From 5787faece729d1093b1be9b142432ef11311a2a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= Date: Mon, 1 Jun 2020 21:48:09 +0200 Subject: [PATCH] New version Resolves: rhbz#1842590 Used Exim maintainers keyring for GPG verification Dropped CVE-2020-12783 patch (upstreamed) Used better workaround for rhbz#1791878 Resolves: rhbz#1842633 --- exim-4.93-CVE-2020-12783.patch | 200 ------------------ ....93-config.patch => exim-4.94-config.patch | 86 ++++---- ....patch => exim-4.94-dlopen-localscan.patch | 26 +-- ....93-libdir.patch => exim-4.94-libdir.patch | 4 +- exim.spec | 37 ++-- sources | 2 +- 6 files changed, 79 insertions(+), 276 deletions(-) delete mode 100644 exim-4.93-CVE-2020-12783.patch rename exim-4.93-config.patch => exim-4.94-config.patch (93%) rename exim-4.93-dlopen-localscan.patch => exim-4.94-dlopen-localscan.patch (92%) rename exim-4.93-libdir.patch => exim-4.94-libdir.patch (81%) diff --git a/exim-4.93-CVE-2020-12783.patch b/exim-4.93-CVE-2020-12783.patch deleted file mode 100644 index 85c542a..0000000 --- a/exim-4.93-CVE-2020-12783.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c -index fc363df..44c99e9 100644 ---- a/src/auths/auth-spa.c -+++ b/src/auths/auth-spa.c -@@ -374,27 +374,27 @@ void - spa_bits_to_base64 (uschar *out, const uschar *in, int inlen) - /* raw bytes in quasi-big-endian order to base 64 string (NUL-terminated) */ - { -- for (; inlen >= 3; inlen -= 3) -- { -- *out++ = base64digits[in[0] >> 2]; -- *out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)]; -- *out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)]; -- *out++ = base64digits[in[2] & 0x3f]; -- in += 3; -- } -- if (inlen > 0) -- { -- uschar fragment; -- -- *out++ = base64digits[in[0] >> 2]; -- fragment = (in[0] << 4) & 0x30; -- if (inlen > 1) -- fragment |= in[1] >> 4; -- *out++ = base64digits[fragment]; -- *out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c]; -- *out++ = '='; -- } -- *out = '\0'; -+for (; inlen >= 3; inlen -= 3) -+ { -+ *out++ = base64digits[in[0] >> 2]; -+ *out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)]; -+ *out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)]; -+ *out++ = base64digits[in[2] & 0x3f]; -+ in += 3; -+ } -+if (inlen > 0) -+ { -+ uschar fragment; -+ -+ *out++ = base64digits[in[0] >> 2]; -+ fragment = (in[0] << 4) & 0x30; -+ if (inlen > 1) -+ fragment |= in[1] >> 4; -+ *out++ = base64digits[fragment]; -+ *out++ = (inlen < 2) ? 
'=' : base64digits[(in[1] << 2) & 0x3c]; -+ *out++ = '='; -+ } -+*out = '\0'; - } - - -@@ -404,52 +404,52 @@ int - spa_base64_to_bits (char *out, int outlength, const char *in) - /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */ - { -- int len = 0; -- register uschar digit1, digit2, digit3, digit4; -+int len = 0; -+uschar digit1, digit2, digit3, digit4; - -- if (in[0] == '+' && in[1] == ' ') -- in += 2; -- if (*in == '\r') -- return (0); -+if (in[0] == '+' && in[1] == ' ') -+ in += 2; -+if (*in == '\r') -+ return (0); - -- do -+do -+ { -+ if (len >= outlength) /* Added by PH */ -+ return -1; /* Added by PH */ -+ digit1 = in[0]; -+ if (DECODE64 (digit1) == BAD) -+ return -1; -+ digit2 = in[1]; -+ if (DECODE64 (digit2) == BAD) -+ return -1; -+ digit3 = in[2]; -+ if (digit3 != '=' && DECODE64 (digit3) == BAD) -+ return -1; -+ digit4 = in[3]; -+ if (digit4 != '=' && DECODE64 (digit4) == BAD) -+ return -1; -+ in += 4; -+ *out++ = (DECODE64 (digit1) << 2) | (DECODE64 (digit2) >> 4); -+ ++len; -+ if (digit3 != '=') - { -+ if (len >= outlength) /* Added by PH */ -+ return -1; /* Added by PH */ -+ *out++ = -+ ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2); -+ ++len; -+ if (digit4 != '=') -+ { - if (len >= outlength) /* Added by PH */ -- return (-1); /* Added by PH */ -- digit1 = in[0]; -- if (DECODE64 (digit1) == BAD) -- return (-1); -- digit2 = in[1]; -- if (DECODE64 (digit2) == BAD) -- return (-1); -- digit3 = in[2]; -- if (digit3 != '=' && DECODE64 (digit3) == BAD) -- return (-1); -- digit4 = in[3]; -- if (digit4 != '=' && DECODE64 (digit4) == BAD) -- return (-1); -- in += 4; -- *out++ = (DECODE64 (digit1) << 2) | (DECODE64 (digit2) >> 4); -+ return -1; /* Added by PH */ -+ *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4); - ++len; -- if (digit3 != '=') -- { -- if (len >= outlength) /* Added by PH */ -- return (-1); /* Added by PH */ -- *out++ = -- ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2); -- 
