Bug#803569: jessie-pu: package exim4/4.84-8+deb8u1

Andreas Metzler ametzler at bebt.de
Sat Oct 31 13:33:10 UTC 2015


Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Hello,

I would like to fix 803562 in jessie. Exim's MIME checking ACL
(available in exim4-daemon-heavy) was found to not correctly handle
some broken MIME containers. Jessie contains most of the fixes, but
some additional issues were found later.

Debian's default setup does not set either acl_not_smtp_mime or
acl_smtp_mime and is therefore not affected.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
File lists identical (after any substitutions)

Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.39), exim4-base (>= [-4.84-8),-] {+4.84-8+deb8u1),+} exim4-base (<< [-4.84-8.1),-] {+4.84-8+deb8u1.1),+} exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Depends: exim4-base (>= 4.84), libc6 (>= 2.15), libdb5.3, libgnutls-deb0-28 (>= 3.3.0), libldap-2.4-2 (>= 2.4.7), libmysqlclient18 (>= 5.5.24+dfsg-1), libpam0g (>= 0.99.7.1), libpcre3 (>= 1:8.35), libperl5.20 (>= [-5.20.1),-] {+5.20.2),+} libpq5, libsasl2-2, libsqlite3-0 (>= 3.5.9), debconf (>= 0.5) | debconf-2.0
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Installed-Size: [-2078-] {+2079+}
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.84-8-] {+4.84-8+deb8u1+}
diff -Nru exim4-4.84/debian/changelog exim4-4.84/debian/changelog
--- exim4-4.84/debian/changelog	2015-02-17 18:00:49.000000000 +0100
+++ exim4-4.84/debian/changelog	2015-10-31 13:55:10.000000000 +0100
@@ -1,3 +1,12 @@
+exim4 (4.84-8+deb8u1) jessie; urgency=medium
+
+  * Pull 85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
+    and 86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch from
+    upstream GIT to fixup more MIME ACL related crashes. (Thanks, Lutz
+    Pre?ler) Closes: #803562
+
+ -- Andreas Metzler <ametzler at debian.org>  Mon, 26 Oct 2015 17:42:16 +0100
+
 exim4 (4.84-8) unstable; urgency=medium
 
   * Pull 83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch and
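Review bot: in the Thanks line of the new 4.84-8+deb8u1 entry the contributor's name reads "Pre?ler", with a "?" where a non-ASCII letter was presumably intended. debian/changelog is expected to be UTF-8, so confirm that the file itself carries the correct character and that this is only a substitution made in transit. The entry would also be easier to triage if it said that both pulled patches change the parameter parsing in src/mime.c.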
diff -Nru exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
--- exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch	2015-10-31 13:50:54.000000000 +0100
@@ -0,0 +1,77 @@
+From bf485bf34df3fc2214765497a5552851c6a8977a Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Tue, 30 Dec 2014 20:39:02 +0000
+Subject: [PATCH] Fix crash in mime acl when a parameter is unterminated
+
+Verified-by: Wolfgang Breyha <wbreyha at gmx.net>
+---
+ src/mime.c                  | 33 +++++++++++----------------------
+ test/confs/4000                 |  1 +
+ test/log/4000                   |  9 ++++++---
+ test/mail/4000.userx            | 36 ++++++++++++++++++++++++++++++++++++
+ test/scripts/4000-scanning/4000 | 27 +++++++++++++++++++++++++++
+ test/stdout/4000                | 11 +++++++++++
+ 6 files changed, 92 insertions(+), 25 deletions(-)
+
+diff --git a/src/mime.c b/src/mime.c
+index a61e9f2..e5fe476 100644
+--- a/src/mime.c
++++ b/src/mime.c
+@@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH:
+ 	    /* found an interesting parameter? */
+ 	    if (strncmpic(mp->name, p, mp->namelen) == 0)
+ 	      {
+-	      uschar * q = p + mp->namelen;
+-	      int plen = 0;
+ 	      int size = 0;
+ 	      int ptr = 0;
+ 
+ 	      /* yes, grab the value and copy to its corresponding expansion variable */
+-	      while(*q && *q != ';')		/* ; terminates */
+-		if (*q == '"')
++	      p += mp->namelen;
++	      while(*p && *p != ';')		/* ; terminates */
++		if (*p == '"')
+ 		  {
+-		  q++;				/* skip leading " */
+-		  plen++;			/* and account for the skip */
+-		  while(*q && *q != '"')	/* " protects ; */
+-		    {
+-		    param_value = string_cat(param_value, &size, &ptr, q++, 1);
+-		    plen++;
+-		    }
+-		  if (*q)
+-		    {
+-		    q++;			/* skip trailing " */
+-		    plen++;
+-		    }
++		  p++;				/* skip leading " */
++		  while(*p && *p != '"')	/* " protects ; */
++		    param_value = string_cat(param_value, &size, &ptr, p++, 1);
++		  if (*p) p++;			/* skip trailing " */
+ 		  }
+ 		else
+-		  {
+-		  param_value = string_cat(param_value, &size, &ptr, q++, 1);
+-		  plen++;
+-		  }
++		  param_value = string_cat(param_value, &size, &ptr, p++, 1);
++	      if (*p) p++;			/* skip trailing ; */
+ 
+ 	      if (param_value)
+ 		{
++		uschar * dummy;
+ 		param_value[ptr++] = '\0';
+ 
+ 		param_value = rfc2047_decode(param_value,
+-		      check_rfc2047_length, NULL, 32, NULL, &q);
++		      check_rfc2047_length, NULL, 32, NULL, &dummy);
+ 		debug_printf("Found %s MIME parameter in %s header, "
+ 		      "value is '%s'\n", mp->name, mime_header_list[i].name,
+ 		      param_value);
+ 		}
+ 	      *mp->value = param_value;
+-	      p += mp->namelen + plen + 1;	/* name=, content, ; */
+ 	      goto NEXT_PARAM_SEARCH;
+ 	    }
+ 	  }
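Review bot: the diffstat in this patch header lists six files, including test/mail/4000.userx and test/scripts/4000-scanning/4000, but only the src/mime.c change is carried here, so the regression input for the unterminated parameter is not part of this update. Either note in the patch header that the test-suite parts were dropped for the Debian package, or state how the fix was checked on jessie. In the src/mime.c hunk itself, the error out-parameter of rfc2047_decode now goes to `dummy` and is never read, and the returned param_value is passed straight to debug_printf and stored in *mp->value; a one-line comment saying that a decode failure is deliberately ignored at this point would help the next reader.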
diff -Nru exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch
--- exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch	2015-10-31 13:50:54.000000000 +0100
@@ -0,0 +1,59 @@
+From e7c25d5b603a33e677efc4bccb6e5cac617e7ad5 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Thu, 1 Jan 2015 21:47:10 +0000
+Subject: [PATCH] Avoid crash with badly-terminated non-recognised mime
+ parameter
+
+---
+ src/mime.c                  | 18 +++++++++++-------
+ test/log/4000                   |  3 +++
+ test/mail/4000.userx            | 42 +++++++++++++++++++++++++++++++++++++++++
+ test/scripts/4000-scanning/4000 | 32 +++++++++++++++++++++++++++++++
+ test/stdout/4000                | 11 +++++++++++
+ 5 files changed, 99 insertions(+), 7 deletions(-)
+
+diff --git a/src/mime.c b/src/mime.c
+index e5fe476..948dd78 100644
+--- a/src/mime.c
++++ b/src/mime.c
+@@ -589,6 +589,7 @@ DECODE_HEADERS:
+ NEXT_PARAM_SEARCH:
+ 	while (*p)
+ 	  {
++	  /* debug_printf("  considering paramlist '%s'\n", p); */
+ 	  mime_parameter * mp;
+ 	  for (mp = mime_parameter_list;
+ 	       mp < &mime_parameter_list[mime_parameter_list_size];
+@@ -623,7 +624,7 @@ NEXT_PARAM_SEARCH:
+ 
+ 		param_value = rfc2047_decode(param_value,
+ 		      check_rfc2047_length, NULL, 32, NULL, &dummy);
+-		debug_printf("Found %s MIME parameter in %s header, "
++		debug_printf(" Found %s MIME parameter in %s header, "
+ 		      "value is '%s'\n", mp->name, mime_header_list[i].name,
+ 		      param_value);
+ 		}
+@@ -631,14 +632,17 @@ NEXT_PARAM_SEARCH:
+ 	      goto NEXT_PARAM_SEARCH;
+ 	    }
+ 	  }
+-	  /* There is something, but not one of our interesting parameters.
+-	     Advance to the next semicolon */
+-	  while(*p != ';')
++	/* There is something, but not one of our interesting parameters.
++	   Advance to the next unquoted semicolon */
++	while(*p && *p != ';')
++	  if (*p == '"')
+ 	    {
+-	    if (*p == '"') while(*++p && *p != '"') ;
+-	    p++;
++	    while(*++p && *p != '"') ;
++	    if (*p) p++;
+ 	    }
+-	  p++;
++	  else
++	    p++;
++	if (*p) p++;
+ 	}
+       }
+   }
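Review bot: in the last src/mime.c hunk, the loop `while(*++p && *p != '"') ;` treats every double quote as the end of the quoted section, so a backslash-escaped quote inside a quoted parameter value ends the quoted run early and a later ';' inside that value is then taken as the parameter separator. The value-copy loop in patch 85 behaves the same way; if quoted-pairs are meant to be tolerated, skip the character following a backslash in both places. The replacement lines are also indented one step less than the lines they replace, which puts them level with `while (*p)` and makes the block structure harder to follow. The commented-out debug_printf added in the first hunk sits above the `mime_parameter * mp;` declaration; drop it or move it below the declaration so that enabling it later does not put a statement before a declaration.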
diff -Nru exim4-4.84/debian/patches/series exim4-4.84/debian/patches/series
--- exim4-4.84/debian/patches/series	2015-02-17 17:55:04.000000000 +0100
+++ exim4-4.84/debian/patches/series	2015-10-31 13:50:54.000000000 +0100
@@ -13,3 +13,5 @@
 82_quoted-or-r-2047-encoded.diff
 83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch
 84_Fix-truncation-of-items-in-headers_remove-lists-this.patch
+85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
+86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch