On Mon, Sep 17, 2018 at 09:14:43AM +0200, Giovanni Bechis wrote:
> Hi,
> update to latest version, this a major update, there are many new features
> and a lot of bug fixed.
> Some CVE has been fixed and a old SA versions will not be compatible with
> new rules sooner or later.
> I used several iterations of this diff in production, ok to put it in
> before 6.4 ?
>
> More info here:
> http://svn.apache.org/repos/asf/spamassassin/trunk/build/announcements/3.4.2.txt
>
> Thanks & Cheers
> Giovanni
Works fine on my small setup.
ok pea@
Any plans to backport CVE to -stable ?
> Index: Makefile
> ===================================================================
> RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/Makefile,v
> retrieving revision 1.109
> diff -u -p -r1.109 Makefile
> --- Makefile 4 Sep 2018 12:46:15 -0000 1.109
> +++ Makefile 17 Sep 2018 06:59:30 -0000
> @@ -2,11 +2,10 @@
>
> COMMENT= mailfilter to identify and mark spam
>
> -VER= 3.4.1
> +VER= 3.4.2
> DISTNAME= Mail-SpamAssassin-${VER}
> PKGNAME= p5-${DISTNAME}
> -REVISION= 15
> -RULESNAME= Mail-SpamAssassin-rules-${VER}.r1675274.tgz
> +RULESNAME= Mail-SpamAssassin-rules-${VER}.r1840640.tgz
> CATEGORIES= mail perl5
>
> DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${RULESNAME}
> @@ -33,8 +32,9 @@ COMMON_DEPENDS= www/p5-HTML-Parser>=3.3
> BUILD_DEPENDS= ${COMMON_DEPENDS}
> RUN_DEPENDS= ${COMMON_DEPENDS} \
> devel/re2c \
> + devel/p5-BSD-Resource \
> p5-Mail-SPF-*|p5-Mail-SPF-Query-*:mail/p5-Mail-SPF \
> - net/p5-Geo-IP \
> +
> p5-Geo-IP-*|p5-IP-Country-DB_File-*|p5-IP-Country-*:net/p5-Geo-IP \
> net/p5-Net-LibIDN \
> net/p5-Net-Patricia \
> security/gnupg \
> Index: distinfo
> ===================================================================
> RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/distinfo,v
> retrieving revision 1.38
> diff -u -p -r1.38 distinfo
> --- distinfo 30 Apr 2015 14:41:53 -0000 1.38
> +++ distinfo 17 Sep 2018 06:59:56 -0000
> @@ -1,4 +1,4 @@
> -SHA256 (Mail-SpamAssassin-3.4.1.tar.bz2) =
> oMHJgI8GhLOJWU64ssy6zmSGVGWTST+TCMlVRWPRRlE=
> -SHA256 (Mail-SpamAssassin-rules-3.4.1.r1675274.tgz) =
> OC9+4WCpahWq5Vn1PfksNvLhdkexnFlU7+3oYUn40Ss=
> -SIZE (Mail-SpamAssassin-3.4.1.tar.bz2) = 2710985
> -SIZE (Mail-SpamAssassin-rules-3.4.1.r1675274.tgz) = 270622
> +SHA256 (Mail-SpamAssassin-3.4.2.tar.bz2) =
> zwMEWkmRdSFF7tAH51c38+TH80zyJdtBHOP9NZKA6No=
> +SHA256 (Mail-SpamAssassin-rules-3.4.2.r1840640.tgz) =
> jUgaIIHx5ioleSOPZrWNIST3ounzz6PUqisD/nsBmbs=
> +SIZE (Mail-SpamAssassin-3.4.2.tar.bz2) = 2700016
> +SIZE (Mail-SpamAssassin-rules-3.4.2.r1840640.tgz) = 284758
> Index: patches/patch-Makefile_PL
> ===================================================================
> RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/patches/patch-Makefile_PL,v
> retrieving revision 1.13
> diff -u -p -r1.13 patch-Makefile_PL
> --- patches/patch-Makefile_PL 30 Apr 2015 14:41:53 -0000 1.13
> +++ patches/patch-Makefile_PL 13 Apr 2018 14:26:57 -0000
> @@ -1,7 +1,8 @@
> $OpenBSD: patch-Makefile_PL,v 1.13 2015/04/30 14:41:53 sthen Exp $
> ---- Makefile.PL.orig Tue Apr 28 20:57:01 2015
> -+++ Makefile.PL Thu Apr 30 14:25:54 2015
> -@@ -832,7 +832,7 @@ sub MY::install {
> +Index: Makefile.PL
> +--- Makefile.PL.orig
> ++++ Makefile.PL
> +@@ -856,7 +856,7 @@ sub MY::install {
>
> foreach (@code) {
> # Add our install targets as a dependency to all top-level install
> targets
> Index: patches/patch-lib_Mail_SpamAssassin_BayesStore_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_BayesStore_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_BayesStore_pm
> --- patches/patch-lib_Mail_SpamAssassin_BayesStore_pm 31 Oct 2017 07:41:51
> -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_BayesStore_pm,v 1.1 2017/10/31
> 07:41:51 giovanni Exp $
> -
> -# bug 7340: remove expire flag after token expiration is done
> -
> -Index: lib/Mail/SpamAssassin/BayesStore.pm
> ---- lib/Mail/SpamAssassin/BayesStore.pm.orig
> -+++ lib/Mail/SpamAssassin/BayesStore.pm
> -@@ -419,6 +419,7 @@ sub expire_old_tokens_trapped {
> - dbg("bayes: $msg: $msg2");
> - }
> -
> -+ $self->remove_running_expire_tok();
> - return 1;
> - }
> -
> Index: patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm
> --- patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm 13 Mar 2018
> 07:51:59 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,218 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Conf_Parser_pm,v 1.2 2018/03/13
> 07:51:59 giovanni Exp $
> -
> -Index: lib/Mail/SpamAssassin/Conf/Parser.pm
> ---- lib/Mail/SpamAssassin/Conf/Parser.pm.orig
> -+++ lib/Mail/SpamAssassin/Conf/Parser.pm
> -@@ -142,15 +142,11 @@ use Mail::SpamAssassin::NetSet;
> -
> - use strict;
> - use warnings;
> --use bytes;
> -+# use bytes;
> - use re 'taint';
> -
> --use vars qw{
> -- @ISA
> --};
> -+our @ISA = qw();
> -
> --@ISA = qw();
> --
> - ###########################################################################
> -
> - sub new {
> -@@ -263,6 +259,7 @@ sub parse {
> - while (defined ($line = shift @conf_lines)) {
> - local ($1); # bug 3838: prevent random taint flagging of $1
> -
> -+ if (index($line,'#') > -1) {
> - # bug 5545: used to support testing rules in the ruleqa system
> - if ($keepmetadata && $line =~ /^\#testrules/) {
> - $self->{file_scoped_attrs}->{testrules}++;
> -@@ -278,8 +275,12 @@ sub parse {
> -
> - $line =~ s/(?<!\\)#.*$//; # remove comments
> - $line =~ s/\\#/#/g; # hash chars are escaped, so unescape them
> -+ }
> -+
> -+ if ($line =~ tr{ \t\r\n\f}{}) {
> - $line =~ s/^\s+//; # remove leading whitespace
> - $line =~ s/\s+$//; # remove tailing whitespace
> -+ }
> - next unless($line); # skip empty lines
> -
> - # handle i18n
> -@@ -288,7 +289,7 @@ sub parse {
> - my($key, $value) = split(/\s+/, $line, 2);
> - $key = lc $key;
> - # convert all dashes in setting name to underscores.
> -- $key =~ s/-/_/g;
> -+ $key =~ tr/-/_/;
> - $value = '' unless defined($value);
> -
> - # # Do a better job untainting this info ...