++len; -- if (digit4 != '=') -- { -- if (len >= outlength) /* Added by PH */ -- return (-1); /* Added by PH */ -- *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4); -- ++len; -- } -- } -+ } - } -- while (*in && *in != '\r' && digit4 != '='); -+ } -+while (*in && *in != '\r' && digit4 != '='); - -- return (len); -+return len; - } - - -diff --git a/src/auths/spa.c b/src/auths/spa.c -index 97e3b10..5bffdfb 100644 ---- a/src/auths/spa.c -+++ b/src/auths/spa.c -@@ -139,7 +139,8 @@ SPAAuthChallenge challenge; - SPAAuthResponse response; - SPAAuthResponse *responseptr = &response; - uschar msgbuf[2048]; --uschar *clearpass; -+uschar *clearpass, *s; -+unsigned off; - - /* send a 334, MS Exchange style, and grab the client's request, - unless we already have it via an initial response. */ -@@ -194,9 +195,19 @@ that causes failure if the size of msgbuf is exceeded. ****/ - - { - int i; -- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0); -+ char * p; - int len = SVAL(&responseptr->uUser.len,0)/2; - -+ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse) -+ || len >= sizeof(responseptr->buffer)/2 -+ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1) -+ ) -+ { -+ DEBUG(D_auth) -+ debug_printf("auth_spa_server(): bad uUser spec in response\n"); -+ return FAIL; -+ } -+ - if (len + 1 >= sizeof(msgbuf)) return FAIL; - for (i = 0; i < len; ++i) - { -@@ -245,9 +256,16 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData); - - /* compare NT hash (LM may not be available) */ - --if (memcmp(ntRespData, -- ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0), -- 24) == 0) -+off = IVAL(&responseptr->ntResponse.offset,0); -+if (off >= sizeof(SPAAuthResponse) - 24) -+ { -+ DEBUG(D_auth) -+ debug_printf("auth_spa_server(): bad ntRespData spec in response\n"); -+ return FAIL; -+ } -+s = (US responseptr) + off; -+ -+if (memcmp(ntRespData, s, 24) == 0) - /* success. we have a winner. 
*/ - { - return auth_check_serv_cond(ablock); diff --git a/exim-4.93-config.patch b/exim-4.94-config.patch similarity index 93% rename from exim-4.93-config.patch rename to exim-4.94-config.patch index c98a96e..f4fd003 100644 --- a/exim-4.93-config.patch +++ b/exim-4.94-config.patch @@ -1,5 +1,5 @@ diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile -index ecd2083..cf1eeb2 100755 +index 61368ec..e8fe9ef 100755 --- a/scripts/Configure-Makefile +++ b/scripts/Configure-Makefile @@ -297,7 +297,7 @@ if [ "${EXIM_PERL}" != "" ] ; then @@ -12,10 +12,10 @@ index ecd2083..cf1eeb2 100755 echo "" >>$mft cat $mftt >> $mft diff --git a/src/EDITME b/src/EDITME -index 83325ab..968ef81 100644 +index e568bdb..9e82528 100644 --- a/src/EDITME +++ b/src/EDITME -@@ -100,7 +100,7 @@ +@@ -99,7 +99,7 @@ # /usr/local/sbin. The installation script will try to create this directory, # and any superior directories, if they do not exist. @@ -24,7 +24,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -116,7 +116,7 @@ BIN_DIRECTORY=/usr/exim/bin +@@ -115,7 +115,7 @@ BIN_DIRECTORY=/usr/exim/bin # don't exist. It will also install a default runtime configuration if this # file does not exist. @@ -33,7 +33,7 @@ index 83325ab..968ef81 100644 # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. # In this case, Exim will use the first of them that exists when it is run. -@@ -133,7 +133,7 @@ CONFIGURE_FILE=/usr/exim/configure +@@ -132,7 +132,7 @@ CONFIGURE_FILE=/usr/exim/configure # deliveries. (Local deliveries run as various non-root users, typically as the # owner of a local mailbox.) Specifying these values as root is not supported. 
