Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock the following version of bsd-mailx: bsd-mailx (8.1.2-0.20141216cvs-1) unstable; urgency=high * New upstream version from OpenBSD cvs repository. The version consists of: - The changes that are part of the following recent stable security update by Florian Weimer: bsd-mailx (8.1.2-0.20111106cvs-1+deb7u1) wheezy-security; urgency=high * Apply OpenBSD patches from Todd Miller: + 80-remove_T.patch (remove undocumented/obsolete -T option) + 81-minus_f.patch (adjust -f processing) + 82-expandaddr.patch (fix CVE-2014-7844) + 83-nosendmail.patch (make -- work for option parsing suppression) - A simple change in lex.c related to preferring mkostemp(O_CLOEXEC) over mkstemp()+fcntl(F_SETFD) and fopen("re") over fopen("r")+fcntl(F_SETFD). - A change in fio.c to use glob() to expand filenames. The change however is not enabled in the Debian package (i.e. outside of `#ifdef DEBIAN' code) as wordexp() function instead has been used in Debian for last 10 years. * Bump Standards-Version to 3.9.6. -- Robert Luberda <rob...@debian.org> Thu, 18 Dec 2014 00:45:40 +0100 I'm attaching the full debdiff to this e-mail. To make the review easier please find below the upstream code differencies between - previous version (8.1.2-0.20140825cvs-1) with all Florian's patches from wheezy security applied - and the version I've just uploaded.
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/fio.c bsd-mailx/fio.c
--- bsd-mailx.patches/fio.c 2014-12-17 23:54:58.000000000 +0100
+++ bsd-mailx/fio.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: fio.c,v 1.33 2014/01/17 18:42:30 okan Exp $ */
+/* $OpenBSD: fio.c,v 1.34 2014/12/16 18:31:06 millert Exp $ */
 /* $NetBSD: fio.c,v 1.8 1997/07/07 22:57:55 phil Exp $ */
 
 /*
@@ -37,6 +37,9 @@
 #include <unistd.h>
 #include <paths.h>
 #include <errno.h>
+#ifndef DEBIAN
+#include <glob.h>
+#endif
 #include "extern.h"
 
 #ifdef DEBIAN
@@ -424,17 +427,13 @@
 char *
 expand(char *name)
 {
+#ifndef DEBIAN
+	const int flags = GLOB_BRACE|GLOB_TILDE|GLOB_NOSORT;
+#endif
 	char xname[PATHSIZE];
 	char cmdbuf[PATHSIZE];		/* also used for file names */
 #ifdef DEBIAN
 	wordexp_t p;
-#else
-	pid_t pid;
-	int l;
-	char *cp, *shell;
-	int pivec[2];
-	struct stat sbuf;
-	extern int wait_status;
 #endif
 
 	/*
@@ -511,47 +510,23 @@
 	}
 #else
// [ RL - note the whole block is not applicable to Debian, as it is
// #else branch for #ifdef DEBIAN ]
-
-	/* XXX - just use glob(3) and env expansion instead? */
-	if (pipe(pivec) < 0) {
-		warn("pipe");
-		return(name);
-	}
-	(void)snprintf(cmdbuf, sizeof(cmdbuf), "echo %s", name);
-	shell = value("SHELL");
-	pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
-	if (pid < 0) {
-		(void)close(pivec[0]);
-		(void)close(pivec[1]);
-		return(NULL);
-	}
-	(void)close(pivec[1]);
-	l = myread(pivec[0], xname, PATHSIZE);
-	if (l < 0)
-		warn("read");	/* report error before errno changes */
-	(void)close(pivec[0]);
-	if (wait_child(pid) < 0 && WIFSIGNALED(wait_status) &&
-	    WTERMSIG(wait_status) != SIGPIPE) {
-		fprintf(stderr, "\"%s\": Expansion failed.\n", name);
-		return(NULL);
-	}
-	if (l < 0)
-		return(NULL);
-	if (l == 0) {
+	/* XXX - does not expand enviroment variables. */
+	switch (glob(name, flags, NULL, &names)) {
+	case 0:
+		if (names.gl_pathc == 1)
+			match = savestr(names.gl_pathv[0]);
+		else
+			fprintf(stderr, "\"%s\": Ambiguous.\n", name);
+		break;
+	case GLOB_NOSPACE:
+		fprintf(stderr, "\"%s\": Out of memory.\n", name);
+		break;
+	case GLOB_NOMATCH:
 		fprintf(stderr, "\"%s\": No match.\n", name);
-		return(NULL);
-	}
-	if (l == PATHSIZE) {
-		fprintf(stderr, "\"%s\": Expansion buffer overflow.\n", name);
-		return(NULL);
-	}
-	xname[l] = '\0';
-	for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
-		;
-	cp[1] = '\0';
-	if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
-		fprintf(stderr, "\"%s\": Ambiguous.\n", name);
-		return(NULL);
+		break;
+	default:
+		fprintf(stderr, "\"%s\": Expansion failed.\n", name);
+		break;
 	}
 	return(savestr(xname));
 #endif
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/glob.h bsd-mailx/glob.h
--- bsd-mailx.patches/glob.h 2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/glob.h 2014-12-18 00:04:44.000000000 +0100
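Review bot: The new #else branch collects the glob(3) result in `match`, but the unchanged `return(savestr(xname));` after the switch still hands back `xname`, which nothing on this path writes, and `names` is never released with `globfree(&names)`. The earlier hunk (@@ -424,17 +427,13 @@) adds only `flags` to expand()'s declarations, so `match` and `names` also look undeclared unless they are declared somewhere between the two hunks. Because this branch is compiled out under DEBIAN the build will not report any of this; it only matters if the glob path is ever enabled, where it would return an uninitialized stack buffer as a file name instead of the single match. Suggest replacing the return with `globfree(&names);` / `return(match);` and declaring `char *match = NULL; glob_t names;` next to `flags` in the earlier hunk. expand() begins before this hunk.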
@@ -1,4 +1,4 @@
-/* $OpenBSD: glob.h,v 1.7 2003/06/03 02:56:11 millert Exp $ */
+/* $OpenBSD: glob.h,v 1.8 2014/11/24 20:01:43 millert Exp $ */
 /* $NetBSD: glob.h,v 1.4 1996/06/08 19:48:25 christos Exp $ */
 
 /*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/lex.c bsd-mailx/lex.c
--- bsd-mailx.patches/lex.c 2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/lex.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: lex.c,v 1.37 2014/05/20 01:25:23 guenther Exp $ */
+/* $OpenBSD: lex.c,v 1.38 2014/10/26 20:38:13 guenther Exp $ */
 /* $NetBSD: lex.c,v 1.10 1997/05/17 19:55:13 pk Exp $ */
 
 /*
@@ -125,13 +125,11 @@
// [ RL - this is the mkostemp change mentioned in changelog. In case
// you don't like the change, I can make new version with a patch that
// will revert it ]
 	mailsize = fsize(ibuf);
 	(void)snprintf(tempname, sizeof(tempname), "%s/mail.RxXXXXXXXXXX",
 	    tmpdir);
-	if ((fd = mkstemp(tempname)) == -1 ||
+	if ((fd = mkostemp(tempname, O_CLOEXEC)) == -1 ||
 	    (otf = fdopen(fd, "w")) == NULL)
 		err(1, "%s", tempname);
-	(void)fcntl(fileno(otf), F_SETFD, FD_CLOEXEC);
-	if ((itf = fopen(tempname, "r")) == NULL)
+	if ((itf = fopen(tempname, "re")) == NULL)
 		err(1, "%s", tempname);
-	(void)fcntl(fileno(itf), F_SETFD, FD_CLOEXEC);
 	(void)rm(tempname);
 	setptr(ibuf, (off_t)0);
 	setmsize(msgCount);
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/mail.1 bsd-mailx/mail.1
--- bsd-mailx.patches/mail.1 2014-12-17 23:56:58.000000000 +0100
+++ bsd-mailx/mail.1 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-.\" $OpenBSD: mail.1,v 1.65 2014/03/27 13:08:24 jmc Exp $
+.\" $OpenBSD: mail.1,v 1.70 2014/12/16 18:37:17 millert Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"	@(#)mail.1	8.8 (Berkeley) 4/28/95
 .\"
-.Dd $Mdocdate: March 27 2014 $
+.Dd $Mdocdate: December 16 2014 $
 .Dt MAIL 1
 .Os
 .Sh NAME
@@ -970,6 +970,11 @@ .Nm mail to interpret a period alone on a line as the terminator of a message you are sending. +.It Ar expandaddr +Causes +.Nm mail +to expand message recipient addresses, as explained in the section +.Sx Recipient address specifications . .It Ar hold This option is used to hold messages in the system mailbox by default.
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/main.c bsd-mailx/main.c
--- bsd-mailx.patches/main.c 2014-12-17 23:56:58.000000000 +0100
+++ bsd-mailx/main.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.23 2009/10/27 23:59:40 deraadt Exp $ */
+/* $OpenBSD: main.c,v 1.26 2014/12/16 18:37:17 millert Exp $ */
 /* $NetBSD: main.c,v 1.7 1997/05/13 06:15:57 mikel Exp $ */
 
 /*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/names.c bsd-mailx/names.c
--- bsd-mailx.patches/names.c 2014-12-17 23:56:12.000000000 +0100
+++ bsd-mailx/names.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: names.c,v 1.20 2014/08/15 03:51:40 guenther Exp $ */
+/* $OpenBSD: names.c,v 1.21 2014/12/16 18:36:46 millert Exp $ */
 /* $NetBSD: names.c,v 1.5 1996/06/08 19:48:32 christos Exp $ */
 
 /*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/quit.c bsd-mailx/quit.c
--- bsd-mailx.patches/quit.c 2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/quit.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: quit.c,v 1.20 2009/10/27 23:59:40 deraadt Exp $ */
+/* $OpenBSD: quit.c,v 1.21 2014/11/24 20:01:43 millert Exp $ */
 /* $NetBSD: quit.c,v 1.6 1996/12/28 07:11:07 tls Exp $ */
 
 /*
unblock bsd-mailx/8.1.2-0.20141216cvs-1 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (200, 'testing') Architecture: i386 (i686) Kernel: Linux 3.16-3-686-pae (SMP w/1 CPU core) Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
bsd-mailx_8.1.2-0.20141216cvs-1.debdiff.gz
Description: application/gzip