--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hello,
I would like to fix 803562 in jessie. Exim's MIME checking ACL
(available in exim4-daemon-heavy) was found to not correctly handle
some broken MIME containers. Jessie contains most of the fixes, but
some additional issues were found later.
Debian's default setup does not set either acl_not_smtp_mime nor
acl_smtp_mime and is therefore not affected.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
File lists identical (after any substitutions)
Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>=
0.39), exim4-base (>= [-4.84-8),-] {+4.84-8+deb8u1),+} exim4-base (<<
[-4.84-8.1),-] {+4.84-8+deb8u1.1),+} exim4-daemon-light | exim4-daemon-heavy |
exim4-daemon-custom
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Depends: exim4-base (>= 4.84), libc6 (>= 2.15), libdb5.3, libgnutls-deb0-28 (>=
3.3.0), libldap-2.4-2 (>= 2.4.7), libmysqlclient18 (>= 5.5.24+dfsg-1), libpam0g
(>= 0.99.7.1), libpcre3 (>= 1:8.35), libperl5.20 (>= [-5.20.1),-] {+5.20.2),+}
libpq5, libsasl2-2, libsqlite3-0 (>= 3.5.9), debconf (>= 0.5) | debconf-2.0
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff
format)
----------------------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-daemon-light-dbg: lines which differ (wdiff
format)
----------------------------------------------------------------------------------
Installed-Size: [-2078-] {+2079+}
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
diff -Nru exim4-4.84/debian/changelog exim4-4.84/debian/changelog
--- exim4-4.84/debian/changelog 2015-02-17 18:00:49.000000000 +0100
+++ exim4-4.84/debian/changelog 2015-10-31 13:55:10.000000000 +0100
@@ -1,3 +1,12 @@
+exim4 (4.84-8+deb8u1) jessie; urgency=medium
+
+ * Pull 85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
+ and 86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch from
+ upstream GIT to fixup more MIME ACL related crashes. (Thanks, Lutz
+ Preßler) Closes: #803562
+
+ -- Andreas Metzler <[email protected]> Mon, 26 Oct 2015 17:42:16 +0100
+
exim4 (4.84-8) unstable; urgency=medium
* Pull 83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch and
diff -Nru
exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
---
exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
1970-01-01 01:00:00.000000000 +0100
+++
exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
2015-10-31 13:50:54.000000000 +0100
@@ -0,0 +1,77 @@
+From bf485bf34df3fc2214765497a5552851c6a8977a Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <[email protected]>
+Date: Tue, 30 Dec 2014 20:39:02 +0000
+Subject: [PATCH] Fix crash in mime acl when a parameter is unterminated
+
+Verified-by: Wolfgang Breyha <[email protected]>
+---
+ src/mime.c | 33 +++++++++++----------------------
+ test/confs/4000 | 1 +
+ test/log/4000 | 9 ++++++---
+ test/mail/4000.userx | 36 ++++++++++++++++++++++++++++++++++++
+ test/scripts/4000-scanning/4000 | 27 +++++++++++++++++++++++++++
+ test/stdout/4000 | 11 +++++++++++
+ 6 files changed, 92 insertions(+), 25 deletions(-)
+
+diff --git a/src/mime.c b/src/mime.c
+index a61e9f2..e5fe476 100644
+--- a/src/mime.c
++++ b/src/mime.c
+@@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH:
+ /* found an interesting parameter? */
+ if (strncmpic(mp->name, p, mp->namelen) == 0)
+ {
+- uschar * q = p + mp->namelen;
+- int plen = 0;
+ int size = 0;
+ int ptr = 0;
+
+ /* yes, grab the value and copy to its corresponding expansion
variable */
+- while(*q && *q != ';') /* ; terminates */
+- if (*q == '"')
++ p += mp->namelen;
++ while(*p && *p != ';') /* ; terminates */
++ if (*p == '"')
+ {
+- q++; /* skip leading " */
+- plen++; /* and account for the skip */
