On Mon, Sep 17, 2018 at 07:50:03PM +0200, Pierre-Emmanuel André wrote:
> On Mon, Sep 17, 2018 at 09:14:43AM +0200, Giovanni Bechis wrote:
> > Hi,
> > update to latest version, this is a major update, there are many new features
> > and a lot of bugs fixed.
> > Some CVEs have been fixed, and old SA versions will not be compatible with
> > new rules sooner or later.
> > I used several iterations of this diff in production, ok to put it in
> > before 6.4 ?
> >
> > More info here:
> > http://svn.apache.org/repos/asf/spamassassin/trunk/build/announcements/3.4.2.txt
> >
> > Thanks & Cheers
> > Giovanni
> >
> Works fine on my small setup.
> ok pea@
>
> Any plans to backport CVE to -stable ?
>
Some of them were backported before a CVE had been assigned; anyway, I feel more confident updating to 3.4.2 in -stable as well.
Diff follows.
 Giovanni
Index: Makefile =================================================================== RCS file: /cvs/ports/mail/p5-Mail-SpamAssassin/Makefile,v retrieving revision 1.108 diff -u -p -r1.108 Makefile --- Makefile 13 Mar 2018 07:51:59 -0000 1.108 +++ Makefile 18 Sep 2018 07:08:03 -0000 @@ -2,11 +2,10 @@ COMMENT= mailfilter to identify and mark spam -VER= 3.4.1 +VER= 3.4.2 DISTNAME= Mail-SpamAssassin-${VER} PKGNAME= p5-${DISTNAME} -REVISION= 14 -RULESNAME= Mail-SpamAssassin-rules-${VER}.r1675274.tgz +RULESNAME= Mail-SpamAssassin-rules-${VER}.r1840640.tgz CATEGORIES= mail perl5 DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${RULESNAME} @@ -33,8 +32,9 @@ COMMON_DEPENDS= www/p5-HTML-Parser>=3.3 BUILD_DEPENDS= ${COMMON_DEPENDS} RUN_DEPENDS= ${COMMON_DEPENDS} \ devel/re2c \ + devel/p5-BSD-Resource \ p5-Mail-SPF-*|p5-Mail-SPF-Query-*:mail/p5-Mail-SPF \ - net/p5-Geo-IP \ + p5-Geo-IP-*|p5-IP-Country-DB_File-*|p5-IP-Country-*:net/p5-Geo-IP \ net/p5-Net-LibIDN \ net/p5-Net-Patricia \ security/gnupg \ Index: distinfo =================================================================== RCS file: /cvs/ports/mail/p5-Mail-SpamAssassin/distinfo,v retrieving revision 1.38 diff -u -p -r1.38 distinfo --- distinfo 30 Apr 2015 14:41:53 -0000 1.38 +++ distinfo 18 Sep 2018 07:08:03 -0000 
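Review bot: In the second Makefile hunk, the widened spec `p5-Geo-IP-*|p5-IP-Country-DB_File-*|p5-IP-Country-*:net/p5-Geo-IP` lets the run dependency be satisfied by an IP::Country package with Geo::IP itself absent. The URILocalBL patch removed later in this diff shows 3.4.1 calling the Geo::IP API directly (`$self->{geoip}->country_code_by_addr($ip)`), so it is worth confirming that every 3.4.2 plugin doing country or ISP lookups accepts each listed backend and does not quietly skip its checks; that is not visible from this page. If any plugin still needs Geo::IP specifically, keep the plain `net/p5-Geo-IP \` entry and list the IP::Country backends as optional in the package documentation. The RUN_DEPENDS assignment continues past the end of the hunk.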
@@ -1,4 +1,4 @@ -SHA256 (Mail-SpamAssassin-3.4.1.tar.bz2) = oMHJgI8GhLOJWU64ssy6zmSGVGWTST+TCMlVRWPRRlE= -SHA256 (Mail-SpamAssassin-rules-3.4.1.r1675274.tgz) = OC9+4WCpahWq5Vn1PfksNvLhdkexnFlU7+3oYUn40Ss= -SIZE (Mail-SpamAssassin-3.4.1.tar.bz2) = 2710985 -SIZE (Mail-SpamAssassin-rules-3.4.1.r1675274.tgz) = 270622 +SHA256 (Mail-SpamAssassin-3.4.2.tar.bz2) = zwMEWkmRdSFF7tAH51c38+TH80zyJdtBHOP9NZKA6No= +SHA256 (Mail-SpamAssassin-rules-3.4.2.r1840640.tgz) = jUgaIIHx5ioleSOPZrWNIST3ounzz6PUqisD/nsBmbs= +SIZE (Mail-SpamAssassin-3.4.2.tar.bz2) = 2700016 +SIZE (Mail-SpamAssassin-rules-3.4.2.r1840640.tgz) = 284758 Index: patches/patch-Makefile_PL =================================================================== RCS file: /cvs/ports/mail/p5-Mail-SpamAssassin/patches/patch-Makefile_PL,v retrieving revision 1.13 diff -u -p -r1.13 patch-Makefile_PL --- patches/patch-Makefile_PL 30 Apr 2015 14:41:53 -0000 1.13 +++ patches/patch-Makefile_PL 18 Sep 2018 07:08:03 -0000 @@ -1,7 +1,8 @@ $OpenBSD: patch-Makefile_PL,v 1.13 2015/04/30 14:41:53 sthen Exp $ ---- Makefile.PL.orig Tue Apr 28 20:57:01 2015 -+++ Makefile.PL Thu Apr 30 14:25:54 2015 -@@ -832,7 +832,7 @@ sub MY::install { +Index: Makefile.PL +--- Makefile.PL.orig ++++ Makefile.PL +@@ -856,7 +856,7 @@ sub MY::install { foreach (@code) { # Add our install targets as a dependency to all top-level install targets Index: patches/patch-lib_Mail_SpamAssassin_BayesStore_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_BayesStore_pm diff -N patches/patch-lib_Mail_SpamAssassin_BayesStore_pm --- patches/patch-lib_Mail_SpamAssassin_BayesStore_pm 31 Oct 2017 07:41:51 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,15 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_BayesStore_pm,v 1.1 2017/10/31 07:41:51 giovanni Exp $ - -# bug 7340: remove expire flag after token expiration is done - -Index: lib/Mail/SpamAssassin/BayesStore.pm ---- lib/Mail/SpamAssassin/BayesStore.pm.orig -+++ lib/Mail/SpamAssassin/BayesStore.pm -@@ -419,6 +419,7 @@ sub expire_old_tokens_trapped { - dbg("bayes: $msg: $msg2"); - } - -+ $self->remove_running_expire_tok(); - return 1; - } - Index: patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm diff -N patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm --- patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm 13 Mar 2018 07:51:59 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,218 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Conf_Parser_pm,v 1.2 2018/03/13 07:51:59 giovanni Exp $ - -Index: lib/Mail/SpamAssassin/Conf/Parser.pm ---- lib/Mail/SpamAssassin/Conf/Parser.pm.orig -+++ lib/Mail/SpamAssassin/Conf/Parser.pm -@@ -142,15 +142,11 @@ use Mail::SpamAssassin::NetSet; - - use strict; - use warnings; --use bytes; -+# use bytes; - use re 'taint'; - --use vars qw{ -- @ISA --}; -+our @ISA = qw(); - --@ISA = qw(); -- - ########################################################################### - - sub new { -@@ -263,6 +259,7 @@ sub parse { - while (defined ($line = shift @conf_lines)) { - local ($1); # bug 3838: prevent random taint flagging of $1 - -+ if (index($line,'#') > -1) { - # bug 5545: used to support testing rules in the ruleqa system - if ($keepmetadata && $line =~ /^\#testrules/) { - $self->{file_scoped_attrs}->{testrules}++; -@@ -278,8 +275,12 @@ sub parse { - - $line =~ s/(?<!\\)#.*$//; # remove comments - $line =~ s/\\#/#/g; # hash chars are escaped, so unescape them -+ } -+ -+ if ($line =~ tr{ \t\r\n\f}{}) { - $line =~ s/^\s+//; # remove leading whitespace - $line =~ s/\s+$//; # remove tailing whitespace -+ } - next unless($line); # skip empty lines - - # handle i18n -@@ -288,7 +289,7 @@ sub parse { - my($key, $value) = split(/\s+/, $line, 2); - $key = lc $key; - # convert all dashes in setting name to underscores. -- $key =~ s/-/_/g; -+ $key =~ tr/-/_/; - $value = '' unless defined($value); - - # # Do a better job untainting this info ... -@@ -338,26 +339,26 @@ sub parse { - } - - # now handle the commands. 
-- if ($key eq 'include') { -+ elsif ($key eq 'include') { - $value = $self->fix_path_relative_to_current_file($value); - my $text = $conf->{main}->read_cf($value, 'included file'); - unshift (@conf_lines, split (/\n/, $text)); - next; - } - -- if ($key eq 'ifplugin') { -+ elsif ($key eq 'ifplugin') { - $self->handle_conditional ($key, "plugin ($value)", - \@if_stack, \$skip_parsing); - next; - } - -- if ($key eq 'if') { -+ elsif ($key eq 'if') { - $self->handle_conditional ($key, $value, - \@if_stack, \$skip_parsing); - next; - } - -- if ($key eq 'else') { -+ elsif ($key eq 'else') { - # TODO: if/else/else won't get flagged here :( - if (!@if_stack) { - $parse_error = "config: found else without matching conditional"; -@@ -369,7 +370,7 @@ sub parse { - } - - # and the endif statement: -- if ($key eq 'endif') { -+ elsif ($key eq 'endif') { - my $lastcond = pop @if_stack; - if (!defined $lastcond) { - $parse_error = "config: found endif without matching conditional"; -@@ -508,7 +509,7 @@ sub handle_conditional { - my $conf = $self->{conf}; - - my $lexer = ARITH_EXPRESSION_LEXER; -- my @tokens = ($value =~ m/($lexer)/g); -+ my @tokens = ($value =~ m/($lexer)/og); - - my $eval = ''; - my $bad = 0; -@@ -573,6 +574,10 @@ sub cond_clause_plugin_loaded { - - sub cond_clause_can { - my ($self, $method) = @_; -+ if ($self->{currentfile} =~ q!/user_prefs$! ) { -+ warn "config: 'if can $method' not available in user_prefs"; -+ return 0 -+ } - $self->cond_clause_can_or_has('can', $method); - } - -@@ -591,7 +596,7 @@ sub cond_clause_can_or_has { - } elsif ($method =~ /^(.*)::([^:]+)$/) { - no strict "refs"; - my($module, $meth) = ($1, $2); -- return 1 if UNIVERSAL::can($module,$meth) && -+ return 1 if $module->can($meth) && - ( $fn_name eq 'has' || &{$method}() ); - } else { - $self->lint_warn("bad 'if' line, cannot find '::' in $fn_name($method), ". -@@ -984,14 +989,14 @@ sub _meta_deps_recurse { - - # Lex the rule into tokens using a rather simple RE method ... 
- my $lexer = ARITH_EXPRESSION_LEXER; -- my @tokens = ($rule =~ m/$lexer/g); -+ my @tokens = ($rule =~ m/$lexer/og); - - # Go through each token in the meta rule - my $conf_tests = $conf->{tests}; - foreach my $token (@tokens) { - # has to be an alpha+numeric token -- # next if $token =~ /^(?:\W+|[+-]?\d+(?:\.\d+)?)$/; -- next if $token !~ /^[A-Za-z_][A-Za-z0-9_]*\z/s; # faster -+ next if $token =~ tr{A-Za-z0-9_}{}c || substr($token,0,1) =~ tr{A-Za-z_}{}c; # even faster -+ - # and has to be a rule name - next unless exists $conf_tests->{$token}; - -@@ -1178,25 +1183,25 @@ sub add_test { - my $conf = $self->{conf}; - - # Don't allow invalid names ... -- if ($name !~ /^\D\w*$/) { -+ if ($name !~ /^[_[:alpha:]]\w*$/) { - $self->lint_warn("config: error: rule '$name' has invalid characters ". - "(not Alphanumeric + Underscore + starting with a non-digit)\n", $name); - return; - } - -- # Also set a hard limit for ALL rules (rule names longer than 242 -+ # Also set a hard limit for ALL rules (rule names longer than 40 - # characters throw warnings). Check this separately from the above - # pattern to avoid vague error messages. -- if (length $name > 200) { -- $self->lint_warn("config: error: rule '$name' is way too long ". -+ if (length $name > 100) { -+ $self->lint_warn("config: error: rule '$name' is too long ". - "(recommended maximum length is 22 characters)\n", $name); - return; - } - - # Warn about, but use, long rule names during --lint - if ($conf->{lint_rules}) { -- if (length($name) > 50 && $name !~ /^__/ && $name !~ /^T_/) { -- $self->lint_warn("config: warning: rule name '$name' is over 50 chars ". -+ if (length($name) > 40 && $name !~ /^__/ && $name !~ /^T_/) { -+ $self->lint_warn("config: warning: rule name '$name' is over 40 chars ". 
- "(recommended maximum length is 22 characters)\n", $name); - } - } -@@ -1286,12 +1291,18 @@ sub add_regression_test { - sub is_meta_valid { - my ($self, $name, $rule) = @_; - -+ # $meta is a degenerate translation of the rule, replacing all variables (i.e. rule names) with 0. - my $meta = ''; - $rule = untaint_var($rule); # must be careful below -+ # Bug #7557 code injection -+ if ( $rule =~ /\S(::|->)\S/ ) { -+ warn("is_meta_valid: Bogus rule $name: $rule") ; -+ return 0; -+ } - - # Lex the rule into tokens using a rather simple RE method ... - my $lexer = ARITH_EXPRESSION_LEXER; -- my @tokens = ($rule =~ m/$lexer/g); -+ my @tokens = ($rule =~ m/$lexer/og); - if (length($name) == 1) { - for (@tokens) { - print "$name $_\n " or die "Error writing token: $!"; -@@ -1299,16 +1310,20 @@ sub is_meta_valid { - } - # Go through each token in the meta rule - foreach my $token (@tokens) { -- # Numbers can't be rule names -- if ($token !~ /^[A-Za-z_][A-Za-z0-9_]*\z/s) { -+ # If the token is a syntactically legal rule name, make it zero -+ if ($token =~ /^[_[:alpha:]]\w+\z/s) { -+ $meta .= "0 "; -+ } -+ # if it is a number or a string of 1 or 2 punctuation characters (i.e. operators) tack it onto the degenerate rule -+ elsif ( $token =~ /^(\d+|[[:punct:]]{1,2})\z/s ) { - $meta .= "$token "; - } -- # Zero will probably cause more errors -+ # WTF is it? Just warn, for now. Bug #7557 - else { -- $meta .= "0 "; -+ $self->lint_warn("config: Strange rule token: $token", $name); -+ $meta .= "$token "; - } - } -- - my $evalstr = 'my $x = ' . $meta . '; 1;'; - if (eval $evalstr) { - return 1; Index: patches/patch-lib_Mail_SpamAssassin_Conf_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Conf_pm diff -N patches/patch-lib_Mail_SpamAssassin_Conf_pm --- patches/patch-lib_Mail_SpamAssassin_Conf_pm 13 Mar 2018 07:51:59 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,43 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Conf_pm,v 1.1 2018/03/13 07:51:59 giovanni Exp $ - -Index: lib/Mail/SpamAssassin/Conf.pm ---- lib/Mail/SpamAssassin/Conf.pm.orig -+++ lib/Mail/SpamAssassin/Conf.pm -@@ -2836,8 +2836,8 @@ C<header SYMBOLIC_TEST_NAME header =~ /\S/> rule as de - =item header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments]) - - Define a header eval test. C<name_of_eval_method> is the name of --a method on the C<Mail::SpamAssassin::EvalTests> object. C<arguments> --are optional arguments to the function call. -+a method registered by a C<Mail::SpamAssassin::Plugin> object. -+C<arguments> are optional arguments to the function call. - - =item header SYMBOLIC_TEST_NAME eval:check_rbl('set', 'zone' [, 'sub-test']) - -@@ -2950,7 +2950,10 @@ name. - local ($1,$2); - if ($value =~ /^(\S+)\s+(?:rbl)?eval:(.*)$/) { - my ($rulename, $fn) = ($1, $2); -- -+ dbg("config: header eval rule name is $rulename function is $fn"); -+ if ($fn !~ /^\w+(\(.*\))?$/) { -+ return $INVALID_VALUE; -+ } - if ($fn =~ /^check_(?:rbl|dns)/) { - $self->{parser}->add_test ($rulename, $fn, $TYPE_RBL_EVALS); - } -@@ -3008,7 +3011,13 @@ Define a body eval test. See above. 
- my ($self, $key, $value, $line) = @_; - local ($1,$2); - if ($value =~ /^(\S+)\s+eval:(.*)$/) { -- $self->{parser}->add_test ($1, $2, $TYPE_BODY_EVALS); -+ my ($rulename, $fn) = ($1, $2); -+ dbg("config: body eval rule name is $rulename function is $fn"); -+ -+ if ($fn !~ /^\w+(\(.*\))?$/) { -+ return $INVALID_VALUE; -+ } -+ $self->{parser}->add_test ($rulename, $fn, $TYPE_BODY_EVALS); - } - else { - my @values = split(/\s+/, $value, 2); Index: patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm diff -N patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm --- patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm 4 Mar 2016 00:05:35 -0000 1.4 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,82 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_DnsResolver_pm,v 1.4 2016/03/04 00:05:35 sthen Exp $ ---- lib/Mail/SpamAssassin/DnsResolver.pm.orig Tue Apr 28 20:56:49 2015 -+++ lib/Mail/SpamAssassin/DnsResolver.pm Thu Mar 3 23:59:55 2016 -@@ -592,6 +592,9 @@ sub new_dns_packet { - }; - - if ($packet) { -+ # RD flag needs to be set explicitly since Net::DNS 1.01, Bug 7223 -+ $packet->header->rd(1); -+ - # my $udp_payload_size = $self->{res}->udppacketsize; - my $udp_payload_size = $self->{conf}->{dns_options}->{edns}; - if ($udp_payload_size && $udp_payload_size > 512) { -@@ -722,6 +725,37 @@ sub bgsend { - - ########################################################################### - -+=item $id = $res->bgread() -+ -+Similar to C<Net::DNS::Resolver::bgread>. Reads a DNS packet from -+a supplied socket, decodes it, and returns a Net::DNS::Packet object -+if successful. Dies on error. -+ -+=cut -+ -+sub bgread() { -+ my ($self) = @_; -+ my $sock = $self->{sock}; -+ my $packetsize = $self->{res}->udppacketsize; -+ $packetsize = 512 if $packetsize < 512; # just in case -+ my $data = ''; -+ my $peeraddr = $sock->recv($data, $packetsize+256); # with some size margin for troubleshooting -+ defined $peeraddr or die "bgread: recv() failed: $!"; -+ my $peerhost = $sock->peerhost; -+ $data ne '' or die "bgread: received empty packet from $peerhost"; -+ dbg("dns: bgread: received %d bytes from %s", length($data), $peerhost); -+ my($answerpkt, $decoded_length) = Net::DNS::Packet->new(\$data); -+ $answerpkt or die "bgread: decoding DNS packet failed: $@"; -+ $answerpkt->answerfrom($peerhost); -+ if ($decoded_length ne length($data)) { -+ warn sprintf("bgread: received a %d bytes packet from %s, decoded %d bytes\n", -+ length($data), $peerhost, $decoded_length); -+ } -+ return $answerpkt; -+} -+ -+########################################################################### -+ - =item $nfound = $res->poll_responses() - - See if there are any C<bgsend> reply packets ready, 
and return -@@ -769,13 +803,25 @@ sub poll_responses { - $timeout = 0; # next time around collect whatever is available, then exit - last if $nfound == 0; - -- my $packet = $self->{res}->bgread($self->{sock}); -+ my $packet; -+ eval { -+ $packet = $self->bgread(); -+ } or do { -+ undef $packet; -+ my $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat; -+ # resignal if alarm went off -+ die $eval_stat if $eval_stat =~ /__alarm__ignore__\(.*\)/s; -+ info("dns: bad dns reply: %s", $eval_stat); -+ }; - -+# Bug 7265, use our own bgread() -+# my $packet = $self->{res}->bgread($self->{sock}); -+ - if (!$packet) { -- my $dns_err = $self->{res}->errorstring; -- # resignal if alarm went off -- die "dns (3) $dns_err\n" if $dns_err =~ /__alarm__ignore__\(.*\)/s; -- info("dns: bad dns reply: $dns_err"); -+ # error already reported above -+# my $dns_err = $self->{res}->errorstring; -+# die "dns (3) $dns_err\n" if $dns_err =~ /__alarm__ignore__\(.*\)/s; -+# info("dns: bad dns reply: $dns_err"); - } else { - my $header = $packet->header; - if (!$header) { Index: patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm diff -N patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm --- patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm 4 Mar 2016 00:05:35 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,25 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm,v 1.1 2016/03/04 00:05:35 sthen Exp $ ---- lib/Mail/SpamAssassin/Message/Metadata/Received.pm.orig Tue Apr 28 20:56:48 2015 -+++ lib/Mail/SpamAssassin/Message/Metadata/Received.pm Thu Mar 3 23:59:55 2016 -@@ -434,7 +434,8 @@ sub parse_received_line { - $auth = 'Postfix'; - } - # Communigate Pro - Bug 6495 adds HTTP as possible transmission method -- elsif (/CommuniGate Pro (HTTP|SMTP)/ && / \(account /) { -+ # Bug 7277: XIMSS used by Pronto and other custom apps, IMAP supports XMIT extension -+ elsif (/CommuniGate Pro (HTTP|SMTP|XIMSS|IMAP)/ && / \(account /) { - $auth = 'Communigate'; - } - # Microsoft Exchange (complete with syntax error) -@@ -714,6 +715,11 @@ sub parse_received_line { - # Received: from sc8-sf-sshgate.sourceforge.net (HELO sc8-sf-netmisc.sourceforge.net) (66.35.250.220) by la.mx.develooper.com (qpsmtpd/0.27-dev) with ESMTP; Fri, 02 Jan 2004 14:44:41 -0800 - # Received: from mx10.topofferz.net (HELO ) (69.6.60.10) by blazing.arsecandle.org with SMTP; 3 Mar 2004 20:34:38 -0000 - if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \((${IP_ADDRESS})\) by (\S+) \(qpsmtpd\/\S+\) with (?:ESMTP|SMTP)/) { -+ $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough; -+ } -+ -+ # Received: from mail-backend.DDDD.com (LHLO mail-backend.DDDD.com) (10.2.2.20) by mail-backend.DDDD.com with LMTP; Thu, 18 Jun 2015 16:50:56 -0700 (PDT) -+ if (/^(\S+) \(LHLO (\S*)\) \((${IP_ADDRESS})\) by (\S+) with LMTP/) { - $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough; - } - Index: patches/patch-lib_Mail_SpamAssassin_Message_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Message_pm diff -N patches/patch-lib_Mail_SpamAssassin_Message_pm --- patches/patch-lib_Mail_SpamAssassin_Message_pm 31 Oct 2017 07:41:51 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,27 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Message_pm,v 1.2 2017/10/31 07:41:51 giovanni Exp $ - -# bug 7447: Delete parse_queue in Message::finish() to prevent memory leak. - -Index: lib/Mail/SpamAssassin/Message.pm ---- lib/Mail/SpamAssassin/Message.pm.orig -+++ lib/Mail/SpamAssassin/Message.pm -@@ -628,6 +628,9 @@ sub finish { - delete $self->{'line_ending'}; - delete $self->{'missing_head_body_separator'}; - -+ # Remove the queue variable, in case the body has not been parsed -+ delete $self->{'parse_queue'}; -+ - my @toclean = ( $self ); - - # Go ahead and clean up all of the Message::Node parts -@@ -1045,6 +1048,9 @@ sub _parse_normal { - } - elsif ($ct[3]) { - $msg->{'name'} = $ct[3]; -+ } -+ if ($msg->{'name'}) { -+ $msg->{'name'} = Encode::decode("MIME-Header", $msg->{'name'}); - } - - $msg->{'boundary'} = $boundary; Index: patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm --- patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm 4 Mar 2016 00:05:35 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,87 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm,v 1.1 2016/03/04 00:05:35 sthen Exp $ ---- lib/Mail/SpamAssassin/Plugin/DKIM.pm.orig Tue Apr 28 20:56:47 2015 -+++ lib/Mail/SpamAssassin/Plugin/DKIM.pm Thu Mar 3 23:59:55 2016 -@@ -178,14 +178,19 @@ sub set_config { - - Works similarly to whitelist_from, except that in addition to matching - an author address (From) to the pattern in the first parameter, the message --must also carry a Domain Keys Identified Mail (DKIM) signature made by a --signing domain (SDID, i.e. the d= tag) that is acceptable to us. -+must also carry a valid Domain Keys Identified Mail (DKIM) signature made by -+a signing domain (SDID, i.e. the d= tag) that is acceptable to us. - - Only one whitelist entry is allowed per line, as in C<whitelist_from_rcvd>. - Multiple C<whitelist_from_dkim> lines are allowed. File-glob style characters - are allowed for the From address (the first parameter), just like with --C<whitelist_from_rcvd>. The second parameter does not accept wildcards. -+C<whitelist_from_rcvd>. - -+The second parameter (the signing-domain) does not accept full file-glob style -+wildcards, although a simple '*.' (or just a '.') prefix to a domain name -+is recognized and implies any subdomain of the specified domain (but not -+the domain itself). 
-+ - If no signing-domain parameter is specified, the only acceptable signature - will be an Author Domain Signature (sometimes called first-party signature) - which is a signature where the signing domain (SDID) of a signature matches -@@ -205,7 +210,8 @@ Examples of whitelisting based on third-party signatur - whitelist_from_dkim j...@example.net example.org - whitelist_from_dkim r...@info.example.net example.net - whitelist_from_dkim *@info.example.net example.net -- whitelist_from_dkim *@* remailer.example.com -+ whitelist_from_dkim *@* mail7.remailer.example.com -+ whitelist_from_dkim *@* *.remailer.example.com - - =item def_whitelist_from_dkim aut...@example.com [signing-domain] - -@@ -376,7 +382,8 @@ some valid signature on a message has no reputational - associated with a particular domain), regardless of its key size - anyone can - prepend its own signature on a copy of some third party mail and re-send it, - which makes it no more trustworthy than without such signature. This is also --a reason for a rule DKIM_VALID to have a near-zero score. -+a reason for a rule DKIM_VALID to have a near-zero score, i.e. a rule hit -+is only informational. - - =cut - -@@ -786,7 +793,8 @@ sub _check_dkim_signature { - # Only do so if EDNS0 provides a reasonably-sized UDP payload size, - # as our interface does not provide a DNS fallback to TCP, unlike - # the Net::DNS::Resolver::send which does provide it. -- my $res = $self->{main}->{resolver}->get_resolver; -+ my $res = $self->{main}->{resolver}; -+ dbg("dkim: providing our own resolver: %s", ref $res); - Mail::DKIM::DNS::resolver($res); - } - } -@@ -892,13 +900,13 @@ sub _check_dkim_signature { - } - } - if (would_log("dbg","dkim")) { -- dbg("dkim: %s %s, i=%s, d=%s, s=%s, a=%s, c=%s, %s, %s", -+ dbg("dkim: %s %s, i=%s, d=%s, s=%s, a=%s, c=%s, %s, %s, %s", - $info, - $signature->isa('Mail::DKIM::DkSignature') ? 'DK' : 'DKIM', - map(!defined $_ ? 
'(undef)' : $_, - $signature->identity, $d, $signature->selector, - $signature->algorithm, scalar($signature->canonicalization), -- $key_size ? "key_bits=$key_size" : (), -+ $key_size ? "key_bits=$key_size" : "unknown key size", - ($sig_result_supported ? $signature : $verifier)->result ), - defined $d && $pms->{dkim_author_domains}->{$d} - ? 'matches author domain' -@@ -1257,8 +1265,12 @@ sub _wlcheck_list { - # identity (AUID). Nevertheless, be prepared to accept the full e-mail - # address there for compatibility, and just ignore its local-part. - -- $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/; -- $matches = 1 if $sdid eq lc $acceptable_sdid; -+ $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/s; -+ if ($acceptable_sdid =~ s/^\*?\.//s) { -+ $matches = 1 if $sdid =~ /\.\Q$acceptable_sdid\E\z/si; -+ } else { -+ $matches = 1 if $sdid eq lc $acceptable_sdid; -+ } - } - if ($matches) { - if (would_log("dbg","dkim")) { Index: patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm --- patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm 8 Mar 2018 07:30:00 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,99 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm,v 1.1 2018/03/08 07:30:00 giovanni Exp $ - -Index: lib/Mail/SpamAssassin/Plugin/PDFInfo.pm ---- lib/Mail/SpamAssassin/Plugin/PDFInfo.pm.orig -+++ lib/Mail/SpamAssassin/Plugin/PDFInfo.pm -@@ -31,7 +31,7 @@ This plugin helps detected spam using attached PDF fil - - =item See "Usage:" below - more documentation see 20_pdfinfo.cf - -- Original info kept for history. -+ Original info kept for history. For later changes see SVN repo - ------------------------------------------------------- - PDFInfo Plugin for SpamAssassin - Version: 0.8 -@@ -40,7 +40,6 @@ This plugin helps detected spam using attached PDF fil - Modified: 2007-08-10 - By: Dallas Engelken - -- - Changes: - 0.8 - added .fdf detection (thanks John Lundin) [axb] - 0.7 - fixed empty body/pdf count buglet(thanks Jeremy) [axb] -@@ -76,7 +75,6 @@ This plugin helps detected spam using attached PDF fil - - removed all support for png, gif, and jpg from the code. - - prepended pdf_ to all function names to avoid conflicts with ImageInfo in SA 3.2. - -- - Usage: - - pdf_count() -@@ -144,14 +142,14 @@ package Mail::SpamAssassin::Plugin::PDFInfo; - - use Mail::SpamAssassin::Plugin; - use Mail::SpamAssassin::Logger; -+use Mail::SpamAssassin::Util; - use strict; - use warnings; --use bytes; -+# use bytes; - use Digest::MD5 qw(md5_hex); - use MIME::QuotedPrint; - --use vars qw(@ISA); --@ISA = qw(Mail::SpamAssassin::Plugin); -+our @ISA = qw(Mail::SpamAssassin::Plugin); - - # constructor: register the eval rule - sub new { -@@ -413,9 +411,9 @@ sub _find_pdf_mime_parts { - - foreach my $p (@parts) { - my $type = $p->{'type'} =~ m@/([\w\-]+)$@; -- my $name = $p->{'name'}; -+ my $name = $p->{'name'} || ''; - -- my $cte = lc $p->get_header('content-transfer-encoding') || ''; -+ my $cte = lc( $p->get_header('content-transfer-encoding') || '' ); - - dbg("pdfinfo: found part, type=".($type ? $type : '')." file=".($name ? $name : '')." cte=".($cte ? 
$cte : '').""); - -@@ -441,7 +439,6 @@ sub _find_pdf_mime_parts { - - } - -- - # ---------------------------------------- - - sub pdf_named { -@@ -476,8 +473,12 @@ sub pdf_name_regex { - - my $hit = 0; - foreach my $name (keys %{$pms->{'pdfinfo'}->{"names_pdf"}}) { -- my $eval = 'if (q{'.$name.'} =~ '.$re.') { $hit = 1; } '; -- eval $eval; -+ eval { -+ my $regex = Mail::SpamAssassin::Util::make_qr($re); -+ if ( $name =~ m/$regex/ ) { -+ $hit = 1; -+ } -+ }; - dbg("pdfinfo: error in regex $re - $@") if $@; - if ($hit) { - dbg("pdfinfo: pdf_name_regex hit on $name"); -@@ -722,9 +723,12 @@ sub pdf_match_details { - return unless $check_value; - - my $hit = 0; -- $check_value =~ s/[\{\}\\]//g; -- my $eval = 'if (q{'.$check_value.'} =~ '.$regex.') { $hit = 1; }'; -- eval $eval; -+ eval { -+ my $re = Mail::SpamAssassin::Util::make_qr($regex); -+ if ( $check_value =~ m/$re/ ) { -+ $hit = 1; -+ } -+ }; - dbg("pdfinfo: error in regex $regex - $@") if $@; - if ($hit) { - dbg("pdfinfo: pdf_match_details $detail $regex matches $check_value"); Index: patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm --- patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm 4 Mar 2016 00:05:35 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,24 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_SPF_pm,v 1.1 2016/03/04 00:05:35 sthen Exp $ ---- lib/Mail/SpamAssassin/Plugin/SPF.pm.orig Tue Apr 28 20:56:47 2015 -+++ lib/Mail/SpamAssassin/Plugin/SPF.pm Thu Mar 3 23:59:55 2016 -@@ -232,7 +232,7 @@ working downwards until results are successfully parse - =item has_check_for_spf_errors - - Adds capability check for "if can()" for check_for_spf_permerror, check_for_spf_temperror, check_for_spf_helo_permerror and check_for_spf_helo_permerror -- -+ - =cut - - sub has_check_for_spf_errors { 1 } -@@ -506,9 +506,9 @@ sub _check_spf { - $self->{spf_server} = Mail::SPF::Server->new( - hostname => $scanner->get_tag('HOSTNAME'), - dns_resolver => $self->{main}->{resolver}, -- max_dns_interactive_terms => 15); -+ max_dns_interactive_terms => 20); - # Bug 7112: max_dns_interactive_terms defaults to 10, but even 14 is -- # not enough for ebay.com, setting it to 15 -+ # not enough for ebay.com, setting it to 15 NOTE: raising to 20 per bug 7182 - 1; - } or do { - $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat; Index: patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm --- patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm 4 Mar 2016 00:05:35 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,28 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm,v 1.1 2016/03/04 00:05:35 sthen Exp $ ---- lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm.orig Tue Apr 28 20:56:47 2015 -+++ lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm Thu Mar 3 23:59:55 2016 -@@ -942,9 +942,8 @@ sub complete_ns_lookup { - next unless (defined($str) && defined($dom)); - dbg("uridnsbl: got($j) NS for $dom: $str"); - -- if ($str =~ /IN\s+NS\s+(\S+)/) { -- my $nsmatch = lc $1; -- $nsmatch =~ s/\.$//; -+ if ($rr->type eq 'NS') { -+ my $nsmatch = lc $rr->nsdname; # available since at least Net::DNS 0.14 - my $nsrhblstr = $nsmatch; - my $fullnsrhblstr = $nsmatch; - -@@ -1025,9 +1024,9 @@ sub complete_a_lookup { - } - dbg("uridnsbl: complete_a_lookup got(%d) A for %s: %s", $j,$hname,$str); - -- local $1; -- if ($str =~ /IN\s+A\s+(\S+)/) { -- $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $1); -+ if ($rr->type eq 'A') { -+ my $ip_address = $rr->rdatastr; -+ $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $ip_address); - } - } - } Index: patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm --- patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm 6 Feb 2018 07:58:03 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,34 +0,0 @@ -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm,v 1.1 2018/02/06 07:58:03 giovanni Exp $ - -Compatibility patches for perl 5.23+ - -Index: lib/Mail/SpamAssassin/Plugin/URILocalBL.pm ---- lib/Mail/SpamAssassin/Plugin/URILocalBL.pm.orig -+++ lib/Mail/SpamAssassin/Plugin/URILocalBL.pm -@@ -350,7 +350,7 @@ sub check_uri_local_bl { - # look for W3 links only - next unless (defined $info->{types}->{a}); - -- while (my($host, $domain) = each $info->{hosts}) { -+ while (my($host, $domain) = each %{$info->{hosts}}) { - - # skip if the domain name was matched - if (exists $rule->{exclusions} && exists $rule->{exclusions}->{$domain}) { -@@ -374,7 +374,7 @@ sub check_uri_local_bl { - } - - if (exists $rule->{countries}) { -- dbg("check: uri_local_bl countries %s\n", join(' ', sort keys $rule->{countries})); -+ dbg("check: uri_local_bl countries %s\n", join(' ', sort keys %{$rule->{countries}})); - - my $cc = $self->{geoip}->country_code_by_addr($ip); - -@@ -403,7 +403,7 @@ sub check_uri_local_bl { - } - - if (exists $rule->{isps}) { -- dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ . '"'; } sort keys $rule->{isps})); -+ dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ . '"'; } sort keys %{$rule->{isps}})); - - my $isp = $self->{geoisp}->isp_by_name($ip); - Index: patches/patch-lib_Mail_SpamAssassin_Util_pm =================================================================== RCS file: patches/patch-lib_Mail_SpamAssassin_Util_pm diff -N patches/patch-lib_Mail_SpamAssassin_Util_pm --- patches/patch-lib_Mail_SpamAssassin_Util_pm 23 Feb 2018 17:07:35 -0000 1.4 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,96 +0,0 @@
-$OpenBSD: patch-lib_Mail_SpamAssassin_Util_pm,v 1.4 2018/02/23 17:07:35 giovanni Exp $
-Index: lib/Mail/SpamAssassin/Util.pm
---- lib/Mail/SpamAssassin/Util.pm.orig
-+++ lib/Mail/SpamAssassin/Util.pm
-@@ -62,7 +62,8 @@ BEGIN {
- @EXPORT_OK = qw(&local_tz &base64_decode &untaint_var &untaint_file_path
- &exit_status_str &proc_status_ok &am_running_on_windows
- &reverse_ip_address &decode_dns_question_entry
-- &secure_tmpfile &secure_tmpdir &uri_list_canonicalize);
-+ &secure_tmpfile &secure_tmpdir &uri_list_canonicalize
-+ &get_user_groups);
- }
-
- use Mail::SpamAssassin;
-@@ -108,7 +109,7 @@ BEGIN {
- if ( !$displayed_path++ ) {
- dbg("util: current PATH is: ".join($Config{'path_sep'},File::Spec->path()));
- }
-- foreach my $path (File::Spec->path()) {
-+ foreach my $path (File::Spec->path(), qw(${LOCALBASE}/bin ${LOCALBASE}/sbin)) {
- my $fname = File::Spec->catfile ($path, $filename);
- if ( -f $fname ) {
- if (-x $fname) {
-@@ -988,6 +989,18 @@ sub parse_content_type {
- my($charset) = $ct =~ /\bcharset\s*=\s*["']?(.*?)["']?(?:;|$)/i;
- my($name) = $ct =~ /\b(?:file)?name\s*=\s*["']?(.*?)["']?(?:;|$)/i;
-
-+ # RFC 2231 section 3: Parameter Value Continuations
-+ # support continuations for name values
-+ #
-+ if (!$name && $ct =~ /\b(?:file)?name\*0\s*=/i) {
-+
-+ my @name;
-+ $name[$1] = $2
-+ while ($ct =~ /\b(?:file)?name\*(\d+)\s*=\s*["']?(.*?)["']?(?:;|$)/ig);
-+
-+ $name = join "", grep defined, @name;
-+ }
-+
- # Get the actual MIME type out ...
- # Note: the header content may not be whitespace unfolded, so make sure the
- # REs do /s when appropriate.
-@@ -1493,13 +1506,43 @@ sub receive_date { - } - - ########################################################################### -+sub get_user_groups { -+ my $suid = shift; -+ dbg("get_user_groups: uid is $suid\n"); -+ my ( $user, $passwd, $uid, $gid, $quota, $comment, $gcos, $dir, $shell, $expire ) = getpwuid($suid); -+ my $rgids="$gid "; -+ while ( my($name,$pw,$gid,$members) = getgrent() ) { -+ if ( $members =~ m/\b$user\b/ ) { -+ $rgids .= "$gid "; -+ dbg("get_user_groups: added $gid ($name) to group list which is now: $rgids\n"); -+ } -+ } -+ endgrent; -+ chop $rgids; -+ return ($rgids); -+} - -+ -+ - sub setuid_to_euid { - return if (RUNNING_ON_WINDOWS); - - # remember the target uid, the first number is the important one - my $touid = $>; -- -+ my $gids = get_user_groups($touid); -+ my ( $pgid, $supgs ) = split (' ',$gids,2); -+ defined $supgs or $supgs=$pgid; -+ if ($( != $pgid) { -+ # Gotta be root for any of this to work -+ $> = 0 ; -+ dbg("util: changing real primary gid from $( to $pgid and supplemental groups to $supgs to match effective uid $touid"); -+ POSIX::setgid($pgid); -+ dbg("util: POSIX::setgid($pgid) set errno to $!"); -+ $! = 0; -+ $( = $pgid; -+ $) = "$pgid $supgs"; -+ dbg("util: assignment \$) = $pgid $supgs set errno to $!"); -+ } - if ($< != $touid) { - dbg("util: changing real uid from $< to match effective uid $touid"); - # bug 3586: kludges needed to work around platform dependent behavior assigning to $< -@@ -1574,7 +1617,7 @@ sub helper_app_pipe_open_unix { - eval { - # go setuid... - setuid_to_euid(); -- dbg("util: setuid: ruid=$< euid=$>"); -+ info("util: setuid: ruid=$< euid=$> rgid=$( egid=$) "); - - # now set up the fds. 
due to some wierdness, we may have to ensure that - # we *really* close the correct fd number, since some other code may have Index: patches/patch-spamc_libspamc_c =================================================================== RCS file: patches/patch-spamc_libspamc_c diff -N patches/patch-spamc_libspamc_c --- patches/patch-spamc_libspamc_c 23 May 2015 14:18:55 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,21 +0,0 @@ -$OpenBSD: patch-spamc_libspamc_c,v 1.3 2015/05/23 14:18:55 bluhm Exp $ ---- spamc/libspamc.c.orig Tue Apr 28 21:56:59 2015 -+++ spamc/libspamc.c Wed May 20 19:53:07 2015 -@@ -1216,7 +1216,7 @@ int message_filter(struct transport *tp, const char *u - if (flags & SPAMC_TLSV1) { - meth = TLSv1_client_method(); - } else { -- meth = SSLv3_client_method(); /* default */ -+ meth = SSLv23_client_method(); /* default */ - } - SSL_load_error_strings(); - ctx = SSL_CTX_new(meth); -@@ -1604,7 +1604,7 @@ int message_tell(struct transport *tp, const char *use - if (flags & SPAMC_USE_SSL) { - #ifdef SPAMC_SSL - SSLeay_add_ssl_algorithms(); -- meth = SSLv3_client_method(); -+ meth = SSLv23_client_method(); - SSL_load_error_strings(); - ctx = SSL_CTX_new(meth); - #else Index: patches/patch-spamd_spamd_raw =================================================================== RCS file: patches/patch-spamd_spamd_raw diff -N patches/patch-spamd_spamd_raw --- patches/patch-spamd_spamd_raw 23 Feb 2018 17:07:35 -0000 1.9 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,98 +0,0 @@ -$OpenBSD: patch-spamd_spamd_raw,v 1.9 2018/02/23 17:07:35 giovanni Exp $ -Index: spamd/spamd.raw ---- spamd/spamd.raw.orig -+++ spamd/spamd.raw -@@ -246,7 +246,8 @@ use Mail::SpamAssassin::SubProcBackChannel; - use Mail::SpamAssassin::SpamdForkScaling qw(:pfstates); - use Mail::SpamAssassin::Logger qw(:DEFAULT log_message); - use Mail::SpamAssassin::Util qw(untaint_var untaint_file_path -- exit_status_str am_running_on_windows); -+ exit_status_str am_running_on_windows -+ get_user_groups); - use Mail::SpamAssassin::Timeout; - - use Getopt::Long; -@@ -1071,7 +1072,6 @@ sub server_sock_setup_inet { - $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP' - && IO::Socket::IP->VERSION >= 0.09; - %sockopt = (%sockopt, ( -- SSL_version => $sslversion, - SSL_verify_mode => 0x00, - SSL_key_file => $opt{'server-key'}, - SSL_cert_file => $opt{'server-cert'}, -@@ -1092,7 +1092,8 @@ sub server_sock_setup_inet { - if (!$server_inet) { - $diag = sprintf("could not create %s socket on [%s]:%s: %s", - $ssl ? 'IO::Socket::SSL' : $io_socket_module_name, -- $adr, $port, $!); -+ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ? -+ "$!,$IO::Socket::SSL::SSL_ERROR" : $!); - push(@diag_fail, $diag); - } else { - $diag = sprintf("created %s socket on [%s]:%s", -@@ -1369,10 +1370,20 @@ sub spawn { - # bug 5518: assignments to $) and $( don't always work on all platforms - # bug 3900: assignments to $> and $< problems with BSD perl bug - # use the POSIX functions to hide the platform specific workarounds -+ dbg("spamd: Privilege de-escalation from user $< and groups $(\n"); -+ $! 
= 0; - POSIX::setgid($ugid); # set effective and real gid -+ dbg("spamd: setgid ERRNO is $!\n"); -+ $( = $ugid; -+ $) = "$ugid ".(get_user_groups($uuid)); # set effective and real gid/grouplist another way because we lack initgroups in Perl -+ dbg("spamd: group assignment ERRNO is $!\n"); - POSIX::setuid($uuid); # set effective and real UID -+ dbg("spamd: setuid ERRNO is $!\n"); - $< = $uuid; $> = $uuid; # bug 5574 -+ dbg("spamd: uid assignment ERRNO is $!\n"); -+ dbg("spamd: real user is $< \neff user is $> \nreal groups are $( \neff groups are $) \n"); - -+ - # keep the sanity check to catch problems like bug 3900 just in case - if ( $> != $uuid and $> != ( $uuid - 2**32 ) ) { - die "spamd: setuid to uid $uuid failed (> = $>, < = $<)\n"; -@@ -1521,7 +1532,7 @@ sub accept_from_any_server_socket { - } # end multiple sockets case - - if ($selected_socket_info) { -- my $socket = $selected_socket_info->{socket}; -+ $socket = $selected_socket_info->{socket}; - $socket or die "no socket???, impossible"; - dbg("spamd: accept() on fd %d", $selected_socket_info->{fd}); - $client = $socket->accept; -@@ -1726,7 +1737,7 @@ sub handle_setuid_to_user { - my ($name, $pwd, $uid, $gid, $quota, $comment, $gcos, $dir, $etc) = - getpwnam('nobody'); - -- $) = "$gid $gid"; # eGID -+ $) = (get_user_groups($uid)); # eGID - $> = $uid; # eUID - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) { - die("spamd: setuid to nobody failed"); -@@ -2488,7 +2499,7 @@ sub handle_user_setuid_basic { - } - - if ($setuid_to_user) { -- $) = "$gid $gid"; # change eGID -+ $) = (get_user_groups($uid)); # change eGID - $> = $uid; # change eUID - if ( !defined($uid) || ( $> != $uid and $> != ( $uid - 2**32 ) ) ) { - # make it fatal to avoid security breaches -@@ -2710,7 +2721,7 @@ sub handle_user_setuid_with_sql { - } - - if ($setuid_to_user) { -- $) = "$gid $gid"; # change eGID -+ $) = (get_user_groups($uid)); # change eGID - $> = $uid; # change eUID - if (!defined($uid) || ($> != $uid and $> != 
($uid - 2**32))) { - # make it fatal to avoid security breaches -@@ -2755,7 +2766,7 @@ sub handle_user_setuid_with_ldap { - } - - if ($setuid_to_user) { -- $) = "$gid $gid"; # change eGID -+ $) = (get_user_groups($uid)); # change eGID - $> = $uid; # change eUID - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) { - # make it fatal to avoid security breaches Index: patches/patch-t_SATest_pm =================================================================== RCS file: patches/patch-t_SATest_pm diff -N patches/patch-t_SATest_pm --- patches/patch-t_SATest_pm 7 Nov 2017 07:39:07 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,14 +0,0 @@ -$OpenBSD: patch-t_SATest_pm,v 1.1 2017/11/07 07:39:07 giovanni Exp $ - -Index: t/SATest.pm ---- t/SATest.pm.orig -+++ t/SATest.pm -@@ -1027,7 +1027,7 @@ sub can_use_net_dns_safely { - # (which is used by Net::DNS) - - return 1 if ($< != 0); -- return 1 if ($^O =~ /^(linux|mswin|dos|os2)/oi); -+ return 1 if ($^O =~ /^(linux|mswin|dos|os2|openbsd)/oi); - - my $has_unsafe_hostname = - eval { require Sys::Hostname::Long && Sys::Hostname::Long->VERSION < 1.4 }; Index: patches/patch-t_sa_compile_t =================================================================== RCS file: /cvs/ports/mail/p5-Mail-SpamAssassin/patches/patch-t_sa_compile_t,v retrieving revision 1.3 diff -u -p -r1.3 patch-t_sa_compile_t --- patches/patch-t_sa_compile_t 23 May 2015 14:18:55 -0000 1.3 +++ patches/patch-t_sa_compile_t 18 Sep 2018 07:08:03 -0000 
@@ -1,21 +1,14 @@ $OpenBSD: patch-t_sa_compile_t,v 1.3 2015/05/23 14:18:55 bluhm Exp $ ---- t/sa_compile.t.orig Tue Apr 28 21:56:58 2015 -+++ t/sa_compile.t Tue May 12 22:36:36 2015 -@@ -8,8 +8,7 @@ use Config; +Index: t/sa_compile.t +--- t/sa_compile.t.orig ++++ t/sa_compile.t +@@ -12,8 +12,7 @@ use Config; use File::Basename; use File::Path qw/mkpath/; -my $temp_binpath = $Config{sitebinexp}; --$temp_binpath =~ s/^\Q$Config{prefix}\E//; +-$temp_binpath =~ s|^\Q$Config{siteprefixexp}\E/||; +my $temp_binpath = "bin"; - # called from BEGIN - sub re2c_version_new_enough { -@@ -65,6 +64,7 @@ sub new_instdir { - $instdir = $instbase.".".(shift); - print "\nsetting new instdir: $instdir\n"; - $INST_FROM_SCRATCH and system("rm -rf $instdir; mkdir $instdir"); -+ system("mkdir -p $instdir/foo/etc/mail/spamassassin"); - } - - sub run_makefile_pl { + use Test::More; + plan skip_all => "Long running tests disabled" unless conf_bool('run_long_tests'); Index: patches/patch-t_spf_t =================================================================== RCS file: patches/patch-t_spf_t diff -N patches/patch-t_spf_t --- patches/patch-t_spf_t 7 Nov 2017 07:39:07 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
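Review bot: The regenerated patches/patch-t_sa_compile_t still replaces the computed `$temp_binpath` with the literal `"bin"`, but nothing under its `$OpenBSD` tag line says why, whereas the removed URILocalBL patch carried a one-line rationale. A short comment line there, something like `Use a fixed relative bin dir for the test install tree` (wording for the maintainer to confirm), would tell whoever next updates the port whether the hunk can be dropped. The old patch's second hunk, which created `$instdir/foo/etc/mail/spamassassin` in `new_instdir`, is gone as well; presumably the 3.4.2 test no longer needs it, which is worth confirming with `run_long_tests` enabled since the test is skipped otherwise.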
@@ -1,22 +0,0 @@ -$OpenBSD: patch-t_spf_t,v 1.1 2017/11/07 07:39:07 giovanni Exp $ - -Index: t/spf.t ---- t/spf.t.orig -+++ t/spf.t -@@ -12,6 +12,7 @@ use constant HAS_MAILSPF => eval { require Mail::SPF; - # on non-Linux unices as root, due to a bug in Sys::Hostname::Long - # (it is used by Mail::SPF::Query, which is now obsoleted by Mail::SPF) - use constant IS_LINUX => $^O eq 'linux'; -+use constant IS_OPENBSD => $^O eq 'openbsd'; - use constant IS_WINDOWS => ($^O =~ /^(mswin|dos|os2)/oi); - use constant AM_ROOT => $< == 0; - -@@ -20,7 +21,7 @@ use constant HAS_UNSAFE_HOSTNAME => # Bug 3806 - modu - - use constant DO_RUN => - TEST_ENABLED && (HAS_SPFQUERY || HAS_MAILSPF) && -- (!HAS_UNSAFE_HOSTNAME || !AM_ROOT || IS_LINUX || IS_WINDOWS); -+ (!HAS_UNSAFE_HOSTNAME || !AM_ROOT || IS_LINUX || IS_WINDOWS || IS_OPENBSD); - - BEGIN { - Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/mail/p5-Mail-SpamAssassin/pkg/PLIST,v retrieving revision 1.35 diff -u -p -r1.35 PLIST --- pkg/PLIST 6 May 2017 14:56:08 -0000 1.35 +++ pkg/PLIST 18 Sep 2018 07:08:03 -0000 @@ -79,8 +79,10 @@ ${P5SITE}/Mail/SpamAssassin/Plugin/DCC.p ${P5SITE}/Mail/SpamAssassin/Plugin/DKIM.pm ${P5SITE}/Mail/SpamAssassin/Plugin/DNSEval.pm ${P5SITE}/Mail/SpamAssassin/Plugin/FreeMail.pm +${P5SITE}/Mail/SpamAssassin/Plugin/FromNameSpoof.pm ${P5SITE}/Mail/SpamAssassin/Plugin/HTMLEval.pm ${P5SITE}/Mail/SpamAssassin/Plugin/HTTPSMismatch.pm +${P5SITE}/Mail/SpamAssassin/Plugin/HashBL.pm ${P5SITE}/Mail/SpamAssassin/Plugin/Hashcash.pm ${P5SITE}/Mail/SpamAssassin/Plugin/HeaderEval.pm ${P5SITE}/Mail/SpamAssassin/Plugin/ImageInfo.pm 
@@ -89,11 +91,13 @@ ${P5SITE}/Mail/SpamAssassin/Plugin/MIMEH ${P5SITE}/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm ${P5SITE}/Mail/SpamAssassin/Plugin/PDFInfo.pm ${P5SITE}/Mail/SpamAssassin/Plugin/PhishTag.pm +${P5SITE}/Mail/SpamAssassin/Plugin/Phishing.pm ${P5SITE}/Mail/SpamAssassin/Plugin/Pyzor.pm ${P5SITE}/Mail/SpamAssassin/Plugin/Razor2.pm ${P5SITE}/Mail/SpamAssassin/Plugin/RelayCountry.pm ${P5SITE}/Mail/SpamAssassin/Plugin/RelayEval.pm ${P5SITE}/Mail/SpamAssassin/Plugin/ReplaceTags.pm +${P5SITE}/Mail/SpamAssassin/Plugin/ResourceLimits.pm ${P5SITE}/Mail/SpamAssassin/Plugin/Reuse.pm ${P5SITE}/Mail/SpamAssassin/Plugin/Rule2XSBody.pm ${P5SITE}/Mail/SpamAssassin/Plugin/SPF.pm @@ -118,9 +122,9 @@ ${P5SITE}/Mail/SpamAssassin/SubProcBackC ${P5SITE}/Mail/SpamAssassin/Timeout.pm ${P5SITE}/Mail/SpamAssassin/Util/ ${P5SITE}/Mail/SpamAssassin/Util.pm +@comment ${P5SITE}/Mail/SpamAssassin/Util.pm.beforesubst ${P5SITE}/Mail/SpamAssassin/Util/DependencyInfo.pm ${P5SITE}/Mail/SpamAssassin/Util/Progress.pm -${P5SITE}/Mail/SpamAssassin/Util/RegistrarBoundaries.pm ${P5SITE}/Mail/SpamAssassin/Util/ScopedTimer.pm ${P5SITE}/Mail/SpamAssassin/Util/TieOneStringHash.pm ${P5SITE}/Mail/SpamAssassin/Util/TinyRedis.pm 
@@ -174,16 +178,20 @@ ${P5SITE}/spamassassin-run.pod @man man/man3p/Mail::SpamAssassin::Plugin::DCC.3p @man man/man3p/Mail::SpamAssassin::Plugin::DKIM.3p @man man/man3p/Mail::SpamAssassin::Plugin::DNSEval.3p +@man man/man3p/Mail::SpamAssassin::Plugin::FromNameSpoof.3p +@man man/man3p/Mail::SpamAssassin::Plugin::HashBL.3p @man man/man3p/Mail::SpamAssassin::Plugin::Hashcash.3p @man man/man3p/Mail::SpamAssassin::Plugin::MIMEEval.3p @man man/man3p/Mail::SpamAssassin::Plugin::MIMEHeader.3p @man man/man3p/Mail::SpamAssassin::Plugin::OneLineBodyRuleType.3p @man man/man3p/Mail::SpamAssassin::Plugin::PDFInfo.3p @man man/man3p/Mail::SpamAssassin::Plugin::PhishTag.3p +@man man/man3p/Mail::SpamAssassin::Plugin::Phishing.3p @man man/man3p/Mail::SpamAssassin::Plugin::Pyzor.3p @man man/man3p/Mail::SpamAssassin::Plugin::Razor2.3p @man man/man3p/Mail::SpamAssassin::Plugin::RelayCountry.3p @man man/man3p/Mail::SpamAssassin::Plugin::ReplaceTags.3p +@man man/man3p/Mail::SpamAssassin::Plugin::ResourceLimits.3p @man man/man3p/Mail::SpamAssassin::Plugin::Reuse.3p @man man/man3p/Mail::SpamAssassin::Plugin::Rule2XSBody.3p @man man/man3p/Mail::SpamAssassin::Plugin::SPF.3p @@ -205,7 +213,6 @@ ${P5SITE}/spamassassin-run.pod @man man/man3p/Mail::SpamAssassin::Util.3p @man man/man3p/Mail::SpamAssassin::Util::DependencyInfo.3p @man man/man3p/Mail::SpamAssassin::Util::Progress.3p -@man man/man3p/Mail::SpamAssassin::Util::RegistrarBoundaries.3p @man man/man3p/spamassassin-run.3p share/doc/SpamAssassin/ share/doc/SpamAssassin/CREDITS @@ -242,6 +249,7 @@ share/examples/SpamAssassin/init.pre @sample ${CONFDIR}/init.pre share/examples/SpamAssassin/local.cf @sample ${CONFDIR}/local.cf +@comment share/examples/SpamAssassin/svn_only.pre share/examples/SpamAssassin/v310.pre @sample ${CONFDIR}/v310.pre share/examples/SpamAssassin/v312.pre 
@@ -254,6 +262,8 @@ share/examples/SpamAssassin/v340.pre @sample ${CONFDIR}/v340.pre share/examples/SpamAssassin/v341.pre @sample ${CONFDIR}/v341.pre +share/examples/SpamAssassin/v342.pre +@sample ${CONFDIR}/v342.pre share/spamassassin/ share/spamassassin/10_default_prefs.cf share/spamassassin/10_hasbase.cf @@ -303,7 +313,9 @@ share/spamassassin/50_scores.cf share/spamassassin/60_adsp_override_dkim.cf share/spamassassin/60_awl.cf share/spamassassin/60_shortcircuit.cf +share/spamassassin/60_txrep.cf share/spamassassin/60_whitelist.cf +share/spamassassin/60_whitelist_auth.cf share/spamassassin/60_whitelist_dkim.cf share/spamassassin/60_whitelist_spf.cf share/spamassassin/60_whitelist_subject.cf Index: pkg/spamassassin.rc =================================================================== RCS file: /cvs/ports/mail/p5-Mail-SpamAssassin/pkg/spamassassin.rc,v retrieving revision 1.6 diff -u -p -r1.6 spamassassin.rc --- pkg/spamassassin.rc 11 Jan 2018 19:27:03 -0000 1.6 +++ pkg/spamassassin.rc 18 Sep 2018 07:08:03 -0000 @@ -7,6 +7,6 @@ daemon_flags="-u _spamdaemon -P" . /etc/rc.d/rc.subr -pexp="perl: ${daemon}${daemon_flags:+ ${daemon_flags}}" +pexp="/usr/bin/perl -T -w ${daemon}${daemon_flags:+ ${daemon_flags}}" rc_cmd $1
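Review bot: The new `pexp` in pkg/spamassassin.rc hard-codes `/usr/bin/perl -T -w`, so the rc.d process match now depends on spamd's interpreter line and switches staying exactly as written here. If the installed script's first line ever differs (presumably this string mirrors it), `check`, `stop` and `restart` would no longer match the running daemon, and an update that ships security fixes could leave the old process serving mail. A comment above the assignment would record the coupling, for example `# pexp mirrors the #! line of spamd; update both together`. It is also worth confirming on a test host that a restart after the package update actually replaces the running spamd.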