> -@@ -338,26 +339,26 @@ sub parse {
> - }
> -
> - # now handle the commands.
> -- if ($key eq 'include') {
> -+ elsif ($key eq 'include') {
> - $value = $self->fix_path_relative_to_current_file($value);
> - my $text = $conf->{main}->read_cf($value, 'included file');
> - unshift (@conf_lines, split (/\n/, $text));
> - next;
> - }
> -
> -- if ($key eq 'ifplugin') {
> -+ elsif ($key eq 'ifplugin') {
> - $self->handle_conditional ($key, "plugin ($value)",
> - \@if_stack, \$skip_parsing);
> - next;
> - }
> -
> -- if ($key eq 'if') {
> -+ elsif ($key eq 'if') {
> - $self->handle_conditional ($key, $value,
> - \@if_stack, \$skip_parsing);
> - next;
> - }
> -
> -- if ($key eq 'else') {
> -+ elsif ($key eq 'else') {
> - # TODO: if/else/else won't get flagged here :(
> - if (!@if_stack) {
> - $parse_error = "config: found else without matching conditional";
> -@@ -369,7 +370,7 @@ sub parse {
> - }
> -
> - # and the endif statement:
> -- if ($key eq 'endif') {
> -+ elsif ($key eq 'endif') {
> - my $lastcond = pop @if_stack;
> - if (!defined $lastcond) {
> - $parse_error = "config: found endif without matching conditional";
> -@@ -508,7 +509,7 @@ sub handle_conditional {
> - my $conf = $self->{conf};
> -
> - my $lexer = ARITH_EXPRESSION_LEXER;
> -- my @tokens = ($value =~ m/($lexer)/g);
> -+ my @tokens = ($value =~ m/($lexer)/og);
> -
> - my $eval = '';
> - my $bad = 0;
> -@@ -573,6 +574,10 @@ sub cond_clause_plugin_loaded {
> -
> - sub cond_clause_can {
> - my ($self, $method) = @_;
> -+ if ($self->{currentfile} =~ q!/user_prefs$! ) {
> -+ warn "config: 'if can $method' not available in user_prefs";
> -+ return 0
> -+ }
> - $self->cond_clause_can_or_has('can', $method);
> - }
> -
> -@@ -591,7 +596,7 @@ sub cond_clause_can_or_has {
> - } elsif ($method =~ /^(.*)::([^:]+)$/) {
> - no strict "refs";
> - my($module, $meth) = ($1, $2);
> -- return 1 if UNIVERSAL::can($module,$meth) &&
> -+ return 1 if $module->can($meth) &&
> - ( $fn_name eq 'has' || &{$method}() );
> - } else {
> - $self->lint_warn("bad 'if' line, cannot find '::' in $fn_name($method),
> ".
> -@@ -984,14 +989,14 @@ sub _meta_deps_recurse {
> -
> - # Lex the rule into tokens using a rather simple RE method ...
> - my $lexer = ARITH_EXPRESSION_LEXER;
> -- my @tokens = ($rule =~ m/$lexer/g);
> -+ my @tokens = ($rule =~ m/$lexer/og);
> -
> - # Go through each token in the meta rule
> - my $conf_tests = $conf->{tests};
> - foreach my $token (@tokens) {
> - # has to be an alpha+numeric token
> -- # next if $token =~ /^(?:\W+|[+-]?\d+(?:\.\d+)?)$/;
> -- next if $token !~ /^[A-Za-z_][A-Za-z0-9_]*\z/s; # faster
> -+ next if $token =~ tr{A-Za-z0-9_}{}c || substr($token,0,1) =~
> tr{A-Za-z_}{}c; # even faster
> -+
> - # and has to be a rule name
> - next unless exists $conf_tests->{$token};
> -
> -@@ -1178,25 +1183,25 @@ sub add_test {
> - my $conf = $self->{conf};
> -
> - # Don't allow invalid names ...
> -- if ($name !~ /^\D\w*$/) {
> -+ if ($name !~ /^[_[:alpha:]]\w*$/) {
> - $self->lint_warn("config: error: rule '$name' has invalid characters ".
> - "(not Alphanumeric + Underscore + starting with a non-digit)\n",
> $name);
> - return;
> - }
> -
> -- # Also set a hard limit for ALL rules (rule names longer than 242
> -+ # Also set a hard limit for ALL rules (rule names longer than 40
> - # characters throw warnings). Check this separately from the above
> - # pattern to avoid vague error messages.
> -- if (length $name > 200) {
> -- $self->lint_warn("config: error: rule '$name' is way too long ".
> -+ if (length $name > 100) {
> -+ $self->lint_warn("config: error: rule '$name' is too long ".
> - "(recommended maximum length is 22 characters)\n", $name);
> - return;
> - }
> -
> - # Warn about, but use, long rule names during --lint
> - if ($conf->{lint_rules}) {
> -- if (length($name) > 50 && $name !~ /^__/ && $name !~ /^T_/) {
> -- $self->lint_warn("config: warning: rule name '$name' is over 50 chars
> ".
> -+ if (length($name) > 40 && $name !~ /^__/ && $name !~ /^T_/) {
> -+ $self->lint_warn("config: warning: rule name '$name' is over 40 chars
> ".
> - "(recommended maximum length is 22 characters)\n", $name);
> - }
> - }
> -@@ -1286,12 +1291,18 @@ sub add_regression_test {
> - sub is_meta_valid {
> - my ($self, $name, $rule) = @_;
> -
> -+ # $meta is a degenerate translation of the rule, replacing all variables
> (i.e. rule names) with 0.
> - my $meta = '';
> - $rule = untaint_var($rule); # must be careful below
> -+ # Bug #7557 code injection
> -+ if ( $rule =~ /\S(::|->)\S/ ) {
> -+ warn("is_meta_valid: Bogus rule $name: $rule") ;
> -+ return 0;
> -+ }
> -
> - # Lex the rule into tokens using a rather simple RE method ...
> - my $lexer = ARITH_EXPRESSION_LEXER;
> -- my @tokens = ($rule =~ m/$lexer/g);
> -+ my @tokens = ($rule =~ m/$lexer/og);
> - if (length($name) == 1) {
> - for (@tokens) {
> - print "$name $_\n " or die "Error writing token: $!";
> -@@ -1299,16 +1310,20 @@ sub is_meta_valid {
> - }
> - # Go through each token in the meta rule
> - foreach my $token (@tokens) {
> -- # Numbers can't be rule names
> -- if ($token !~ /^[A-Za-z_][A-Za-z0-9_]*\z/s) {
> -+ # If the token is a syntactically legal rule name, make it zero
> -+ if ($token =~ /^[_[:alpha:]]\w+\z/s) {
> -+ $meta .= "0 ";
> -+ }
> -+ # if it is a number or a string of 1 or 2 punctuation characters (i.e.
> operators) tack it onto the degenerate rule
> -+ elsif ( $token =~ /^(\d+|[[:punct:]]{1,2})\z/s ) {
> - $meta .= "$token ";
> - }
> -- # Zero will probably cause more errors
> -+ # WTF is it? Just warn, for now. Bug #7557
> - else {
> -- $meta .= "0 ";
> -+ $self->lint_warn("config: Strange rule token: $token", $name);
> -+ $meta .= "$token ";
> - }
> - }
> --
> - my $evalstr = 'my $x = ' . $meta . '; 1;';
> - if (eval $evalstr) {
> - return 1;
> Index: patches/patch-lib_Mail_SpamAssassin_Conf_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Conf_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Conf_pm
> --- patches/patch-lib_Mail_SpamAssassin_Conf_pm 13 Mar 2018 07:51:59
> -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,43 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Conf_pm,v 1.1 2018/03/13 07:51:59
> giovanni Exp $
> -
> -Index: lib/Mail/SpamAssassin/Conf.pm
> ---- lib/Mail/SpamAssassin/Conf.pm.orig
> -+++ lib/Mail/SpamAssassin/Conf.pm
> -@@ -2836,8 +2836,8 @@ C<header SYMBOLIC_TEST_NAME header =~ /\S/> rule as de
> - =item header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments])
> -
> - Define a header eval test. C<name_of_eval_method> is the name of
> --a method on the C<Mail::SpamAssassin::EvalTests> object. C<arguments>
> --are optional arguments to the function call.
