev/null
+++ b/debian/patches/81-03-Expansions-harden-for-malformed-UTF-8.patch
@@ -0,0 +1,58 @@
+From f2570bde16fb4d4a1242ff363a4c4eecf6372efc Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <[email protected]>
+Date: Mon, 23 Mar 2026 15:10:28 +0000
+Subject: [PATCH 3/4] Expansions: harden for malformed UTF-8
+
+CVE2026-40686
+---
+ doc/ChangeLog | 4 ++++
+ .../exim-security-2026-04.1/CVE2026-40686.assessment | 11 +++++++++++
+ src/expand.c | 2 +-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40686.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,13 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file. For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+
++JH/35 CVE-2026-40686: The ${from_utf8:} expansion operator, fed malformed input,
++ could read into the heap. If the result was used for an SMTP rejection
++ message, data exfiltration would be possible.
++
+ BQ/02 CVE-2026-40685: JSON string expansions could, when fed crafted source
+ strings, corrupt the heap.
+
+ JH/34 CVE-2026-40684: A crafted DNS record could cause a crash of the Exim
+ process acessing it, when operating with musl libc. This could be the
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40686.assessment
+@@ -0,0 +1,11 @@
++CVE2026-40686
++
++Vulnerability conditions
++------------------------
++
++- Config using UTF-8 operations on externally-provided input
++
++Impact
++------
++
++- Heap data exfiltration
+--- a/src/expand.c
++++ b/src/expand.c
+@@ -973,11 +973,11 @@ static int utf8_table2[] = { 0xff, 0x1f,
+ if ((c & 0xc0) == 0xc0) \
+ { \
+ int a = utf8_table1[c & 0x3f]; /* Number of additional bytes */ \
+ int s = 6*a; \
+ c = (c & utf8_table2[a]) << s; \
+- while (a-- > 0) \
++ while (a-- > 0 && *ptr) \
+ { \
+ s -= 6; \
+ c |= (*ptr++ & 0x3f) << s; \
+ } \
+ }
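Review bot: The added `&& *ptr` in the continuation loop stops at a NUL but still accepts any non-zero byte as a continuation byte, and a truncated sequence leaves `c` holding a partially assembled code point with no indication to the caller. Since the macro already masks with `0x3f`, testing `(*ptr & 0xc0) == 0x80` instead of `*ptr` would reject both the terminator and malformed trailing bytes in one check. The guard also assumes the buffer is NUL-terminated; if the macro is ever used on a length-delimited buffer it needs an explicit end pointer.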
diff --git a/debian/patches/81-04-SPA-authenticator-harden-buffer-usage.patch b/debian/patches/81-04-SPA-authenticator-harden-buffer-usage.patch
new file mode 100644
index 00000000..0c2c4c13
--- /dev/null
+++ b/debian/patches/81-04-SPA-authenticator-harden-buffer-usage.patch
@@ -0,0 +1,257 @@
+From 68b963b9f75ca27b38e1c0f8c87037990199f505 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <[email protected]>
+Date: Tue, 10 Mar 2026 21:29:52 +0000
+Subject: [PATCH 4/4] SPA authenticator: harden buffer usage
+
+CVE-2026-40687
+---
+ doc/ChangeLog | 4 +
+ .../CVE2026-40687.assessment | 12 ++
+ src/auths/auth-spa.c | 113 +++---------------
+ src/auths/auth-spa.h | 1 -
+ 4 files changed, 35 insertions(+), 95 deletions(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40687.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,13 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file. For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+
++JH/36 CVE-2026-40687: The spa authenticator used an unitialized buffer, which
++ could result in a leak of data. It also had potential for wrting past the
++ end of static buffers, by choice of data provided by the client.
++
+ JH/35 CVE-2026-40686: The ${from_utf8:} expansion operator, fed malformed input,
+ could read into the heap. If the result was used for an SMTP rejection
+ message, data exfiltration would be possible.
+
+ BQ/02 CVE-2026-40685: JSON string expansions could, when fed crafted source
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40687.assessment
+@@ -0,0 +1,12 @@
++CVE2026-40687
++
++Vulnerability conditions
++------------------------
++
++- Config uses the "spa" authenticator driver
++
++Impact
++------
++
++- Remote-triggered crash (only of connection process, not daemon)
++- Infoleak
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -163,11 +163,10 @@ int main (int argc, char ** argv)
+
+ extern int DEBUGLEVEL;
+
+ #include "../exim.h"
+ #include "auth-spa.h"
+-#include <assert.h>
+
+
+ #ifndef _BYTEORDER_H
+ # define _BYTEORDER_H
+
+@@ -411,10 +410,12 @@ spa_base64_to_bits (char *out, int outle
+ /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
+ {
+ int len = 0;
+ uschar digit1, digit2, digit3, digit4;
+
++memset(out, 0, outlength);
++
+ if (in[0] == '+' && in[1] == ' ')
+ in += 2;
+ if (*in == '\r')
+ return (0);
+
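Review bot: The new `memset(out, 0, outlength);` passes `outlength` straight through, and the truncated hunk header suggests that parameter is an `int`, so a zero or negative value from a caller would be converted to a very large `size_t`. An early `if (outlength <= 0) return 0;` ahead of the memset would make the contract explicit. A brief comment that the zeroing exists so that short or empty input cannot leave stale bytes in the decoded challenge would also tie it to the ChangeLog entry about the uninitialised buffer.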
+@@ -1238,63 +1239,37 @@ spa_string_add(SPAbuf * buffer, size_t o
+ int len = string ? Ustrlen(string) : 0;
+ spa_bytes_add(buffer, off, header, string, len);
+ }
+
+ static uschar *
+-strToUnicode(const uschar * p)
++strToUnicode(const uschar * p, int len)
+ {
+-static uschar buf[1024];
+-size_t l = Ustrlen(p);
+-
+-assert (l * 2 < sizeof buf);
+-
+-for (int i = 0; l--; ) { buf[i++] = *p++; buf[i++] = 0; }
++uschar * buf = store_get(len * 2, p);
++for (int i = 0; len--; ) { buf[i++] = *p++; buf[i++] = 0; }
+ return buf;
+ }
+
+ static void
+ spa_unicode_add_string(SPAbuf * buffer, size_t off, SPAStrHeader * header,
+ const uschar * string)
+ {
+-const uschar * p = string;
+-uschar * b = NULL;
++const uschar * p = string, * b = NULL;
+ int len = 0;
+ if (p)
+ {
+ len = Ustrlen(p);
+- b = US strToUnicode(p);
++ b = strToUnicode(p, len);
+ }
+ spa_bytes_add(buffer, off, header, b, len*2);
+ }
+
+
+-#ifdef notdef
+-
+-#define DumpBuffer(fp, structPtr, header) \
+- dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+-
+-
+-static void
+-dumpRaw (FILE * fp, uschar *buf, size_t len)
++uschar *
++unicodeToString (char * p, size_t len)
+ {
+ int i;
+-
+-for (i = 0; i < len; ++i)
+- fprintf (fp, "%02x ", buf[i]);
+-
+-fprintf (fp, "\n");
+-}
+-
+-#endif
+-
+-char *
+-unicodeToString (char *p, size_t len)
+-{
+-int i;
+-static char buf[1024];
+-
+-assert (len + 1 < sizeof buf);
++uschar * buf = store_get((int)len + 1, p);
+
+ for (i = 0; i < len; ++i)
+ {
+ buf[i] = *p & 0x7f;
+ p += 2;
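Review bot: With the `static` 1024-byte buffers and their `assert` bounds removed, `strToUnicode` and `unicodeToString` now size their allocation purely from the caller-supplied length (`store_get(len * 2, p)` and `store_get((int)len + 1, p)`), so the upper bound is enforced only by whoever calls them. `unicodeToString` is non-static and declared in auth-spa.h, and its `size_t len` is narrowed with an `(int)` cast before the `+ 1`; document the maximum length it expects or reject an out-of-range `len` at the top of the function. The loop `for (i = 0; i < len; ++i)` still compares a signed `int i` against `size_t len`, which is worth tidying while the function is being touched.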
+@@ -1303,89 +1278,37 @@ for (i = 0; i < len; ++i)
+ buf[i] = '\0';
+ return buf;
+ }
+
+ static uschar *
+-toString (char *p, size_t len)
++toString (const char *p, size_t len)
+ {
+-static uschar buf[1024];
+-
+-assert (len + 1 < sizeof buf);
++uschar * buf = store_get((int)len + 1, p);
+
+ memcpy (buf, p, len);
+-buf[len] = 0;
++buf[len] = '\0';
+ return buf;
+ }
+
+ static inline uschar *
+ get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+ {
+-int off = IVAL(&hdr->offset, 0);
+-int len = SVAL(&hdr->len, 0);
+-return off + len < sizeof(SPAAuthChallenge)
+- ? US unicodeToString(CS challenge + off, len/2) : US"";
+-}
++int offset = IVAL(&hdr->offset, 0), len = SVAL(&hdr->len, 0);
+
+-static inline uschar *
+-get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+-{
+-int off = IVAL(&hdr->offset, 0);
+-int len = SVAL(&hdr->len, 0);
+-return off + len < sizeof(SPAAuthChallenge)
+- ? US toString(CS challenge + off, len) : US"";
++return offset + len < sizeof(SPAAuthChallenge)
++ ? unicodeToString(CS challenge + offset, len/2) : US"";
+ }
+
+-#ifdef notdef
+-
+-#define GetUnicodeString(structPtr, header) \
+- unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-
+-#define GetString(structPtr, header) \
+- toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+-
+-void
+-dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
++static uschar *
++get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+ {
+-fprintf (fp, "NTLM Request:\n");
+-fprintf (fp, " Ident = %s\n", request->ident);
+-fprintf (fp, " mType = %d\n", IVAL (&request->msgType, 0));
+-fprintf (fp, " Flags = %08x\n", IVAL (&request->flags, 0));
+-fprintf (fp, " User = %s\n", GetString (request, user));
+-fprintf (fp, " Domain = %s\n", GetString (request, domain));
+-}
++int offset = IVAL(&hdr->offset, 0), len = SVAL(&hdr->len, 0);
+
+-void
+-dumpSmbNtlmAuthChallenge (FILE * fp, SPAAuthChallenge * challenge)
+-{
+-fprintf (fp, "NTLM Challenge:\n");
+-fprintf (fp, " Ident = %s\n", challenge->ident);
+-fprintf (fp, " mType = %d\n", IVAL (&challenge->msgType, 0));
+-fprintf (fp, " Domain = %s\n", GetUnicodeString (challenge, uDomain));
+-fprintf (fp, " Flags = %08x\n", IVAL (&challenge->flags, 0));
+-fprintf (fp, " Challenge = ");
+-dumpRaw (fp, challenge->challengeData, 8);
++return offset + len < sizeof(SPAAuthChallenge)
++ ? toString(CS challenge + offset, len) : US"";
+ }
+
+-void
+-dumpSmbNtlmAuthResponse (FILE * fp, SPAAuthResponse * response)
+-{
+-fprintf (fp, "NTLM Response:\n");
+-fprintf (fp, " Ident = %s\n", response->ident);
+-fprintf (fp, " mType = %d\n", IVAL (&response->msgType, 0));
+-fprintf (fp, " LmResp = ");
+-DumpBuffer (fp, response, lmResponse);
+-fprintf (fp, " NTResp = ");
+-DumpBuffer (fp, response, ntResponse);
+-fprintf (fp, " Domain = %s\n", GetUnicodeString (response, uDomain));
+-fprintf (fp, " User = %s\n", GetUnicodeString (response, uUser));
+-fprintf (fp, " Wks = %s\n", GetUnicodeString (response, uWks));
+-fprintf (fp, " sKey = ");
+-DumpBuffer (fp, response, sessionKey);
+-fprintf (fp, " Flags = %08x\n", IVAL (&response->flags, 0));
+-}
+-#endif
+
+ void
+ spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
+ {
+ uschar * u = string_copy(user);
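Review bot: In `get_challenge_unistr` and `get_challenge_str` the bounds test `offset + len < sizeof(SPAAuthChallenge)` adds two `int` values taken from peer-controlled header fields before comparing with a `size_t`; a negative `offset` is rejected only as a side effect of the unsigned conversion, and the sum itself can overflow first. Writing the check as `offset >= 0 && len >= 0 && (size_t)offset < sizeof(SPAAuthChallenge) && (size_t)len < sizeof(SPAAuthChallenge) - offset` states the intent and avoids the signed addition. The check is also against the size of the structure rather than the number of bytes actually decoded, so it depends on the buffer having been zeroed beforehand; a comment saying so would help. Minor: `get_challenge_str` has gone from `static inline` to `static` while its sibling stays `static inline`.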
+--- a/src/auths/auth-spa.h
++++ b/src/auths/auth-spa.h
+@@ -90,8 +90,8 @@ void spa_build_auth_request (SPAAuthRequ
+ uschar * domain);
+ extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
+ unsigned char * p24);
+ extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
+ unsigned char * p24);
+-extern char *unicodeToString(char *p, size_t len);
++extern uschar *unicodeToString(char *p, size_t len);
+ extern void spa_build_auth_challenge(SPAAuthRequest *, SPAAuthChallenge *);
+
diff --git a/debian/patches/series b/debian/patches/series
index 913aec33..e6eab17f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,4 +13,9 @@
77-Fix-IP-SRR-parsing.-Bug-3124.patch
78_DKIM-fix-verify-of-malformed-header-lines.-Bug-3036.patch
79_Dovecot-fix-protocol-sequence-for-version-2.4.0.patch
+80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch
+81-01-Support-musl-libc-dn_expand-oddity.patch
+81-02-when-dewrap-only-skip-if-associated-char.patch
+81-03-Expansions-harden-for-malformed-UTF-8.patch
+81-04-SPA-authenticator-harden-buffer-usage.patch
90_localscan_dlopen.dpatch
--- End Message ---