New version

Resolves: rhbz#1842590
Used Exim maintainers keyring for GPG verification
Dropped CVE-2020-12783 patch (upstreamed)
Used better workaround for rhbz#1791878
  Resolves: rhbz#1842633
Jaroslav Škarvada 2020-06-01 21:48:09 +02:00
parent 8b2730e97c
commit 5787faece7
6 changed files with 79 additions and 276 deletions


@ -1,200 +0,0 @@
diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
index fc363df..44c99e9 100644
--- a/src/auths/auth-spa.c
+++ b/src/auths/auth-spa.c
@@ -374,27 +374,27 @@ void
spa_bits_to_base64 (uschar *out, const uschar *in, int inlen)
/* raw bytes in quasi-big-endian order to base 64 string (NUL-terminated) */
{
- for (; inlen >= 3; inlen -= 3)
- {
- *out++ = base64digits[in[0] >> 2];
- *out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
- *out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
- *out++ = base64digits[in[2] & 0x3f];
- in += 3;
- }
- if (inlen > 0)
- {
- uschar fragment;
-
- *out++ = base64digits[in[0] >> 2];
- fragment = (in[0] << 4) & 0x30;
- if (inlen > 1)
- fragment |= in[1] >> 4;
- *out++ = base64digits[fragment];
- *out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
- *out++ = '=';
- }
- *out = '\0';
+for (; inlen >= 3; inlen -= 3)
+ {
+ *out++ = base64digits[in[0] >> 2];
+ *out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
+ *out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
+ *out++ = base64digits[in[2] & 0x3f];
+ in += 3;
+ }
+if (inlen > 0)
+ {
+ uschar fragment;
+
+ *out++ = base64digits[in[0] >> 2];
+ fragment = (in[0] << 4) & 0x30;
+ if (inlen > 1)
+ fragment |= in[1] >> 4;
+ *out++ = base64digits[fragment];
+ *out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
+ *out++ = '=';
+ }
+*out = '\0';
}
@@ -404,52 +404,52 @@ int
spa_base64_to_bits (char *out, int outlength, const char *in)
/* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
{
- int len = 0;
- register uschar digit1, digit2, digit3, digit4;
+int len = 0;
+uschar digit1, digit2, digit3, digit4;
- if (in[0] == '+' && in[1] == ' ')
- in += 2;
- if (*in == '\r')
- return (0);
+if (in[0] == '+' && in[1] == ' ')
+ in += 2;
+if (*in == '\r')
+ return (0);
- do
+do
+ {
+ if (len >= outlength) /* Added by PH */
+ return -1; /* Added by PH */
+ digit1 = in[0];
+ if (DECODE64 (digit1) == BAD)
+ return -1;
+ digit2 = in[1];
+ if (DECODE64 (digit2) == BAD)
+ return -1;
+ digit3 = in[2];
+ if (digit3 != '=' && DECODE64 (digit3) == BAD)
+ return -1;
+ digit4 = in[3];
+ if (digit4 != '=' && DECODE64 (digit4) == BAD)
+ return -1;
+ in += 4;
+ *out++ = (DECODE64 (digit1) << 2) | (DECODE64 (digit2) >> 4);
+ ++len;
+ if (digit3 != '=')
{
+ if (len >= outlength) /* Added by PH */
+ return -1; /* Added by PH */
+ *out++ =
+ ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
+ ++len;
+ if (digit4 != '=')
+ {
if (len >= outlength) /* Added by PH */
- return (-1); /* Added by PH */
- digit1 = in[0];
- if (DECODE64 (digit1) == BAD)
- return (-1);
- digit2 = in[1];
- if (DECODE64 (digit2) == BAD)
- return (-1);
- digit3 = in[2];
- if (digit3 != '=' && DECODE64 (digit3) == BAD)
- return (-1);
- digit4 = in[3];
- if (digit4 != '=' && DECODE64 (digit4) == BAD)
- return (-1);
- in += 4;
- *out++ = (DECODE64 (digit1) << 2) | (DECODE64 (digit2) >> 4);
+ return -1; /* Added by PH */
+ *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
++len;
- if (digit3 != '=')
- {
- if (len >= outlength) /* Added by PH */
- return (-1); /* Added by PH */
- *out++ =
- ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
- ++len;
- if (digit4 != '=')
- {
- if (len >= outlength) /* Added by PH */
- return (-1); /* Added by PH */
- *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
- ++len;
- }
- }
+ }
}
- while (*in && *in != '\r' && digit4 != '=');
+ }
+while (*in && *in != '\r' && digit4 != '=');
- return (len);
+return len;
}
diff --git a/src/auths/spa.c b/src/auths/spa.c
index 97e3b10..5bffdfb 100644
--- a/src/auths/spa.c
+++ b/src/auths/spa.c
@@ -139,7 +139,8 @@ SPAAuthChallenge challenge;
SPAAuthResponse response;
SPAAuthResponse *responseptr = &response;
uschar msgbuf[2048];
-uschar *clearpass;
+uschar *clearpass, *s;
+unsigned off;
/* send a 334, MS Exchange style, and grab the client's request,
unless we already have it via an initial response. */
@@ -194,9 +195,19 @@ that causes failure if the size of msgbuf is exceeded. ****/
{
int i;
- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
+ char * p;
int len = SVAL(&responseptr->uUser.len,0)/2;
+ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
+ || len >= sizeof(responseptr->buffer)/2
+ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
+ )
+ {
+ DEBUG(D_auth)
+ debug_printf("auth_spa_server(): bad uUser spec in response\n");
+ return FAIL;
+ }
+
if (len + 1 >= sizeof(msgbuf)) return FAIL;
for (i = 0; i < len; ++i)
{
@@ -245,9 +256,16 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
/* compare NT hash (LM may not be available) */
-if (memcmp(ntRespData,
- ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
- 24) == 0)
+off = IVAL(&responseptr->ntResponse.offset,0);
+if (off >= sizeof(SPAAuthResponse) - 24)
+ {
+ DEBUG(D_auth)
+ debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
+ return FAIL;
+ }
+s = (US responseptr) + off;
+
+if (memcmp(ntRespData, s, 24) == 0)
/* success. we have a winner. */
{
return auth_check_serv_cond(ablock);


@ -1,5 +1,5 @@
diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
index ecd2083..cf1eeb2 100755
index 61368ec..e8fe9ef 100755
--- a/scripts/Configure-Makefile
+++ b/scripts/Configure-Makefile
@@ -297,7 +297,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
@ -12,10 +12,10 @@ index ecd2083..cf1eeb2 100755
echo "" >>$mft
cat $mftt >> $mft
diff --git a/src/EDITME b/src/EDITME
index 83325ab..968ef81 100644
index e568bdb..9e82528 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -100,7 +100,7 @@
@@ -99,7 +99,7 @@
# /usr/local/sbin. The installation script will try to create this directory,
# and any superior directories, if they do not exist.
@ -24,7 +24,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -116,7 +116,7 @@ BIN_DIRECTORY=/usr/exim/bin
@@ -115,7 +115,7 @@ BIN_DIRECTORY=/usr/exim/bin
# don't exist. It will also install a default runtime configuration if this
# file does not exist.
@ -33,7 +33,7 @@ index 83325ab..968ef81 100644
# It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
# In this case, Exim will use the first of them that exists when it is run.
@@ -133,7 +133,7 @@ CONFIGURE_FILE=/usr/exim/configure
@@ -132,7 +132,7 @@ CONFIGURE_FILE=/usr/exim/configure
# deliveries. (Local deliveries run as various non-root users, typically as the
# owner of a local mailbox.) Specifying these values as root is not supported.
@ -42,7 +42,7 @@ index 83325ab..968ef81 100644
# If you specify EXIM_USER as a name, this is looked up at build time, and the
# uid number is built into the binary. However, you can specify that this
@@ -154,7 +154,7 @@ EXIM_USER=
@@ -153,7 +153,7 @@ EXIM_USER=
# for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
# you want to use a group other than the default group for the given user.
@ -51,7 +51,7 @@ index 83325ab..968ef81 100644
# Many sites define a user called "exim", with an appropriate default group,
# and use
@@ -211,10 +211,10 @@ SPOOL_DIRECTORY=/var/spool/exim
@@ -210,10 +210,10 @@ SPOOL_DIRECTORY=/var/spool/exim
# If you are buliding with TLS, the library configuration must be done:
# Uncomment this if you are using OpenSSL
@ -64,7 +64,7 @@ index 83325ab..968ef81 100644
# TLS_LIBS=-lssl -lcrypto
# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
@@ -338,7 +338,7 @@ TRANSPORT_SMTP=yes
@@ -337,7 +337,7 @@ TRANSPORT_SMTP=yes
# This one is special-purpose, and commonly not required, so it is not
# included by default.
@ -73,7 +73,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -347,9 +347,9 @@ TRANSPORT_SMTP=yes
@@ -346,9 +346,9 @@ TRANSPORT_SMTP=yes
# MBX, is included only when requested. If you do not know what this is about,
# leave these settings commented out.
@ -86,7 +86,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -407,20 +407,25 @@ LOOKUP_DBM=yes
@@ -406,20 +406,25 @@ LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
LOOKUP_DNSDB=yes
@ -122,7 +122,7 @@ index 83325ab..968ef81 100644
# LOOKUP_SQLITE_PC=sqlite3
# LOOKUP_WHOSON=yes
@@ -433,7 +438,7 @@ LOOKUP_DNSDB=yes
@@ -432,7 +437,7 @@ LOOKUP_DNSDB=yes
# Some platforms may need this for LOOKUP_NIS:
@ -131,7 +131,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
# If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate
@@ -499,7 +504,7 @@ SUPPORT_DANE=yes
@@ -498,7 +503,7 @@ SUPPORT_DANE=yes
# files are defaulted in the OS/Makefile-Default file, but can be overridden in
# local OS-specific make files.
@ -140,7 +140,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -509,7 +514,7 @@ SUPPORT_DANE=yes
@@ -508,7 +513,7 @@ SUPPORT_DANE=yes
# and the MIME ACL. Please read the documentation to learn more about these
# features.
@ -149,7 +149,7 @@ index 83325ab..968ef81 100644
# If you have content scanning you may wish to only include some of the scanner
# interfaces. Uncomment any of these lines to remove that code.
@@ -592,12 +598,12 @@
@@ -595,12 +600,12 @@ DISABLE_MAL_MKS=yes
# Uncomment the following line to add DMARC checking capability, implemented
# using libopendmarc libraries. You must have SPF and DKIM support enabled also.
@ -165,7 +165,7 @@ index 83325ab..968ef81 100644
# Uncomment the following line to add ARC (Authenticated Received Chain)
# support. You must have SPF and DKIM support enabled also.
@@ -707,7 +712,7 @@ FIXED_NEVER_USERS=root
@@ -713,7 +718,7 @@ FIXED_NEVER_USERS=root
# CONFIGURE_OWNER setting, to specify a configuration file which is listed in
# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
@ -174,7 +174,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -752,18 +757,18 @@ FIXED_NEVER_USERS=root
@@ -758,18 +763,18 @@ FIXED_NEVER_USERS=root
# included in the Exim binary. You will then need to set up the run time
# configuration to make use of the mechanism(s) selected.
@ -201,7 +201,7 @@ index 83325ab..968ef81 100644
# Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
# requires multiple pkg-config files to work with Exim, so the second example
@@ -787,7 +792,7 @@ FIXED_NEVER_USERS=root
@@ -796,7 +801,7 @@ FIXED_NEVER_USERS=root
# one that is set in the headers_charset option. The default setting is
# defined by this setting:
@ -210,7 +210,7 @@ index 83325ab..968ef81 100644
# If you are going to make use of $header_xxx expansions in your configuration
# file, or if your users are going to use them in filter files, and the normal
@@ -807,7 +812,7 @@ HEADERS_CHARSET="ISO-8859-1"
@@ -816,7 +821,7 @@ HEADERS_CHARSET="ISO-8859-1"
# the Sieve filter support. For those OS where iconv() is known to be installed
# as standard, the file in OS/Makefile-xxxx contains
#
@ -219,7 +219,7 @@ index 83325ab..968ef81 100644
#
# If you are not using one of those systems, but have installed iconv(), you
# need to uncomment that line above. In some cases, you may find that iconv()
@@ -883,7 +888,7 @@ HEADERS_CHARSET="ISO-8859-1"
@@ -892,7 +897,7 @@ HEADERS_CHARSET="ISO-8859-1"
# Once you have done this, "make install" will build the info files and
# install them in the directory you have defined.
@ -228,7 +228,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -896,7 +901,7 @@ HEADERS_CHARSET="ISO-8859-1"
@@ -905,7 +910,7 @@ HEADERS_CHARSET="ISO-8859-1"
# %s. This will be replaced by one of the strings "main", "panic", or "reject"
# to form the final file names. Some installations may want something like this:
@ -237,7 +237,7 @@ index 83325ab..968ef81 100644
# which results in files with names /var/log/exim_mainlog, etc. The directory
# in which the log files are placed must exist; Exim does not try to create
@@ -968,7 +973,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -977,7 +982,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
# Perl costs quite a lot of resources. Only do this if you really need it.
@ -246,7 +246,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -978,7 +983,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -987,7 +992,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# that the local_scan API is made available by the linker. You may also need
# to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
@ -255,7 +255,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -988,7 +993,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -997,7 +1002,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# support, which is intended for use in conjunction with the SMTP AUTH
# facilities, is included only when requested by the following setting:
@ -264,7 +264,7 @@ index 83325ab..968ef81 100644
# You probably need to add -lpam to EXTRALIBS, and in some releases of
# GNU/Linux -ldl is also needed.
@@ -1000,12 +1005,12 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -1009,12 +1014,12 @@ ZCAT_COMMAND=/usr/bin/zcat
# If you may want to use outbound (client-side) proxying, using Socks5,
# uncomment the line below.
@ -279,7 +279,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -1029,9 +1050,9 @@
@@ -1038,9 +1043,9 @@ ZCAT_COMMAND=/usr/bin/zcat
# installed on your system (www.libspf2.org). Depending on where it is installed
# you may have to edit the CFLAGS and LDFLAGS lines.
@ -291,7 +291,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -1096,7 +1102,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -1105,7 +1110,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# group. Once you have installed saslauthd, you should arrange for it to be
# started by root at boot time.
@ -300,7 +300,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -1110,8 +1115,8 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -1119,8 +1124,8 @@ ZCAT_COMMAND=/usr/bin/zcat
# library for TCP wrappers, so you probably need something like this:
#
# USE_TCP_WRAPPERS=yes
@ -311,7 +311,7 @@ index 83325ab..968ef81 100644
#
# but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
# as well.
@@ -1163,7 +1168,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
@@ -1172,7 +1177,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# is "yes", as well as supporting line editing, a history of input lines in the
# current run is maintained.
@ -320,7 +320,7 @@ index 83325ab..968ef81 100644
# You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
# Note that this option adds to the size of the Exim binary, because the
@@ -1180,7 +1185,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
@@ -1189,7 +1194,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
#------------------------------------------------------------------------------
# Uncomment this setting to include IPv6 support.
@ -329,7 +329,7 @@ index 83325ab..968ef81 100644
###############################################################################
# THINGS YOU ALMOST NEVER NEED TO MENTION #
@@ -1201,13 +1206,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
@@ -1210,13 +1215,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# haven't got Perl, Exim will still build and run; you just won't be able to
# use those utilities.
@ -350,7 +350,7 @@ index 83325ab..968ef81 100644
#------------------------------------------------------------------------------
@@ -1409,7 +1414,7 @@ EXIM_TMPDIR="/tmp"
@@ -1418,7 +1423,7 @@ EXIM_TMPDIR="/tmp"
# (process id) to a file so that it can easily be identified. The path of the
# file can be specified here. Some installations may want something like this:
@ -360,7 +360,7 @@ index 83325ab..968ef81 100644
# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
# using the name "exim-daemon.pid".
diff --git a/src/configure.default b/src/configure.default
index cf38305..8ddabfe 100644
index 3423ee0..7d1e552 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -67,7 +67,7 @@
@ -534,8 +534,8 @@ index cf38305..8ddabfe 100644
+ # point. The first one denies, whereas the second just warns. The third
+ # triggers greylisting for any host in the blacklist.
#
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
# deny dnslists = black.list.example
# message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
@@ -513,6 +561,10 @@ acl_check_rcpt:
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
@ -695,9 +695,9 @@ index cf38305..8ddabfe 100644
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
@@ -812,6 +937,25 @@ remote_smtp:
hosts_try_prdr = *
.endif
@@ -809,6 +934,25 @@ remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+# This transport is used for delivering messages over SMTP using the
+# "message submission" port (RFC4409).
@ -721,7 +721,7 @@ index cf38305..8ddabfe 100644
# This transport is used for delivering messages to a smarthost, if the
# smarthost router is enabled. This starts from the same basis as
@@ -867,8 +1011,8 @@ local_delivery:
@@ -861,8 +1005,8 @@ local_delivery:
delivery_date_add
envelope_to_add
return_path_add
@ -732,7 +732,7 @@ index cf38305..8ddabfe 100644
# This transport is used for handling pipe deliveries generated by alias or
@@ -901,6 +1045,16 @@ address_reply:
@@ -895,6 +1039,16 @@ address_reply:
driver = autoreply
@ -749,7 +749,7 @@ index cf38305..8ddabfe 100644
######################################################################
# RETRY CONFIGURATION #
@@ -941,6 +1095,21 @@ begin rewrite
@@ -935,6 +1089,21 @@ begin rewrite
# AUTHENTICATION CONFIGURATION #
######################################################################
@ -771,7 +771,7 @@ index cf38305..8ddabfe 100644
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -956,7 +1125,7 @@ begin rewrite
@@ -950,7 +1119,7 @@ begin rewrite
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.
@ -780,7 +780,7 @@ index cf38305..8ddabfe 100644
# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
@@ -970,7 +1139,7 @@ begin authenticators
@@ -964,7 +1133,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
@ -789,7 +789,7 @@ index cf38305..8ddabfe 100644
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
@@ -982,7 +1151,7 @@ begin authenticators
@@ -976,7 +1145,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:


@ -1,8 +1,8 @@
diff --git a/src/EDITME b/src/EDITME
index 968ef81..477f088 100644
index 9e82528..0ae84b1 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -872,6 +872,21 @@ HAVE_ICONV=yes
@@ -881,6 +881,21 @@ HAVE_ICONV=yes
# *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
@ -25,7 +25,7 @@ index 968ef81..477f088 100644
# The default distribution of Exim contains only the plain text form of the
# documentation. Other forms are available separately. If you want to install
diff --git a/src/config.h.defaults b/src/config.h.defaults
index b94b368..89b39e8 100644
index e17f015..008b97b 100644
--- a/src/config.h.defaults
+++ b/src/config.h.defaults
@@ -33,6 +33,8 @@ Do not put spaces between # and the 'define'.
@ -38,10 +38,10 @@ index b94b368..89b39e8 100644
#define CONFIGURE_FILE
diff --git a/src/globals.c b/src/globals.c
index 358c380..590ac63 100644
index fc3086f..aa11a9b 100644
--- a/src/globals.c
+++ b/src/globals.c
@@ -145,6 +145,10 @@ uschar *tls_verify_hosts = NULL;
@@ -147,6 +147,10 @@ uschar *tls_verify_hosts = NULL;
uschar *tls_advertise_hosts = NULL;
#endif
@ -53,10 +53,10 @@ index 358c380..590ac63 100644
/* Per Recipient Data Response variables */
BOOL prdr_enable = FALSE;
diff --git a/src/globals.h b/src/globals.h
index ca342ac..82a8661 100644
index c80c853..333455c 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -138,6 +138,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
@@ -141,6 +141,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
extern uschar *tls_verify_certificates;/* Path for certificates to check */
extern uschar *tls_verify_hosts; /* Mandatory client verification */
#endif
@ -256,16 +256,16 @@ index 4dd0b2b..72e0033 100644
+
/* End of local_scan.c */
diff --git a/src/readconf.c b/src/readconf.c
index 0233019..186ba39 100644
index 0d0769c..f1bb0ef 100644
--- a/src/readconf.c
+++ b/src/readconf.c
@@ -203,6 +203,9 @@ static optionlist optionlist_config[] = {
{ "local_from_prefix", opt_stringptr, &local_from_prefix },
{ "local_from_suffix", opt_stringptr, &local_from_suffix },
{ "local_interfaces", opt_stringptr, &local_interfaces },
@@ -205,6 +205,9 @@ static optionlist optionlist_config[] = {
{ "local_from_prefix", opt_stringptr, {&local_from_prefix} },
{ "local_from_suffix", opt_stringptr, {&local_from_suffix} },
{ "local_interfaces", opt_stringptr, {&local_interfaces} },
+#ifdef DLOPEN_LOCAL_SCAN
+ { "local_scan_path", opt_stringptr, &local_scan_path },
+#endif
#ifdef HAVE_LOCAL_SCAN
{ "local_scan_timeout", opt_time, &local_scan_timeout },
{ "local_scan_timeout", opt_time, {&local_scan_timeout} },
#endif
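Review bot: In the readconf.c hunk of the refreshed dlopen-localscan patch, the added `local_scan_path` entry still passes a bare `&local_scan_path`, while the neighbouring `local_from_prefix`, `local_from_suffix`, `local_interfaces` and `local_scan_timeout` entries appear in a second form with the value pointer wrapped in braces. For consistency with those entries I would write `{ "local_scan_path", opt_stringptr, {&local_scan_path} },`. The `optionlist` definition is not visible here, so this is inferred: the braces suggest the value field became an aggregate in 4.94, in which case the bare pointer probably still compiles through brace elision but may draw a missing-braces warning. The rendered page has lost its `+`/`-` column, so which form is old and which is new is read from the paired hunk headers rather than from markers.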


@ -1,8 +1,8 @@
diff --git a/OS/Makefile-Linux b/OS/Makefile-Linux
index ae9f249..060658a 100644
index dfb2fa8..58c30f7 100644
--- a/OS/Makefile-Linux
+++ b/OS/Makefile-Linux
@@ -26,8 +26,8 @@ LIBRESOLV = -lresolv
@@ -27,8 +27,8 @@ LIBRESOLV = -lresolv
X11=/usr/X11R6
XINCLUDE=-I$(X11)/include


@ -14,8 +14,8 @@
Summary: The exim mail transfer agent
Name: exim
Version: 4.93
Release: 3%{?dist}
Version: 4.94
Release: 1%{?dist}
License: GPLv2+
Url: https://www.exim.org/
Group: System Environment/Daemons
@ -52,11 +52,10 @@ Source25: exim-gen-cert
Source26: clamd.exim.service
%endif
Patch0: exim-4.93-config.patch
Patch1: exim-4.93-libdir.patch
Patch2: exim-4.93-dlopen-localscan.patch
Patch0: exim-4.94-config.patch
Patch1: exim-4.94-libdir.patch
Patch2: exim-4.94-dlopen-localscan.patch
Patch3: exim-4.85-pic.patch
Patch4: exim-4.93-CVE-2020-12783.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private
Requires: /etc/aliases
@ -70,7 +69,7 @@ BuildRequires: libspf2-devel libopendmarc-devel
BuildRequires: openldap-devel openssl-devel mysql-devel postgresql-devel
BuildRequires: libXaw-devel libXmu-devel libXext-devel libX11-devel libSM-devel
BuildRequires: libICE-devel libXpm-devel libXt-devel perl(ExtUtils::Embed)
BuildRequires: systemd-units libgsasl-devel
BuildRequires: systemd-units libgsasl-devel grep
%description
Exim is a message transfer agent (MTA) developed at the University of
@ -205,13 +204,18 @@ greylisting unconditional.
%patch1 -p1 -b .libdir
%patch2 -p1 -b .dl
%patch3 -p1 -b .fpic
%patch4 -p1 -b .CVE-2020-12783
cp src/EDITME Local/Makefile
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
sed -i 's@^# AUTH_LIBS=-lsasl2@AUTH_LIBS=-lsasl2@' Local/Makefile
cp exim_monitor/EDITME Local/eximon.conf
# Workaround for rhbz#1791878
pushd doc
for f in $(ls -dp cve-* | grep -v '/\|\(\.txt\)$'); do
mv "$f" "$f.txt"
done
popd
%build
%ifnarch s390 s390x sparc sparcv9 sparcv9v sparc64 sparc64v
@ -376,15 +380,6 @@ rm -rf $RPM_BUILD_ROOT
%check
build-`scripts/os-type`-`scripts/arch-type`/exim -C src/configure.default -bV
%pretrans
# Workaround for rhbz#1791878
if [ -d %{_docdir}/exim/doc/cve-2019-13917 ]; then
rm -f %{_docdir}/exim/doc/cve-2019-13917/*
rmdir %{_docdir}/exim/doc/cve-2019-13917
fi
exit 0
%pre
%{_sbindir}/groupadd -g 93 exim 2>/dev/null
%{_sbindir}/useradd -d %{_var}/spool/exim -s /sbin/nologin -G mail -M -r -u 93 -g exim exim 2>/dev/null
@ -610,6 +605,14 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
%{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog
* Mon Jun 1 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-1
- New version
Resolves: rhbz#1842590
- Used Exim maintainers keyring for GPG verification
- Dropped CVE-2020-12783 patch (upstreamed)
- Used better workaround for rhbz#1791878
Resolves: rhbz#1842633
* Fri May 15 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-3
- Fixed out-of-bounds read in the SPA authenticator
Resolves: CVE-2020-12783
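Review bot: The rhbz#1791878 workaround added to %prep loops over the output of `ls -dp cve-* | grep -v '/\|\(\.txt\)$'`, which word-splits file names and relies on GNU grep's `\|` alternation to do a selection the shell can do itself. A glob with a test is sturdier: `for f in cve-*; do`, `if [ -f "$f" ] && [ "${f%.txt}" = "$f" ]; then mv "$f" "$f.txt"; fi`, `done`. That renames only regular files that lack the .txt suffix and does nothing when the glob matches nothing. With that form the `grep` added to BuildRequires looks unnecessary, unless a build step outside these hunks needs it.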


@ -1,2 +1,2 @@
SHA512 (sa-exim-4.2.tar.gz) = 2c1839c4d897bf65d19c754bbc9dc0674276ccad4a564c639591396afc23f1456decceec94817f62ee9b688f5d6d90436d3d47c869e04a69c955b1376c9fbd7b
SHA512 (exim-4.93.tar.xz) = 556c7fe75042739c3e92346b96c40960680fe2838589add5fad1f69f18600dd9ed128f367627c812051b3a3a1a64e740488d5ce8c198bf87b59fa84ab8a0eb5b
SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316