> -+a method registered by a C<Mail::SpamAssassin::Plugin> object.
> -+C<arguments> are optional arguments to the function call.
> -
> - =item header SYMBOLIC_TEST_NAME eval:check_rbl('set', 'zone' [, 'sub-test'])
> -
> -@@ -2950,7 +2950,10 @@ name.
> - local ($1,$2);
> - if ($value =~ /^(\S+)\s+(?:rbl)?eval:(.*)$/) {
> - my ($rulename, $fn) = ($1, $2);
> --
> -+ dbg("config: header eval rule name is $rulename function is $fn");
> -+ if ($fn !~ /^\w+(\(.*\))?$/) {
> -+ return $INVALID_VALUE;
> -+ }
> - if ($fn =~ /^check_(?:rbl|dns)/) {
> - $self->{parser}->add_test ($rulename, $fn, $TYPE_RBL_EVALS);
> - }
> -@@ -3008,7 +3011,13 @@ Define a body eval test. See above.
> - my ($self, $key, $value, $line) = @_;
> - local ($1,$2);
> - if ($value =~ /^(\S+)\s+eval:(.*)$/) {
> -- $self->{parser}->add_test ($1, $2, $TYPE_BODY_EVALS);
> -+ my ($rulename, $fn) = ($1, $2);
> -+ dbg("config: body eval rule name is $rulename function is $fn");
> -+
> -+ if ($fn !~ /^\w+(\(.*\))?$/) {
> -+ return $INVALID_VALUE;
> -+ }
> -+ $self->{parser}->add_test ($rulename, $fn, $TYPE_BODY_EVALS);
> - }
> - else {
> - my @values = split(/\s+/, $value, 2);
> Index: patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm
> --- patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm 4 Mar 2016
> 00:05:35 -0000 1.4
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,82 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_DnsResolver_pm,v 1.4 2016/03/04
> 00:05:35 sthen Exp $
> ---- lib/Mail/SpamAssassin/DnsResolver.pm.orig Tue Apr 28 20:56:49 2015
> -+++ lib/Mail/SpamAssassin/DnsResolver.pm Thu Mar 3 23:59:55 2016
> -@@ -592,6 +592,9 @@ sub new_dns_packet {
> - };
> -
> - if ($packet) {
> -+ # RD flag needs to be set explicitly since Net::DNS 1.01, Bug 7223
> -+ $packet->header->rd(1);
> -+
> - # my $udp_payload_size = $self->{res}->udppacketsize;
> - my $udp_payload_size = $self->{conf}->{dns_options}->{edns};
> - if ($udp_payload_size && $udp_payload_size > 512) {
> -@@ -722,6 +725,37 @@ sub bgsend {
> -
> - ###########################################################################
> -
> -+=item $id = $res->bgread()
> -+
> -+Similar to C<Net::DNS::Resolver::bgread>. Reads a DNS packet from
> -+a supplied socket, decodes it, and returns a Net::DNS::Packet object
> -+if successful. Dies on error.
> -+
> -+=cut
> -+
> -+sub bgread() {
> -+ my ($self) = @_;
> -+ my $sock = $self->{sock};
> -+ my $packetsize = $self->{res}->udppacketsize;
> -+ $packetsize = 512 if $packetsize < 512; # just in case
> -+ my $data = '';
> -+ my $peeraddr = $sock->recv($data, $packetsize+256); # with some size
> margin for troubleshooting
> -+ defined $peeraddr or die "bgread: recv() failed: $!";
> -+ my $peerhost = $sock->peerhost;
> -+ $data ne '' or die "bgread: received empty packet from $peerhost";
> -+ dbg("dns: bgread: received %d bytes from %s", length($data), $peerhost);
> -+ my($answerpkt, $decoded_length) = Net::DNS::Packet->new(\$data);
> -+ $answerpkt or die "bgread: decoding DNS packet failed: $@";
> -+ $answerpkt->answerfrom($peerhost);
> -+ if ($decoded_length ne length($data)) {
> -+ warn sprintf("bgread: received a %d bytes packet from %s, decoded %d
> bytes\n",
> -+ length($data), $peerhost, $decoded_length);
> -+ }
> -+ return $answerpkt;
> -+}
> -+
> -+###########################################################################
> -+
> - =item $nfound = $res->poll_responses()
> -
> - See if there are any C<bgsend> reply packets ready, and return
> -@@ -769,13 +803,25 @@ sub poll_responses {
> - $timeout = 0; # next time around collect whatever is available, then
> exit
> - last if $nfound == 0;
> -
> -- my $packet = $self->{res}->bgread($self->{sock});
> -+ my $packet;
> -+ eval {
> -+ $packet = $self->bgread();
> -+ } or do {
> -+ undef $packet;
> -+ my $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat;
> -+ # resignal if alarm went off
> -+ die $eval_stat if $eval_stat =~ /__alarm__ignore__\(.*\)/s;
> -+ info("dns: bad dns reply: %s", $eval_stat);
> -+ };
> -
> -+# Bug 7265, use our own bgread()
> -+# my $packet = $self->{res}->bgread($self->{sock});
> -+
> - if (!$packet) {
> -- my $dns_err = $self->{res}->errorstring;
> -- # resignal if alarm went off
> -- die "dns (3) $dns_err\n" if $dns_err =~ /__alarm__ignore__\(.*\)/s;
> -- info("dns: bad dns reply: $dns_err");
> -+ # error already reported above
> -+# my $dns_err = $self->{res}->errorstring;
> -+# die "dns (3) $dns_err\n" if $dns_err =~ /__alarm__ignore__\(.*\)/s;
> -+# info("dns: bad dns reply: $dns_err");
> - } else {
> - my $header = $packet->header;
> - if (!$header) {
> Index: patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm
> --- patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm 4 Mar
> 2016 00:05:35 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,25 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm,v 1.1
> 2016/03/04 00:05:35 sthen Exp $
> ---- lib/Mail/SpamAssassin/Message/Metadata/Received.pm.orig Tue Apr 28
> 20:56:48 2015
> -+++ lib/Mail/SpamAssassin/Message/Metadata/Received.pm Thu Mar 3
> 23:59:55 2016
> -@@ -434,7 +434,8 @@ sub parse_received_line {
> - $auth = 'Postfix';
> - }
> - # Communigate Pro - Bug 6495 adds HTTP as possible transmission method
> -- elsif (/CommuniGate Pro (HTTP|SMTP)/ && / \(account /) {
> -+ # Bug 7277: XIMSS used by Pronto and other custom apps, IMAP
> supports XMIT extension
> -+ elsif (/CommuniGate Pro (HTTP|SMTP|XIMSS|IMAP)/ && / \(account /) {
> - $auth = 'Communigate';
> - }
> - # Microsoft Exchange (complete with syntax error)
> -@@ -714,6 +715,11 @@ sub parse_received_line {
> - # Received: from sc8-sf-sshgate.sourceforge.net (HELO
> sc8-sf-netmisc.sourceforge.net) (66.35.250.220) by la.mx.develooper.com
> (qpsmtpd/0.27-dev) with ESMTP; Fri, 02 Jan 2004 14:44:41 -0800
> - # Received: from mx10.topofferz.net (HELO ) (69.6.60.10) by
> blazing.arsecandle.org with SMTP; 3 Mar 2004 20:34:38 -0000
> - if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \((${IP_ADDRESS})\) by (\S+)
> \(qpsmtpd\/\S+\) with (?:ESMTP|SMTP)/) {
> -+ $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
> -+ }
> -+
> -+ # Received: from mail-backend.DDDD.com (LHLO mail-backend.DDDD.com)
> (10.2.2.20) by mail-backend.DDDD.com with LMTP; Thu, 18 Jun 2015 16:50:56
> -0700 (PDT)
> -+ if (/^(\S+) \(LHLO (\S*)\) \((${IP_ADDRESS})\) by (\S+) with LMTP/) {
> - $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
> - }
> -
> Index: patches/patch-lib_Mail_SpamAssassin_Message_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Message_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Message_pm
> --- patches/patch-lib_Mail_SpamAssassin_Message_pm 31 Oct 2017 07:41:51
> -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,27 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Message_pm,v 1.2 2017/10/31 07:41:51
> giovanni Exp $
> -
> -# bug 7447: Delete parse_queue in Message::finish() to prevent memory leak.