+- while(*q && *q != '"') /* " protects ; */
+- {
+- param_value = string_cat(param_value, &size, &ptr, q++, 1);
+- plen++;
+- }
+- if (*q)
+- {
+- q++; /* skip trailing " */
+- plen++;
+- }
++ p++; /* skip leading " */
++ while(*p && *p != '"') /* " protects ; */
++ param_value = string_cat(param_value, &size, &ptr, p++, 1);
++ if (*p) p++; /* skip trailing " */
+ }
+ else
+- {
+- param_value = string_cat(param_value, &size, &ptr, q++, 1);
+- plen++;
+- }
++ param_value = string_cat(param_value, &size, &ptr, p++, 1);
++ if (*p) p++; /* skip trailing ; */
+
+ if (param_value)
+ {
++ uschar * dummy;
+ param_value[ptr++] = '\0';
+
+ param_value = rfc2047_decode(param_value,
+- check_rfc2047_length, NULL, 32, NULL, &q);
++ check_rfc2047_length, NULL, 32, NULL, &dummy);
+ debug_printf("Found %s MIME parameter in %s header, "
+ "value is '%s'\n", mp->name, mime_header_list[i].name,
+ param_value);
+ }
+ *mp->value = param_value;
+- p += mp->namelen + plen + 1; /* name=, content, ; */
+ goto NEXT_PARAM_SEARCH;
+ }
+ }
diff -Nru
exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch
exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch
---
exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch
1970-01-01 01:00:00.000000000 +0100
+++
exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch
2015-10-31 13:50:54.000000000 +0100
@@ -0,0 +1,59 @@
+From e7c25d5b603a33e677efc4bccb6e5cac617e7ad5 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <[email protected]>
+Date: Thu, 1 Jan 2015 21:47:10 +0000
+Subject: [PATCH] Avoid crash with badly-terminated non-recognised mime
+ parameter
+
+---
+ src/mime.c | 18 +++++++++++-------
+ test/log/4000 | 3 +++
+ test/mail/4000.userx | 42 +++++++++++++++++++++++++++++++++++++++++
+ test/scripts/4000-scanning/4000 | 32 +++++++++++++++++++++++++++++++
+ test/stdout/4000 | 11 +++++++++++
+ 5 files changed, 99 insertions(+), 7 deletions(-)
+
+diff --git a/src/mime.c b/src/mime.c
+index e5fe476..948dd78 100644
+--- a/src/mime.c
++++ b/src/mime.c
+@@ -589,6 +589,7 @@ DECODE_HEADERS:
+ NEXT_PARAM_SEARCH:
+ while (*p)
+ {
++ /* debug_printf(" considering paramlist '%s'\n", p); */
+ mime_parameter * mp;
+ for (mp = mime_parameter_list;
+ mp < &mime_parameter_list[mime_parameter_list_size];
+@@ -623,7 +624,7 @@ NEXT_PARAM_SEARCH:
+
+ param_value = rfc2047_decode(param_value,
+ check_rfc2047_length, NULL, 32, NULL, &dummy);
+- debug_printf("Found %s MIME parameter in %s header, "
++ debug_printf(" Found %s MIME parameter in %s header, "
+ "value is '%s'\n", mp->name, mime_header_list[i].name,
+ param_value);
+ }
+@@ -631,14 +632,17 @@ NEXT_PARAM_SEARCH:
+ goto NEXT_PARAM_SEARCH;
+ }
+ }
+- /* There is something, but not one of our interesting parameters.
+- Advance to the next semicolon */
+- while(*p != ';')
++ /* There is something, but not one of our interesting parameters.
++ Advance to the next unquoted semicolon */
++ while(*p && *p != ';')
++ if (*p == '"')
+ {
+- if (*p == '"') while(*++p && *p != '"') ;
+- p++;
++ while(*++p && *p != '"') ;
++ if (*p) p++;
+ }
+- p++;
++ else
++ p++;
++ if (*p) p++;
+ }
+ }
+ }
diff -Nru exim4-4.84/debian/patches/series exim4-4.84/debian/patches/series
--- exim4-4.84/debian/patches/series 2015-02-17 17:55:04.000000000 +0100
+++ exim4-4.84/debian/patches/series 2015-10-31 13:50:54.000000000 +0100
@@ -13,3 +13,5 @@
82_quoted-or-r-2047-encoded.diff
83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch
84_Fix-truncation-of-items-in-headers_remove-lists-this.patch
+85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
+86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch
signature.asc
Description: PGP signature
--- End Message ---
