Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock the following version of bsd-mailx:
bsd-mailx (8.1.2-0.20141216cvs-1) unstable; urgency=high

  * New upstream version from OpenBSD cvs repository. The version consists of:

    - The changes that are part of the following recent stable security update
      by Florian Weimer:

        bsd-mailx (8.1.2-0.20111106cvs-1+deb7u1) wheezy-security; urgency=high
          * Apply OpenBSD patches from Todd Miller:
            + 80-remove_T.patch (remove undocumented/obsolete -T option)
            + 81-minus_f.patch (adjust -f processing)
            + 82-expandaddr.patch (fix CVE-2014-7844)
            + 83-nosendmail.patch (make -- work for option parsing suppression)

    - A simple change in lex.c related to preferring mkostemp(O_CLOEXEC) over
      mkstemp()+fcntl(F_SETFD) and fopen("re") over fopen("r")+fcntl(F_SETFD).

    - A change in fio.c to use glob() to expand filenames. The change however
      is not enabled in the Debian package (i.e. outside of `#ifdef DEBIAN'
      code) as wordexp() function instead has been used in Debian for last
      10 years.

  * Bump Standards-Version to 3.9.6.

 -- Robert Luberda <rob...@debian.org>  Thu, 18 Dec 2014 00:45:40 +0100


I'm attaching the full debdiff to this e-mail.
To make the review easier, please find below the upstream code
differences between
- the previous version (8.1.2-0.20140825cvs-1) with all of Florian's patches
  from wheezy security applied
- and the version I've just uploaded.


diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/fio.c 
bsd-mailx/fio.c
--- bsd-mailx.patches/fio.c     2014-12-17 23:54:58.000000000 +0100
+++ bsd-mailx/fio.c     2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/*     $OpenBSD: fio.c,v 1.33 2014/01/17 18:42:30 okan Exp $   */
+/*     $OpenBSD: fio.c,v 1.34 2014/12/16 18:31:06 millert Exp $        */
 /*     $NetBSD: fio.c,v 1.8 1997/07/07 22:57:55 phil Exp $     */
 
 /*
@@ -37,6 +37,9 @@
 #include <unistd.h>
 #include <paths.h>
 #include <errno.h>
+#ifndef DEBIAN
+#include <glob.h>
+#endif
 #include "extern.h"
 
 #ifdef DEBIAN
@@ -424,17 +427,13 @@
 char *
 expand(char *name)
 {
+#ifndef DEBIAN
+       const int flags = GLOB_BRACE|GLOB_TILDE|GLOB_NOSORT;
+#endif
        char xname[PATHSIZE];
        char cmdbuf[PATHSIZE];          /* also used for file names */
 #ifdef DEBIAN
        wordexp_t p;
-#else
-       pid_t pid;
-       int l;
-       char *cp, *shell;
-       int pivec[2];
-       struct stat sbuf;
-       extern int wait_status;
 #endif
 
        /*
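Review bot: The declarations added for the non-DEBIAN build stop at `flags`, but the glob() switch in the later `@@ -511,47 +510,23 @@` hunk also uses `names` and `match`, and neither is declared in this block. Unless they are declared outside the visible hunks, the `#ifndef DEBIAN` configuration no longer compiles; add `glob_t names;` and `char *match = NULL;` under the same guard. expand()'s body continues past the end of this hunk.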
@@ -511,47 +510,23 @@
 
        }
 #else
// [ RL - note the whole block is not applicable to Debian, as it is
// #else branch for #ifdef DEBIAN ]
-
-       /* XXX - just use glob(3) and env expansion instead? */
-       if (pipe(pivec) < 0) {
-               warn("pipe");
-               return(name);
-       }
-       (void)snprintf(cmdbuf, sizeof(cmdbuf), "echo %s", name);
-       shell = value("SHELL");
-       pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
-       if (pid < 0) {
-               (void)close(pivec[0]);
-               (void)close(pivec[1]);
-               return(NULL);
-       }
-       (void)close(pivec[1]);
-       l = myread(pivec[0], xname, PATHSIZE);
-       if (l < 0)
-               warn("read"); /* report error before errno changes */
-       (void)close(pivec[0]);
-       if (wait_child(pid) < 0 && WIFSIGNALED(wait_status) &&
-           WTERMSIG(wait_status) != SIGPIPE) {
-               fprintf(stderr, "\"%s\": Expansion failed.\n", name);
-               return(NULL);
-       }
-       if (l < 0)
-               return(NULL);
-       if (l == 0) {
+       /* XXX - does not expand enviroment variables. */
+       switch (glob(name, flags, NULL, &names)) {
+       case 0:
+               if (names.gl_pathc == 1)
+                       match = savestr(names.gl_pathv[0]);
+               else
+                       fprintf(stderr, "\"%s\": Ambiguous.\n", name);
+               break;
+       case GLOB_NOSPACE:
+               fprintf(stderr, "\"%s\": Out of memory.\n", name);
+               break;
+       case GLOB_NOMATCH:
                fprintf(stderr, "\"%s\": No match.\n", name);
-               return(NULL);
-       }
-       if (l == PATHSIZE) {
-               fprintf(stderr, "\"%s\": Expansion buffer overflow.\n", name);
-               return(NULL);
-       }
-       xname[l] = '\0';
-       for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
-               ;
-       cp[1] = '\0';
-       if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
-               fprintf(stderr, "\"%s\": Ambiguous.\n", name);
-               return(NULL);
+               break;
+       default:
+               fprintf(stderr, "\"%s\": Expansion failed.\n", name);
+               break;
        }
        return(savestr(xname));
 #endif
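Review bot: In the new `#else` branch the switch stores its result in `match`, yet the unchanged `return(savestr(xname));` after it still returns `xname`, which this branch no longer fills now that the `myread()` into it is removed. As written, every path, including the error cases that only print a message, returns a copy of whatever `xname` happens to hold (possibly uninitialised), and the `glob_t` is never released. The tail should read `globfree(&names);` followed by `return(match);`, so that failures return NULL as the removed code did. The author's annotation says this branch is not built for Debian, so only non-DEBIAN builds of the patched tree are affected; the hunk starts inside expand(), whose earlier body is not visible.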
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/glob.h 
bsd-mailx/glob.h
--- bsd-mailx.patches/glob.h    2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/glob.h    2014-12-18 00:04:44.000000000 +0100
@@ -1,4 +1,4 @@
-/*     $OpenBSD: glob.h,v 1.7 2003/06/03 02:56:11 millert Exp $        */
+/*     $OpenBSD: glob.h,v 1.8 2014/11/24 20:01:43 millert Exp $        */
 /*     $NetBSD: glob.h,v 1.4 1996/06/08 19:48:25 christos Exp $        */
 
 /*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/lex.c 
bsd-mailx/lex.c
--- bsd-mailx.patches/lex.c     2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/lex.c     2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/*     $OpenBSD: lex.c,v 1.37 2014/05/20 01:25:23 guenther Exp $       */
+/*     $OpenBSD: lex.c,v 1.38 2014/10/26 20:38:13 guenther Exp $       */
 /*     $NetBSD: lex.c,v 1.10 1997/05/17 19:55:13 pk Exp $      */
 
 /*
@@ -125,13 +125,11 @@
// [ RL - this is the mkostemp change mentioned in changelog. In case
// you don't like the change, I can make new version with a patch that 
// will revert it ]
        mailsize = fsize(ibuf);
        (void)snprintf(tempname, sizeof(tempname),
            "%s/mail.RxXXXXXXXXXX", tmpdir);
-       if ((fd = mkstemp(tempname)) == -1 ||
+       if ((fd = mkostemp(tempname, O_CLOEXEC)) == -1 ||
            (otf = fdopen(fd, "w")) == NULL)
                err(1, "%s", tempname);
-       (void)fcntl(fileno(otf), F_SETFD, FD_CLOEXEC);
-       if ((itf = fopen(tempname, "r")) == NULL)
+       if ((itf = fopen(tempname, "re")) == NULL)
                err(1, "%s", tempname);
-       (void)fcntl(fileno(itf), F_SETFD, FD_CLOEXEC);
        (void)rm(tempname);
        setptr(ibuf, (off_t)0);
        setmsize(msgCount);
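Review bot: Close-on-exec on both temp-file handles now rests on two non-ISO-C libc features, `mkostemp()` and the `e` mode character of `fopen()`, with no fallback. On a libc that ignores unknown mode characters, `itf` would silently stay inheritable by any child process mail starts later, whereas the removed `fcntl(..., F_SETFD, FD_CLOEXEC)` calls set the flag explicitly. The hunk does not show whether lex.c includes `<fcntl.h>` for `O_CLOEXEC` or is built with `_GNU_SOURCE` so that glibc declares `mkostemp()`; both should be confirmed for the Debian build. A short comment above the calls, e.g. `/* O_CLOEXEC and fopen "e" keep the temp file out of child processes; both are libc extensions */`, would record why the flags are there. The enclosing function begins and ends outside the hunk.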
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/mail.1 
bsd-mailx/mail.1
--- bsd-mailx.patches/mail.1    2014-12-17 23:56:58.000000000 +0100
+++ bsd-mailx/mail.1    2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: mail.1,v 1.65 2014/03/27 13:08:24 jmc Exp $
+.\"    $OpenBSD: mail.1,v 1.70 2014/12/16 18:37:17 millert Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"    @(#)mail.1      8.8 (Berkeley) 4/28/95
 .\"
-.Dd $Mdocdate: March 27 2014 $
+.Dd $Mdocdate: December 16 2014 $
 .Dt MAIL 1
 .Os
 .Sh NAME
@@ -970,6 +970,11 @@
 .Nm mail
 to interpret a period alone on a line as the terminator
 of a message you are sending.
+.It Ar expandaddr
+Causes
+.Nm mail
+to expand message recipient addresses, as explained in the section
+.Sx Recipient address specifications .
 .It Ar hold
 This option is used to hold messages in the system mailbox
 by default.
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/main.c 
bsd-mailx/main.c
--- bsd-mailx.patches/main.c    2014-12-17 23:56:58.000000000 +0100
+++ bsd-mailx/main.c    2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/*     $OpenBSD: main.c,v 1.23 2009/10/27 23:59:40 deraadt Exp $       */
+/*     $OpenBSD: main.c,v 1.26 2014/12/16 18:37:17 millert Exp $       */
 /*     $NetBSD: main.c,v 1.7 1997/05/13 06:15:57 mikel Exp $   */
 
 /*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/names.c 
bsd-mailx/names.c
--- bsd-mailx.patches/names.c   2014-12-17 23:56:12.000000000 +0100
+++ bsd-mailx/names.c   2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/*     $OpenBSD: names.c,v 1.20 2014/08/15 03:51:40 guenther Exp $     */
+/*     $OpenBSD: names.c,v 1.21 2014/12/16 18:36:46 millert Exp $      */
 /*     $NetBSD: names.c,v 1.5 1996/06/08 19:48:32 christos Exp $       */
 
 /*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/quit.c 
bsd-mailx/quit.c
--- bsd-mailx.patches/quit.c    2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/quit.c    2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/*     $OpenBSD: quit.c,v 1.20 2009/10/27 23:59:40 deraadt Exp $       */
+/*     $OpenBSD: quit.c,v 1.21 2014/11/24 20:01:43 millert Exp $       */
 /*     $NetBSD: quit.c,v 1.6 1996/12/28 07:11:07 tls Exp $     */
 
 /*



unblock bsd-mailx/8.1.2-0.20141216cvs-1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (200, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.16-3-686-pae (SMP w/1 CPU core)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Attachment: bsd-mailx_8.1.2-0.20141216cvs-1.debdiff.gz
Description: application/gzip