> -
> -Index: lib/Mail/SpamAssassin/Message.pm
> ---- lib/Mail/SpamAssassin/Message.pm.orig
> -+++ lib/Mail/SpamAssassin/Message.pm
> -@@ -628,6 +628,9 @@ sub finish {
> - delete $self->{'line_ending'};
> - delete $self->{'missing_head_body_separator'};
> -
> -+ # Remove the queue variable, in case the body has not been parsed
> -+ delete $self->{'parse_queue'};
> -+
> - my @toclean = ( $self );
> -
> - # Go ahead and clean up all of the Message::Node parts
> -@@ -1045,6 +1048,9 @@ sub _parse_normal {
> - }
> - elsif ($ct[3]) {
> - $msg->{'name'} = $ct[3];
> -+ }
> -+ if ($msg->{'name'}) {
> -+ $msg->{'name'} = Encode::decode("MIME-Header", $msg->{'name'});
> - }
> -
> - $msg->{'boundary'} = $boundary;
> Index: patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm
> --- patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm 4 Mar 2016
> 00:05:35 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,87 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm,v 1.1 2016/03/04
> 00:05:35 sthen Exp $
> ---- lib/Mail/SpamAssassin/Plugin/DKIM.pm.orig Tue Apr 28 20:56:47 2015
> -+++ lib/Mail/SpamAssassin/Plugin/DKIM.pm Thu Mar 3 23:59:55 2016
> -@@ -178,14 +178,19 @@ sub set_config {
> -
> - Works similarly to whitelist_from, except that in addition to matching
> - an author address (From) to the pattern in the first parameter, the message
> --must also carry a Domain Keys Identified Mail (DKIM) signature made by a
> --signing domain (SDID, i.e. the d= tag) that is acceptable to us.
> -+must also carry a valid Domain Keys Identified Mail (DKIM) signature made by
> -+a signing domain (SDID, i.e. the d= tag) that is acceptable to us.
> -
> - Only one whitelist entry is allowed per line, as in C<whitelist_from_rcvd>.
> - Multiple C<whitelist_from_dkim> lines are allowed. File-glob style
> characters
> - are allowed for the From address (the first parameter), just like with
> --C<whitelist_from_rcvd>. The second parameter does not accept wildcards.
> -+C<whitelist_from_rcvd>.
> -
> -+The second parameter (the signing-domain) does not accept full file-glob
> style
> -+wildcards, although a simple '*.' (or just a '.') prefix to a domain name
> -+is recognized and implies any subdomain of the specified domain (but not
> -+the domain itself).
> -+
> - If no signing-domain parameter is specified, the only acceptable signature
> - will be an Author Domain Signature (sometimes called first-party signature)
> - which is a signature where the signing domain (SDID) of a signature matches
> -@@ -205,7 +210,8 @@ Examples of whitelisting based on third-party signatur
> - whitelist_from_dkim j...@example.net example.org
> - whitelist_from_dkim r...@info.example.net example.net
> - whitelist_from_dkim *@info.example.net example.net
> -- whitelist_from_dkim *@* remailer.example.com
> -+ whitelist_from_dkim *@* mail7.remailer.example.com
> -+ whitelist_from_dkim *@* *.remailer.example.com
> -
> - =item def_whitelist_from_dkim aut...@example.com [signing-domain]
> -
> -@@ -376,7 +382,8 @@ some valid signature on a message has no reputational
> - associated with a particular domain), regardless of its key size - anyone
> can
> - prepend its own signature on a copy of some third party mail and re-send it,
> - which makes it no more trustworthy than without such signature. This is also
> --a reason for a rule DKIM_VALID to have a near-zero score.
> -+a reason for a rule DKIM_VALID to have a near-zero score, i.e. a rule hit
> -+is only informational.
> -
> - =cut
> -
> -@@ -786,7 +793,8 @@ sub _check_dkim_signature {
> - # Only do so if EDNS0 provides a reasonably-sized UDP payload size,
> - # as our interface does not provide a DNS fallback to TCP, unlike
> - # the Net::DNS::Resolver::send which does provide it.
> -- my $res = $self->{main}->{resolver}->get_resolver;
> -+ my $res = $self->{main}->{resolver};
> -+ dbg("dkim: providing our own resolver: %s", ref $res);
> - Mail::DKIM::DNS::resolver($res);
> - }
> - }
> -@@ -892,13 +900,13 @@ sub _check_dkim_signature {
> - }
> - }
> - if (would_log("dbg","dkim")) {
> -- dbg("dkim: %s %s, i=%s, d=%s, s=%s, a=%s, c=%s, %s, %s",
> -+ dbg("dkim: %s %s, i=%s, d=%s, s=%s, a=%s, c=%s, %s, %s, %s",
> - $info,
> - $signature->isa('Mail::DKIM::DkSignature') ? 'DK' : 'DKIM',
> - map(!defined $_ ? '(undef)' : $_,
> - $signature->identity, $d, $signature->selector,
> - $signature->algorithm, scalar($signature->canonicalization),
> -- $key_size ? "key_bits=$key_size" : (),
> -+ $key_size ? "key_bits=$key_size" : "unknown key size",
> - ($sig_result_supported ? $signature : $verifier)->result ),
> - defined $d && $pms->{dkim_author_domains}->{$d}
> - ? 'matches author domain'
> -@@ -1257,8 +1265,12 @@ sub _wlcheck_list {
> - # identity (AUID). Nevertheless, be prepared to accept the full
> e-mail
> - # address there for compatibility, and just ignore its local-part.
> -
> -- $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/;
> -- $matches = 1 if $sdid eq lc $acceptable_sdid;
> -+ $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/s;
> -+ if ($acceptable_sdid =~ s/^\*?\.//s) {
> -+ $matches = 1 if $sdid =~ /\.\Q$acceptable_sdid\E\z/si;
> -+ } else {
> -+ $matches = 1 if $sdid eq lc $acceptable_sdid;
> -+ }
> - }
> - if ($matches) {
> - if (would_log("dbg","dkim")) {
> Index: patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm
> --- patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm 8 Mar 2018
> 07:30:00 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,99 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm,v 1.1 2018/03/08
> 07:30:00 giovanni Exp $
> -
> -Index: lib/Mail/SpamAssassin/Plugin/PDFInfo.pm
> ---- lib/Mail/SpamAssassin/Plugin/PDFInfo.pm.orig
> -+++ lib/Mail/SpamAssassin/Plugin/PDFInfo.pm
> -@@ -31,7 +31,7 @@ This plugin helps detected spam using attached PDF fil
> -
> - =item See "Usage:" below - more documentation see 20_pdfinfo.cf
> -
> -- Original info kept for history.
