On Fri, 07 May 2010 10:34:29 +0200, "Yury V. Zaytsev" <[email protected]>
wrote:
> Why everybody gives links to some obscure SRPMs while it's obviously
> easier for us to take the patches from the email / mailing list and it
> takes the same amount of effort for the poster???

Ok, here is the lot. Please remove the existing smtp auth patch by me as I
created a new one with the same options to make things much more uniform
across this package. I've also edited the changelog and bumped the release
to 3.

-- 
Steven Haigh
 
Email: [email protected]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
--- spamass-milter.spec.orig    2010-03-08 00:02:19.000000000 +1100
+++ spamass-milter.spec 2010-05-07 19:12:53.000000000 +1000
@@ -5,14 +5,16 @@
 Summary: Sendmail milter for spamassassin
 Name: spamass-milter
 Version: 0.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Daemons
 URL: http://savannah.gnu.org/projects/spamass-milt/
 
 Source: 
http://savannah.nongnu.org/download/spamass-milt/spamass-milter-%{version}.tar.gz
 
-Patch0: spamass-milter-smtp-auth.patch
+Patch0: spamass-milter-0.3.1-smtp-auth-bypass.patch
+Patch1: spamass-milter-0.3.1-popen.patch
+Patch2: spamass-milter-0.3.1-rcvd.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 
@@ -26,7 +28,9 @@
 
 %prep
 %setup -q
-%patch0 -p0 -b .smtpauth
+%patch0 -p1 -b .smtpauth
+%patch1 -p1 -b .popen
+%patch2 -p1 -b .rcvd
 
 %{__cat} <<EOF >spamass-milter.sysconfig
 ### Override for your different local config
@@ -154,6 +158,10 @@
 %{_sbindir}/spamass-milter
 
 %changelog
+* Fri May 07 2010 Steven Haigh <[email protected]> - 0.3.1.3
+- Added patch to fix CVE-2010-1132.
+- Added patch to fix Received-header generation; this adds a space before the 
"(" between macro_j and macro_v.)
+
 * Sun Mar 07 2010 Yury V. Zaytsev <[email protected]> - 0.3.1-2
 - Added SMTP AUTH patch by Steven Haigh.
 
diff -crB spamass-milter-0.3.1.orig/spamass-milter.cpp spamass-milter-0.3.1/spamass-milter.cpp
*** spamass-milter-0.3.1.orig/spamass-milter.cpp	2006-03-24 08:41:36.000000000 +1100
--- spamass-milter-0.3.1/spamass-milter.cpp	2010-05-07 13:58:36.000000000 +1000
***************
*** 171,180 ****
  bool flag_expand = false;	/* alias/virtusertable expansion */
  bool warnedmacro = false;	/* have we logged that we couldn't fetch a macro? */
  
- #if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
- static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER;
- #endif
- 
  // {{{ main()
  
  int
--- 171,176 ----
***************
*** 461,519 ****
  			   send another copy.  The milter API will not let you send the
  			   message AND return a failure code to the sender, so this is
  			   the only way to do it. */
! #if defined(__FreeBSD__)
! 			int rv;
! #endif
! 			
! #if defined(HAVE_ASPRINTF)
! 			char *buf;
! #else
! 			char buf[1024];
! #endif
! 			char *fmt="%s \"%s\"";
  			FILE *p;
  
! #if defined(HAVE_ASPRINTF)
! 			asprintf(&buf, fmt, SENDMAIL, spambucket);
! #else
! #if defined(HAVE_SNPRINTF)
! 			snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket);
! #else
! 			/* XXX possible buffer overflow here */
! 			sprintf(buf, fmt, SENDMAIL, spambucket);
! #endif
! #endif
! 
! 			debug(D_COPY, "calling %s", buf);
! #if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
! 			rv = pthread_mutex_lock(&popen_mutex);
! 			if (rv)
! 			{
! 				debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
! 				abort();
! 			}		
! #endif
! 			p = popen(buf, "w");
  			if (!p)
  			{
! 				debug(D_COPY, "popen failed(%s).  Will not send a copy to spambucket", strerror(errno));
  			} else
  			{
  				// Send message provided by SpamAssassin
  				fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
! 				pclose(p); p = NULL;
  			}
- #if defined(__FreeBSD__)
- 			rv = pthread_mutex_unlock(&popen_mutex);
- 			if (rv)
- 			{
- 				debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
- 				abort();
- 			}		
- #endif
- #if defined(HAVE_ASPRINTF)
- 			free(buf);
- #endif 
  		}
  		return SMFIS_REJECT;
  	}
--- 457,479 ----
  			   send another copy.  The milter API will not let you send the
  			   message AND return a failure code to the sender, so this is
  			   the only way to do it. */
! 			char sendmail_prog[] = SENDMAIL;
! 			char *const popen_argv[] = { sendmail_prog, spambucket, NULL };
  			FILE *p;
+ 			pid_t pid;
  
! 			debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
! 			p = popenv(popen_argv, "w", &pid);
  			if (!p)
  			{
! 				debug(D_COPY, "popenv failed(%s).  Will not send a copy to spambucket", strerror(errno));
  			} else
  			{
  				// Send message provided by SpamAssassin
  				fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
! 				fclose(p); p = NULL;
! 				waitpid(pid, NULL, 0);
  			}
  		}
  		return SMFIS_REJECT;
  	}
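Review bot: `waitpid(pid, NULL, 0)` after `fclose(p)` throws away the child's exit status, and the `fwrite` result is not checked either, so a sendmail that could not be exec'd (popenv's child exits with 127) or that failed to deliver leaves no trace while the message is still answered with SMFIS_REJECT; the spambucket copy is then lost silently. Collect and log the status instead, e.g. `int status; if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0) debug(D_ALWAYS, "sendmail exited abnormally; spambucket copy may be lost");`. The same `waitpid(pid, NULL, 0)` pattern appears in the later hunk that closes the `-bv` pipe, where at least an exec failure deserves a debug line. The enclosing function starts and ends outside this hunk.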
***************
*** 842,871 ****
  		/* open a pipe to sendmail so we can do address expansion */
  
  		char buf[1024];
! 		char *fmt="%s -bv \"%s\" 2>&1";
! 
! #if defined(HAVE_SNPRINTF)
! 		snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
! #else
! 		/* XXX possible buffer overflow here */
! 		sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
! #endif
! 
! 		debug(D_RCPT, "calling %s", buf);
  
! #if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
! 		rv = pthread_mutex_lock(&popen_mutex);
! 		if (rv)
! 		{
! 			debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
! 			abort();
! 		}		
! #endif
  
! 		p = popen(buf, "r");
  		if (!p)
  		{
! 			debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
  			assassin->expandedrcpt.push_back(envrcpt[0]);
  		} else
  		{
--- 802,818 ----
  		/* open a pipe to sendmail so we can do address expansion */
  
  		char buf[1024];
! 		char sendmail_prog[] = SENDMAIL;
! 		char sendmail_mode[] = "-bv";
! 		char * const popen_argv[] = { sendmail_prog, sendmail_mode, envrcpt[0], NULL };
! 		pid_t pid;
  
! 		debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
  
! 		p = popenv(popen_argv, "r", &pid);
  		if (!p)
  		{
! 			debug(D_RCPT, "popenv failed(%s).  Will not expand aliases", strerror(errno));
  			assassin->expandedrcpt.push_back(envrcpt[0]);
  		} else
  		{
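Review bot: `envrcpt[0]` is now passed as its own argv element, which removes the shell, but sendmail still parses its own command line, so a recipient string beginning with `-` would be read as an option rather than an address. Ending option parsing explicitly closes that off: `char end_opts[] = "--";` and `{ sendmail_prog, sendmail_mode, end_opts, envrcpt[0], NULL }`. Whether the MTA can hand the milter a recipient without enclosing angle brackets is not visible in this hunk, so treat this as hardening rather than a confirmed hole. The enclosing function starts and ends outside the hunk.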
***************
*** 890,905 ****
  					assassin->expandedrcpt.push_back(p+7);
  				}
  			}
! 			pclose(p); p = NULL;
  		}
- #if defined(__FreeBSD__)
- 		rv = pthread_mutex_unlock(&popen_mutex);
- 		if (rv)
- 		{
- 			debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
- 			abort();
- 		}		
- #endif
  	} else
  	{
  		assassin->expandedrcpt.push_back(envrcpt[0]);
--- 837,845 ----
  					assassin->expandedrcpt.push_back(p+7);
  				}
  			}
! 			fclose(p); p = NULL;
! 			waitpid(pid, NULL, 0);
  		}
  	} else
  	{
  		assassin->expandedrcpt.push_back(envrcpt[0]);
***************
*** 2157,2161 ****
--- 2097,2167 ----
  	warnedmacro = true;
  }
  
+ /*
+    untrusted-argument-safe popen function - only supports "r" and "w" modes
+    for simplicity, and always reads stdout and stderr in "r" mode.  Call
+    fclose to close the FILE, and waitpid to reap the child process (pid).
+ */
+ FILE *popenv(char *const argv[], const char *type, pid_t *pid)
+ {
+        FILE *iop;
+        int pdes[2];
+        int save_errno;
+ 
+        if ((*type != 'r' && *type != 'w') || type[1])
+        {
+                errno = EINVAL;
+                return (NULL);
+        }
+        if (pipe(pdes) < 0)
+                return (NULL);
+        switch (*pid = fork()) {
+ 
+        case -1:                        /* Error. */
+                save_errno = errno;
+                (void)close(pdes[0]);
+                (void)close(pdes[1]);
+                errno = save_errno;
+                return (NULL);
+                /* NOTREACHED */
+        case 0:                         /* Child. */
+                if (*type == 'r') {
+                        /*
+                         * The dup2() to STDIN_FILENO is repeated to avoid
+                         * writing to pdes[1], which might corrupt the
+                         * parent's copy.  This isn't good enough in
+                         * general, since the exit() is no return, so
+                         * the compiler is free to corrupt all the local
+                         * variables.
+                         */
+                        (void)close(pdes[0]);
+                        (void)dup2(pdes[1], STDOUT_FILENO);
+                        (void)dup2(pdes[1], STDERR_FILENO);
+                        if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) {
+                                (void)close(pdes[1]);
+                        }
+                } else {
+                        if (pdes[0] != STDIN_FILENO) {
+                                (void)dup2(pdes[0], STDIN_FILENO);
+                                (void)close(pdes[0]);
+                        }
+                        (void)close(pdes[1]);
+                }
+                execv(argv[0], argv);
+                exit(127);
+                /* NOTREACHED */
+        }
+ 
+        /* Parent; assume fdopen can't fail. */
+        if (*type == 'r') {
+                iop = fdopen(pdes[0], type);
+                (void)close(pdes[1]);
+        } else {
+                iop = fdopen(pdes[1], type);
+                (void)close(pdes[0]);
+        }
+ 
+        return (iop);
+ }
  // }}}
  // vim6:ai:noexpandtab
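Review bot: In the child branch of `popenv`, a failed `execv` falls through to `exit(127)`, which runs atexit handlers and flushes the stdio buffers the child inherited from the milter; `_exit(127)` is the safe call after `fork()`. The parent branch also assumes `fdopen` cannot fail, but if it returns NULL both callers skip `fclose`/`waitpid`, so the pipe descriptor leaks and the child is never reaped. The block comment about repeating the dup2() to STDIN_FILENO does not describe the code under it (the "r" branch never touches stdin) and should be reworded or dropped. The whole function is inside this hunk.

```cpp
               execv(argv[0], argv);
               _exit(127);     /* exec failed: leave without atexit handlers or stdio flush */
       // … unchanged: end of switch …

       /* Parent: keep our end of the pipe and close the child's end. */
       int keep = (*type == 'r') ? pdes[0] : pdes[1];
       (void)close((*type == 'r') ? pdes[1] : pdes[0]);
       iop = fdopen(keep, type);
       if (iop == NULL) {
               /* Callers only reap when they get a FILE back, so clean up here. */
               save_errno = errno;
               (void)close(keep);
               (void)waitpid(*pid, NULL, 0);
               errno = save_errno;
       }
       return (iop);
```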
diff -crB spamass-milter-0.3.1.orig/spamass-milter.h spamass-milter-0.3.1/spamass-milter.h
*** spamass-milter-0.3.1.orig/spamass-milter.h	2006-03-24 09:07:55.000000000 +1100
--- spamass-milter-0.3.1/spamass-milter.h	2010-05-07 13:48:31.000000000 +1000
***************
*** 186,190 ****
--- 186,191 ----
  void parse_debuglevel(char* string);
  char *strlwr(char *str);
  void warnmacro(char *macro, char *scope);
+ FILE *popenv(char *const argv[], const char *type, pid_t *pid);
  
  #endif
The code in spamass-milter.cpp that tries to create a
Sendmail-compatible header is broken and generates a header
that is incorrectly parsed by SpamAssassin.

This is mostly fixed in CVS apart from the space that needs
adding prior to the "(" between macro_j and macro_v.

https://savannah.nongnu.org/bugs/index.php?17178
http://bugs.debian.org/510665
http://bugzilla.redhat.com/496763

--- spamass-milter-0.3.1/spamass-milter.cpp.ori 2006-03-23 15:41:36.000000000 
-0600
+++ spamass-milter-0.3.1/spamass-milter.cpp     2009-04-20 20:03:31.000000000 
-0500
@@ -1002,9 +1002,9 @@
 
                assassin->output((string)
                        "Received: from "+macro_s+" ("+macro__+")\r\n\t"+
-                       "by "+macro_j+"("+macro_v+"/"+macro_Z+") with 
"+macro_r+" id "+macro_i+"\r\n\t"+
+                       "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with 
"+macro_r+" id "+macro_i+";\r\n\t"+
                        macro_b+"\r\n\t"+
-                       "(envelope-from "+assassin->from()+"\r\n");
+                       "(envelope-from "+assassin->from()+")\r\n");
 
        } else
                assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n");
diff -crB spamass-milter-0.3.1.orig/spamass-milter.cpp spamass-milter-0.3.1/spamass-milter.cpp
*** spamass-milter-0.3.1.orig/spamass-milter.cpp        2006-03-24 08:41:36.000000000 +1100
--- spamass-milter-0.3.1/spamass-milter.cpp     2010-02-12 03:59:16.000000000 +1100
***************
*** 775,780 ****
--- 775,784 ----
    SpamAssassin* assassin;
    struct context *sctx = (struct context *)smfi_getpriv(ctx);
    char *queueid;
+   if (smfi_getsymval (ctx, "{auth_type}") != NULL)
+   {
+     return SMFIS_ACCEPT;
+   }

    if (sctx == NULL)
    {
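Review bot: The early `return SMFIS_ACCEPT` when `{auth_type}` is set is unconditional and silent: every message from an authenticated session skips SpamAssassin, with no switch to turn the bypass off and no debug line recording it. A compromised or abused account would then send unscanned mail, and an operator has nothing in the log to explain why a message was not scanned. Gate the check behind a run-time flag (a file-scope bool next to `flag_expand`, set from a command-line option) and emit a `debug()` line before returning. The same check is repeated in the following hunk (the 0.3.1-smtp-auth-bypass version), and the enclosing function starts and ends outside both hunks.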
diff -crB spamass-milter-0.3.1.orig/spamass-milter.cpp spamass-milter-0.3.1/spamass-milter.cpp
*** spamass-milter-0.3.1.orig/spamass-milter.cpp	2006-03-24 08:41:36.000000000 +1100
--- spamass-milter-0.3.1/spamass-milter.cpp	2010-05-07 13:18:54.000000000 +1000
***************
*** 776,781 ****
--- 776,788 ----
    struct context *sctx = (struct context *)smfi_getpriv(ctx);
    char *queueid;
  
+   // spamass-milter-0.3.1-smtp-auth-bypass.patch start.
+   if (smfi_getsymval (ctx, "{auth_type}") != NULL)
+   {
+     return SMFIS_ACCEPT;
+   }
+   // spamass-milter-0.3.1-smtp-auth-bypass.patch end.
+ 
    if (sctx == NULL)
    {
      debug(D_ALWAYS, "smfi_getpriv failed!");