> -+ Original info kept for history. For later changes see SVN repo
> - -------------------------------------------------------
> - PDFInfo Plugin for SpamAssassin
> - Version: 0.8
> -@@ -40,7 +40,6 @@ This plugin helps detected spam using attached PDF fil
> - Modified: 2007-08-10
> - By: Dallas Engelken
> -
> --
> - Changes:
> - 0.8 - added .fdf detection (thanks John Lundin) [axb]
> - 0.7 - fixed empty body/pdf count buglet(thanks Jeremy) [axb]
> -@@ -76,7 +75,6 @@ This plugin helps detected spam using attached PDF fil
> - - removed all support for png, gif, and jpg from the code.
> - - prepended pdf_ to all function names to avoid conflicts with
> ImageInfo in SA 3.2.
> -
> --
> - Usage:
> -
> - pdf_count()
> -@@ -144,14 +142,14 @@ package Mail::SpamAssassin::Plugin::PDFInfo;
> -
> - use Mail::SpamAssassin::Plugin;
> - use Mail::SpamAssassin::Logger;
> -+use Mail::SpamAssassin::Util;
> - use strict;
> - use warnings;
> --use bytes;
> -+# use bytes;
> - use Digest::MD5 qw(md5_hex);
> - use MIME::QuotedPrint;
> -
> --use vars qw(@ISA);
> --@ISA = qw(Mail::SpamAssassin::Plugin);
> -+our @ISA = qw(Mail::SpamAssassin::Plugin);
> -
> - # constructor: register the eval rule
> - sub new {
> -@@ -413,9 +411,9 @@ sub _find_pdf_mime_parts {
> -
> - foreach my $p (@parts) {
> - my $type = $p->{'type'} =~ m@/([\w\-]+)$@;
> -- my $name = $p->{'name'};
> -+ my $name = $p->{'name'} || '';
> -
> -- my $cte = lc $p->get_header('content-transfer-encoding') || '';
> -+ my $cte = lc( $p->get_header('content-transfer-encoding') || '' );
> -
> - dbg("pdfinfo: found part, type=".($type ? $type : '')." file=".($name ?
> $name : '')." cte=".($cte ? $cte : '')."");
> -
> -@@ -441,7 +439,6 @@ sub _find_pdf_mime_parts {
> -
> - }
> -
> --
> - # ----------------------------------------
> -
> - sub pdf_named {
> -@@ -476,8 +473,12 @@ sub pdf_name_regex {
> -
> - my $hit = 0;
> - foreach my $name (keys %{$pms->{'pdfinfo'}->{"names_pdf"}}) {
> -- my $eval = 'if (q{'.$name.'} =~ '.$re.') { $hit = 1; } ';
> -- eval $eval;
> -+ eval {
> -+ my $regex = Mail::SpamAssassin::Util::make_qr($re);
> -+ if ( $name =~ m/$regex/ ) {
> -+ $hit = 1;
> -+ }
> -+ };
> - dbg("pdfinfo: error in regex $re - $@") if $@;
> - if ($hit) {
> - dbg("pdfinfo: pdf_name_regex hit on $name");
> -@@ -722,9 +723,12 @@ sub pdf_match_details {
> - return unless $check_value;
> -
> - my $hit = 0;
> -- $check_value =~ s/[\{\}\\]//g;
> -- my $eval = 'if (q{'.$check_value.'} =~ '.$regex.') { $hit = 1; }';
> -- eval $eval;
> -+ eval {
> -+ my $re = Mail::SpamAssassin::Util::make_qr($regex);
> -+ if ( $check_value =~ m/$re/ ) {
> -+ $hit = 1;
> -+ }
> -+ };
> - dbg("pdfinfo: error in regex $regex - $@") if $@;
> - if ($hit) {
> - dbg("pdfinfo: pdf_match_details $detail $regex matches $check_value");
> Index: patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm
> --- patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm 4 Mar 2016 00:05:35
> -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,24 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_SPF_pm,v 1.1 2016/03/04
> 00:05:35 sthen Exp $
> ---- lib/Mail/SpamAssassin/Plugin/SPF.pm.orig Tue Apr 28 20:56:47 2015
> -+++ lib/Mail/SpamAssassin/Plugin/SPF.pm Thu Mar 3 23:59:55 2016
> -@@ -232,7 +232,7 @@ working downwards until results are successfully parse
> - =item has_check_for_spf_errors
> -
> - Adds capability check for "if can()" for check_for_spf_permerror,
> check_for_spf_temperror, check_for_spf_helo_permerror and
> check_for_spf_helo_permerror
> --
> -+
> - =cut
> -
> - sub has_check_for_spf_errors { 1 }
> -@@ -506,9 +506,9 @@ sub _check_spf {
> - $self->{spf_server} = Mail::SPF::Server->new(
> - hostname => $scanner->get_tag('HOSTNAME'),
> - dns_resolver => $self->{main}->{resolver},
> -- max_dns_interactive_terms => 15);
> -+ max_dns_interactive_terms => 20);
> - # Bug 7112: max_dns_interactive_terms defaults to 10, but even 14 is
> -- # not enough for ebay.com, setting it to 15
> -+ # not enough for ebay.com, setting it to 15 NOTE: raising to 20 per
> bug 7182
> - 1;
> - } or do {
> - $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat;
> Index: patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm
> --- patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm 4 Mar 2016
> 00:05:35 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,28 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm,v 1.1 2016/03/04
> 00:05:35 sthen Exp $
> ---- lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm.orig Tue Apr 28 20:56:47 2015
> -+++ lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm Thu Mar 3 23:59:55 2016
> -@@ -942,9 +942,8 @@ sub complete_ns_lookup {
> - next unless (defined($str) && defined($dom));
> - dbg("uridnsbl: got($j) NS for $dom: $str");
> -
> -- if ($str =~ /IN\s+NS\s+(\S+)/) {
> -- my $nsmatch = lc $1;
> -- $nsmatch =~ s/\.$//;
> -+ if ($rr->type eq 'NS') {
> -+ my $nsmatch = lc $rr->nsdname; # available since at least Net::DNS
> 0.14
> - my $nsrhblstr = $nsmatch;
> - my $fullnsrhblstr = $nsmatch;
> -
> -@@ -1025,9 +1024,9 @@ sub complete_a_lookup {
> - }
> - dbg("uridnsbl: complete_a_lookup got(%d) A for %s: %s", $j,$hname,$str);
> -
> -- local $1;
> -- if ($str =~ /IN\s+A\s+(\S+)/) {
> -- $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $1);
> -+ if ($rr->type eq 'A') {
> -+ my $ip_address = $rr->rdatastr;
> -+ $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $ip_address);
> - }
> - }
> - }
> Index: patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm
> --- patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm 6 Feb 2018
> 07:58:03 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,34 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm,v 1.1 2018/02/06
> 07:58:03 giovanni Exp $
> -
> -Compatibility patches for perl 5.23+
> -
> -Index: lib/Mail/SpamAssassin/Plugin/URILocalBL.pm
> ---- lib/Mail/SpamAssassin/Plugin/URILocalBL.pm.orig
> -+++ lib/Mail/SpamAssassin/Plugin/URILocalBL.pm
> -@@ -350,7 +350,7 @@ sub check_uri_local_bl {
> - # look for W3 links only
> - next unless (defined $info->{types}->{a});
> -
> -- while (my($host, $domain) = each $info->{hosts}) {
> -+ while (my($host, $domain) = each %{$info->{hosts}}) {
> -
> - # skip if the domain name was matched
> - if (exists $rule->{exclusions} && exists
> $rule->{exclusions}->{$domain}) {
> -@@ -374,7 +374,7 @@ sub check_uri_local_bl {
> - }
> -
> - if (exists $rule->{countries}) {
> -- dbg("check: uri_local_bl countries %s\n", join(' ', sort keys
> $rule->{countries}));
> -+ dbg("check: uri_local_bl countries %s\n", join(' ', sort keys
> %{$rule->{countries}}));
> -
> - my $cc = $self->{geoip}->country_code_by_addr($ip);
> -
> -@@ -403,7 +403,7 @@ sub check_uri_local_bl {
> - }
> -
> - if (exists $rule->{isps}) {
> -- dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ .
> '"'; } sort keys $rule->{isps}));
> -+ dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ .
> '"'; } sort keys %{$rule->{isps}}));
> -
> - my $isp = $self->{geoisp}->isp_by_name($ip);
> -
> Index: patches/patch-lib_Mail_SpamAssassin_Util_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Util_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Util_pm
> --- patches/patch-lib_Mail_SpamAssassin_Util_pm 23 Feb 2018 17:07:35
> -0000 1.4
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,96 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Util_pm,v 1.4 2018/02/23 17:07:35
> giovanni Exp $
> -Index: lib/Mail/SpamAssassin/Util.pm
> ---- lib/Mail/SpamAssassin/Util.pm.orig
> -+++ lib/Mail/SpamAssassin/Util.pm
> -@@ -62,7 +62,8 @@ BEGIN {
> - @EXPORT_OK = qw(&local_tz &base64_decode &untaint_var &untaint_file_path
> - &exit_status_str &proc_status_ok &am_running_on_windows
> - &reverse_ip_address &decode_dns_question_entry
> -- &secure_tmpfile &secure_tmpdir &uri_list_canonicalize);
> -+ &secure_tmpfile &secure_tmpdir &uri_list_canonicalize
> -+ &get_user_groups);
> - }
> -
> - use Mail::SpamAssassin;
> -@@ -108,7 +109,7 @@ BEGIN {
> - if ( !$displayed_path++ ) {
> - dbg("util: current PATH is:
> ".join($Config{'path_sep'},File::Spec->path()));
> - }
> -- foreach my $path (File::Spec->path()) {
> -+ foreach my $path (File::Spec->path(), qw(${LOCALBASE}/bin
> ${LOCALBASE}/sbin)) {
> - my $fname = File::Spec->catfile ($path, $filename);
> - if ( -f $fname ) {
> - if (-x $fname) {
> -@@ -988,6 +989,18 @@ sub parse_content_type {
> - my($charset) = $ct =~ /\bcharset\s*=\s*["']?(.*?)["']?(?:;|$)/i;
> - my($name) = $ct =~ /\b(?:file)?name\s*=\s*["']?(.*?)["']?(?:;|$)/i;
> -
> -+ # RFC 2231 section 3: Parameter Value Continuations
> -+ # support continuations for name values
> -+ #
> -+ if (!$name && $ct =~ /\b(?:file)?name\*0\s*=/i) {
> -+
> -+ my @name;
> -+ $name[$1] = $2
> -+ while ($ct =~
> /\b(?:file)?name\*(\d+)\s*=\s*["']?(.*?)["']?(?:;|$)/ig);
> -+
> -+ $name = join "", grep defined, @name;
> -+ }
> -+
> - # Get the actual MIME type out ...
> - # Note: the header content may not be whitespace unfolded, so make sure
> the
> - # REs do /s when appropriate.
> -@@ -1493,13 +1506,43 @@ sub receive_date {
> - }
> -
> - ###########################################################################
> -+sub get_user_groups {
> -+ my $suid = shift;
> -+ dbg("get_user_groups: uid is $suid\n");
> -+ my ( $user, $passwd, $uid, $gid, $quota, $comment, $gcos, $dir, $shell,
> $expire ) = getpwuid($suid);
> -+ my $rgids="$gid ";
> -+ while ( my($name,$pw,$gid,$members) = getgrent() ) {
> -+ if ( $members =~ m/\b$user\b/ ) {
> -+ $rgids .= "$gid ";
> -+ dbg("get_user_groups: added $gid ($name) to group list which is now:
> $rgids\n");
> -+ }
> -+ }
> -+ endgrent;
> -+ chop $rgids;
> -+ return ($rgids);
> -+}
> -
> -+
> -+
> - sub setuid_to_euid {
> - return if (RUNNING_ON_WINDOWS);
> -
> - # remember the target uid, the first number is the important one
> - my $touid = $>;
> --
> -+ my $gids = get_user_groups($touid);
> -+ my ( $pgid, $supgs ) = split (' ',$gids,2);
> -+ defined $supgs or $supgs=$pgid;
> -+ if ($( != $pgid) {
> -+ # Gotta be root for any of this to work
> -+ $> = 0 ;
> -+ dbg("util: changing real primary gid from $( to $pgid and supplemental
> groups to $supgs to match effective uid $touid");
> -+ POSIX::setgid($pgid);
> -+ dbg("util: POSIX::setgid($pgid) set errno to $!");
> -+ $! = 0;
> -+ $( = $pgid;
> -+ $) = "$pgid $supgs";
> -+ dbg("util: assignment \$) = $pgid $supgs set errno to $!");
> -+ }
> - if ($< != $touid) {
> - dbg("util: changing real uid from $< to match effective uid $touid");
> - # bug 3586: kludges needed to work around platform dependent behavior
> assigning to $<
> -@@ -1574,7 +1617,7 @@ sub helper_app_pipe_open_unix {
> - eval {
> - # go setuid...
> - setuid_to_euid();
> -- dbg("util: setuid: ruid=$< euid=$>");
> -+ info("util: setuid: ruid=$< euid=$> rgid=$( egid=$) ");
> -
> - # now set up the fds. due to some wierdness, we may have to ensure that
> - # we *really* close the correct fd number, since some other code may
> have
> Index: patches/patch-spamc_libspamc_c
> ===================================================================
> RCS file: patches/patch-spamc_libspamc_c
> diff -N patches/patch-spamc_libspamc_c
> --- patches/patch-spamc_libspamc_c 23 May 2015 14:18:55 -0000 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,21 +0,0 @@
> -$OpenBSD: patch-spamc_libspamc_c,v 1.3 2015/05/23 14:18:55 bluhm Exp $
> ---- spamc/libspamc.c.orig Tue Apr 28 21:56:59 2015
> -+++ spamc/libspamc.c Wed May 20 19:53:07 2015
> -@@ -1216,7 +1216,7 @@ int message_filter(struct transport *tp, const char *u
> - if (flags & SPAMC_TLSV1) {
> - meth = TLSv1_client_method();
> - } else {
> -- meth = SSLv3_client_method(); /* default */
> -+ meth = SSLv23_client_method(); /* default */
> - }
> - SSL_load_error_strings();
> - ctx = SSL_CTX_new(meth);
> -@@ -1604,7 +1604,7 @@ int message_tell(struct transport *tp, const char *use
> - if (flags & SPAMC_USE_SSL) {
> - #ifdef SPAMC_SSL
> - SSLeay_add_ssl_algorithms();
> -- meth = SSLv3_client_method();
> -+ meth = SSLv23_client_method();
> - SSL_load_error_strings();
> - ctx = SSL_CTX_new(meth);
> - #else
> Index: patches/patch-spamd_spamd_raw
> ===================================================================
> RCS file: patches/patch-spamd_spamd_raw
> diff -N patches/patch-spamd_spamd_raw
> --- patches/patch-spamd_spamd_raw 23 Feb 2018 17:07:35 -0000 1.9
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,98 +0,0 @@
> -$OpenBSD: patch-spamd_spamd_raw,v 1.9 2018/02/23 17:07:35 giovanni Exp $
> -Index: spamd/spamd.raw
> ---- spamd/spamd.raw.orig
> -+++ spamd/spamd.raw
> -@@ -246,7 +246,8 @@ use Mail::SpamAssassin::SubProcBackChannel;
> - use Mail::SpamAssassin::SpamdForkScaling qw(:pfstates);
> - use Mail::SpamAssassin::Logger qw(:DEFAULT log_message);
> - use Mail::SpamAssassin::Util qw(untaint_var untaint_file_path
> -- exit_status_str am_running_on_windows);
> -+ exit_status_str am_running_on_windows
> -+ get_user_groups);
> - use Mail::SpamAssassin::Timeout;
> -
> - use Getopt::Long;
> -@@ -1071,7 +1072,6 @@ sub server_sock_setup_inet {
> - $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP'
> - && IO::Socket::IP->VERSION >= 0.09;
> - %sockopt = (%sockopt, (
> -- SSL_version => $sslversion,
> - SSL_verify_mode => 0x00,
> - SSL_key_file => $opt{'server-key'},
> - SSL_cert_file => $opt{'server-cert'},
> -@@ -1092,7 +1092,8 @@ sub server_sock_setup_inet {
> - if (!$server_inet) {
> - $diag = sprintf("could not create %s socket on [%s]:%s: %s",
> - $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
> -- $adr, $port, $!);
> -+ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
> -+ "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
> - push(@diag_fail, $diag);
> - } else {
> - $diag = sprintf("created %s socket on [%s]:%s",
> -@@ -1369,10 +1370,20 @@ sub spawn {
> - # bug 5518: assignments to $) and $( don't always work on all
> platforms
> - # bug 3900: assignments to $> and $< problems with BSD perl bug
> - # use the POSIX functions to hide the platform specific workarounds
> -+ dbg("spamd: Privilege de-escalation from user $< and groups $(\n");
> -+ $! = 0;
> - POSIX::setgid($ugid); # set effective and real gid
> -+ dbg("spamd: setgid ERRNO is $!\n");
> -+ $( = $ugid;
> -+ $) = "$ugid ".(get_user_groups($uuid)); # set effective and real
> gid/grouplist another way because we lack initgroups in Perl
> -+ dbg("spamd: group assignment ERRNO is $!\n");
> - POSIX::setuid($uuid); # set effective and real UID
> -+ dbg("spamd: setuid ERRNO is $!\n");
> - $< = $uuid; $> = $uuid; # bug 5574
> -+ dbg("spamd: uid assignment ERRNO is $!\n");
> -+ dbg("spamd: real user is $< \neff user is $> \nreal groups are $(
> \neff groups are $) \n");
> -
> -+
> - # keep the sanity check to catch problems like bug 3900 just in case
> - if ( $> != $uuid and $> != ( $uuid - 2**32 ) ) {
> - die "spamd: setuid to uid $uuid failed (> = $>, < = $<)\n";
> -@@ -1521,7 +1532,7 @@ sub accept_from_any_server_socket {
> - } # end multiple sockets case
> -
> - if ($selected_socket_info) {
> -- my $socket = $selected_socket_info->{socket};
> -+ $socket = $selected_socket_info->{socket};
> - $socket or die "no socket???, impossible";
> - dbg("spamd: accept() on fd %d", $selected_socket_info->{fd});
> - $client = $socket->accept;
> -@@ -1726,7 +1737,7 @@ sub handle_setuid_to_user {
> - my ($name, $pwd, $uid, $gid, $quota, $comment, $gcos, $dir, $etc) =
> - getpwnam('nobody');
> -
> -- $) = "$gid $gid"; # eGID
> -+ $) = (get_user_groups($uid)); # eGID
> - $> = $uid; # eUID
> - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) {
> - die("spamd: setuid to nobody failed");
> -@@ -2488,7 +2499,7 @@ sub handle_user_setuid_basic {
> - }
> -
> - if ($setuid_to_user) {
> -- $) = "$gid $gid"; # change eGID
> -+ $) = (get_user_groups($uid)); # change eGID
> - $> = $uid; # change eUID
> - if ( !defined($uid) || ( $> != $uid and $> != ( $uid - 2**32 ) ) ) {
> - # make it fatal to avoid security breaches
> -@@ -2710,7 +2721,7 @@ sub handle_user_setuid_with_sql {
> - }
> -
> - if ($setuid_to_user) {
> -- $) = "$gid $gid"; # change eGID
> -+ $) = (get_user_groups($uid)); # change eGID
> - $> = $uid; # change eUID
> - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) {
> - # make it fatal to avoid security breaches
> -@@ -2755,7 +2766,7 @@ sub handle_user_setuid_with_ldap {
> - }
> -
> - if ($setuid_to_user) {
> -- $) = "$gid $gid"; # change eGID
> -+ $) = (get_user_groups($uid)); # change eGID
> - $> = $uid; # change eUID
> - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) {
> - # make it fatal to avoid security breaches
> Index: patches/patch-t_SATest_pm
> ===================================================================
> RCS file: patches/patch-t_SATest_pm
> diff -N patches/patch-t_SATest_pm
> --- patches/patch-t_SATest_pm 7 Nov 2017 07:39:07 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,14 +0,0 @@
> -$OpenBSD: patch-t_SATest_pm,v 1.1 2017/11/07 07:39:07 giovanni Exp $
> -
> -Index: t/SATest.pm
> ---- t/SATest.pm.orig
> -+++ t/SATest.pm
> -@@ -1027,7 +1027,7 @@ sub can_use_net_dns_safely {
> - # (which is used by Net::DNS)
> -
> - return 1 if ($< != 0);
> -- return 1 if ($^O =~ /^(linux|mswin|dos|os2)/oi);
> -+ return 1 if ($^O =~ /^(linux|mswin|dos|os2|openbsd)/oi);
> -
> - my $has_unsafe_hostname =
> - eval { require Sys::Hostname::Long && Sys::Hostname::Long->VERSION <
> 1.4 };
> Index: patches/patch-t_sa_compile_t
> ===================================================================
> RCS file:
> /var/cvs/ports/mail/p5-Mail-SpamAssassin/patches/patch-t_sa_compile_t,v
> retrieving revision 1.3
> diff -u -p -r1.3 patch-t_sa_compile_t
> --- patches/patch-t_sa_compile_t 23 May 2015 14:18:55 -0000 1.3
> +++ patches/patch-t_sa_compile_t 25 Aug 2018 17:29:40 -0000
> @@ -1,21 +1,14 @@
> $OpenBSD: patch-t_sa_compile_t,v 1.3 2015/05/23 14:18:55 bluhm Exp $
> ---- t/sa_compile.t.orig Tue Apr 28 21:56:58 2015
> -+++ t/sa_compile.t Tue May 12 22:36:36 2015
> -@@ -8,8 +8,7 @@ use Config;
> +Index: t/sa_compile.t
> +--- t/sa_compile.t.orig
> ++++ t/sa_compile.t
> +@@ -12,8 +12,7 @@ use Config;
> use File::Basename;
> use File::Path qw/mkpath/;
>
> -my $temp_binpath = $Config{sitebinexp};
> --$temp_binpath =~ s/^\Q$Config{prefix}\E//;
> +-$temp_binpath =~ s|^\Q$Config{siteprefixexp}\E/||;
> +my $temp_binpath = "bin";
>
> - # called from BEGIN
> - sub re2c_version_new_enough {
> -@@ -65,6 +64,7 @@ sub new_instdir {
> - $instdir = $instbase.".".(shift);
> - print "\nsetting new instdir: $instdir\n";
> - $INST_FROM_SCRATCH and system("rm -rf $instdir; mkdir $instdir");
> -+ system("mkdir -p $instdir/foo/etc/mail/spamassassin");
> - }
> -
> - sub run_makefile_pl {
> + use Test::More;
> + plan skip_all => "Long running tests disabled" unless
> conf_bool('run_long_tests');
> Index: patches/patch-t_spf_t
> ===================================================================
> RCS file: patches/patch-t_spf_t
> diff -N patches/patch-t_spf_t
> --- patches/patch-t_spf_t 7 Nov 2017 07:39:07 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,22 +0,0 @@
> -$OpenBSD: patch-t_spf_t,v 1.1 2017/11/07 07:39:07 giovanni Exp $
> -
> -Index: t/spf.t
> ---- t/spf.t.orig
> -+++ t/spf.t
> -@@ -12,6 +12,7 @@ use constant HAS_MAILSPF => eval { require Mail::SPF;
> - # on non-Linux unices as root, due to a bug in Sys::Hostname::Long
> - # (it is used by Mail::SPF::Query, which is now obsoleted by Mail::SPF)
> - use constant IS_LINUX => $^O eq 'linux';
> -+use constant IS_OPENBSD => $^O eq 'openbsd';
> - use constant IS_WINDOWS => ($^O =~ /^(mswin|dos|os2)/oi);
> - use constant AM_ROOT => $< == 0;
> -
> -@@ -20,7 +21,7 @@ use constant HAS_UNSAFE_HOSTNAME => # Bug 3806 - modu
> -
> - use constant DO_RUN =>
> - TEST_ENABLED && (HAS_SPFQUERY || HAS_MAILSPF) &&
> -- (!HAS_UNSAFE_HOSTNAME || !AM_ROOT || IS_LINUX || IS_WINDOWS);
> -+ (!HAS_UNSAFE_HOSTNAME || !AM_ROOT || IS_LINUX || IS_WINDOWS ||
> IS_OPENBSD);
> -
> - BEGIN {
> -
> Index: pkg/PLIST
> ===================================================================
> RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/pkg/PLIST,v
> retrieving revision 1.36
> diff -u -p -r1.36 PLIST
> --- pkg/PLIST 4 Sep 2018 12:46:15 -0000 1.36
> +++ pkg/PLIST 10 Sep 2018 07:35:40 -0000
> @@ -3,6 +3,12 @@
> @newgroup _spamdaemon:506
> @newuser
> _spamdaemon:506:506:daemon:SpamAssassin:${LOCALSTATEDIR}:/sbin/nologin
> @extraunexec rm -rf ${CONFDIR}/sa-update-keys
> +@rcscript ${RCDIR}/spamassassin
> +@owner _spamdaemon
> +@group _spamdaemon
> +@sample ${LOCALSTATEDIR}/
> +@owner
> +@group
> bin/sa-awl
> bin/sa-check_spamd
> bin/sa-compile
> @@ -79,8 +85,10 @@ ${P5SITE}/Mail/SpamAssassin/Plugin/DCC.p
> ${P5SITE}/Mail/SpamAssassin/Plugin/DKIM.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/DNSEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/FreeMail.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/FromNameSpoof.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/HTMLEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/HTTPSMismatch.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/HashBL.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Hashcash.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/HeaderEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/ImageInfo.pm
> @@ -89,11 +97,13 @@ ${P5SITE}/Mail/SpamAssassin/Plugin/MIMEH
> ${P5SITE}/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/PDFInfo.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/PhishTag.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/Phishing.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Pyzor.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Razor2.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/RelayCountry.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/RelayEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/ReplaceTags.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/ResourceLimits.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Reuse.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Rule2XSBody.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/SPF.pm
> @@ -118,9 +128,9 @@ ${P5SITE}/Mail/SpamAssassin/SubProcBackC
> ${P5SITE}/Mail/SpamAssassin/Timeout.pm
> ${P5SITE}/Mail/SpamAssassin/Util/
> ${P5SITE}/Mail/SpamAssassin/Util.pm
> +@comment ${P5SITE}/Mail/SpamAssassin/Util.pm.beforesubst
> ${P5SITE}/Mail/SpamAssassin/Util/DependencyInfo.pm
> ${P5SITE}/Mail/SpamAssassin/Util/Progress.pm
> -${P5SITE}/Mail/SpamAssassin/Util/RegistrarBoundaries.pm
> ${P5SITE}/Mail/SpamAssassin/Util/ScopedTimer.pm
> ${P5SITE}/Mail/SpamAssassin/Util/TieOneStringHash.pm
> ${P5SITE}/Mail/SpamAssassin/Util/TinyRedis.pm
> @@ -174,16 +184,20 @@ ${P5SITE}/spamassassin-run.pod
> @man man/man3p/Mail::SpamAssassin::Plugin::DCC.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::DKIM.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::DNSEval.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::FromNameSpoof.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::HashBL.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Hashcash.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::MIMEEval.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::MIMEHeader.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::OneLineBodyRuleType.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::PDFInfo.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::PhishTag.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::Phishing.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Pyzor.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Razor2.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::RelayCountry.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::ReplaceTags.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::ResourceLimits.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Reuse.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Rule2XSBody.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::SPF.3p
> @@ -205,7 +219,6 @@ ${P5SITE}/spamassassin-run.pod
> @man man/man3p/Mail::SpamAssassin::Util.3p
> @man man/man3p/Mail::SpamAssassin::Util::DependencyInfo.3p
> @man man/man3p/Mail::SpamAssassin::Util::Progress.3p
> -@man man/man3p/Mail::SpamAssassin::Util::RegistrarBoundaries.3p
> @man man/man3p/spamassassin-run.3p
> share/doc/SpamAssassin/
> share/doc/SpamAssassin/CREDITS
> @@ -242,6 +255,7 @@ share/examples/SpamAssassin/init.pre
> @sample ${CONFDIR}/init.pre
> share/examples/SpamAssassin/local.cf
> @sample ${CONFDIR}/local.cf
> +@comment share/examples/SpamAssassin/svn_only.pre
> share/examples/SpamAssassin/v310.pre
> @sample ${CONFDIR}/v310.pre
> share/examples/SpamAssassin/v312.pre
> @@ -254,6 +268,8 @@ share/examples/SpamAssassin/v340.pre
> @sample ${CONFDIR}/v340.pre
> share/examples/SpamAssassin/v341.pre
> @sample ${CONFDIR}/v341.pre
> +share/examples/SpamAssassin/v342.pre
> +@sample ${CONFDIR}/v342.pre
> share/spamassassin/
> share/spamassassin/10_default_prefs.cf
> share/spamassassin/10_hasbase.cf
> @@ -303,7 +319,9 @@ share/spamassassin/50_scores.cf
> share/spamassassin/60_adsp_override_dkim.cf
> share/spamassassin/60_awl.cf
> share/spamassassin/60_shortcircuit.cf
> +share/spamassassin/60_txrep.cf
> share/spamassassin/60_whitelist.cf
> +share/spamassassin/60_whitelist_auth.cf
> share/spamassassin/60_whitelist_dkim.cf
> share/spamassassin/60_whitelist_spf.cf
> share/spamassassin/60_whitelist_subject.cf
> @@ -319,7 +337,3 @@ share/spamassassin/local.cf
> share/spamassassin/regression_tests.cf
> share/spamassassin/sa-update-pubkey.txt
> share/spamassassin/user_prefs.template
> -@rcscript ${RCDIR}/spamassassin
> -@owner _spamdaemon
> -@group _spamdaemon
> -@sample ${LOCALSTATEDIR}/
> Index: pkg/spamassassin.rc
> ===================================================================
> RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/pkg/spamassassin.rc,v
> retrieving revision 1.6
> diff -u -p -r1.6 spamassassin.rc
> --- pkg/spamassassin.rc 11 Jan 2018 19:27:03 -0000 1.6
> +++ pkg/spamassassin.rc 25 Aug 2018 17:57:33 -0000
> @@ -7,6 +7,6 @@ daemon_flags="-u _spamdaemon -P"
>
> . /etc/rc.d/rc.subr
>
> -pexp="perl: ${daemon}${daemon_flags:+ ${daemon_flags}}"
> +pexp="/usr/bin/perl -T -w ${daemon}${daemon_flags:+ ${daemon_flags}}"
>
> rc_cmd $1