@@ -42,7 +42,7 @@ index 83325ab..968ef81 100644 # If you specify EXIM_USER as a name, this is looked up at build time, and the # uid number is built into the binary. However, you can specify that this -@@ -154,7 +154,7 @@ EXIM_USER= +@@ -153,7 +153,7 @@ EXIM_USER= # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless # you want to use a group other than the default group for the given user. @@ -51,7 +51,7 @@ index 83325ab..968ef81 100644 # Many sites define a user called "exim", with an appropriate default group, # and use -@@ -211,10 +211,10 @@ SPOOL_DIRECTORY=/var/spool/exim +@@ -210,10 +210,10 @@ SPOOL_DIRECTORY=/var/spool/exim # If you are buliding with TLS, the library configuration must be done: # Uncomment this if you are using OpenSSL @@ -64,7 +64,7 @@ index 83325ab..968ef81 100644 # TLS_LIBS=-lssl -lcrypto # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto -@@ -338,7 +338,7 @@ TRANSPORT_SMTP=yes +@@ -337,7 +337,7 @@ TRANSPORT_SMTP=yes # This one is special-purpose, and commonly not required, so it is not # included by default. @@ -73,7 +73,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -347,9 +347,9 @@ TRANSPORT_SMTP=yes +@@ -346,9 +346,9 @@ TRANSPORT_SMTP=yes # MBX, is included only when requested. If you do not know what this is about, # leave these settings commented out. @@ -86,7 +86,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -407,20 +407,25 @@ LOOKUP_DBM=yes +@@ -406,20 +406,25 @@ LOOKUP_DBM=yes LOOKUP_LSEARCH=yes LOOKUP_DNSDB=yes @@ -122,7 +122,7 @@ index 83325ab..968ef81 100644 # LOOKUP_SQLITE_PC=sqlite3 # LOOKUP_WHOSON=yes -@@ -433,7 +438,7 @@ LOOKUP_DNSDB=yes +@@ -432,7 +437,7 @@ LOOKUP_DNSDB=yes # Some platforms may need this for LOOKUP_NIS: 
@@ -131,7 +131,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate -@@ -499,7 +504,7 @@ SUPPORT_DANE=yes +@@ -498,7 +503,7 @@ SUPPORT_DANE=yes # files are defaulted in the OS/Makefile-Default file, but can be overridden in # local OS-specific make files. @@ -140,7 +140,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -509,7 +514,7 @@ SUPPORT_DANE=yes +@@ -508,7 +513,7 @@ SUPPORT_DANE=yes # and the MIME ACL. Please read the documentation to learn more about these # features. @@ -149,7 +149,7 @@ index 83325ab..968ef81 100644 # If you have content scanning you may wish to only include some of the scanner # interfaces. Uncomment any of these lines to remove that code. -@@ -592,12 +598,12 @@ +@@ -595,12 +600,12 @@ DISABLE_MAL_MKS=yes # Uncomment the following line to add DMARC checking capability, implemented # using libopendmarc libraries. You must have SPF and DKIM support enabled also. @@ -165,7 +165,7 @@ index 83325ab..968ef81 100644 # Uncomment the following line to add ARC (Authenticated Received Chain) # support. You must have SPF and DKIM support enabled also. -@@ -707,7 +712,7 @@ FIXED_NEVER_USERS=root +@@ -713,7 +718,7 @@ FIXED_NEVER_USERS=root # CONFIGURE_OWNER setting, to specify a configuration file which is listed in # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. @@ -174,7 +174,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -752,18 +757,18 @@ FIXED_NEVER_USERS=root +@@ -758,18 +763,18 @@ FIXED_NEVER_USERS=root # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. 
@@ -201,7 +201,7 @@ index 83325ab..968ef81 100644 # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 # requires multiple pkg-config files to work with Exim, so the second example -@@ -787,7 +792,7 @@ FIXED_NEVER_USERS=root +@@ -796,7 +801,7 @@ FIXED_NEVER_USERS=root # one that is set in the headers_charset option. The default setting is # defined by this setting: @@ -210,7 +210,7 @@ index 83325ab..968ef81 100644 # If you are going to make use of $header_xxx expansions in your configuration # file, or if your users are going to use them in filter files, and the normal -@@ -807,7 +812,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -816,7 +821,7 @@ HEADERS_CHARSET="ISO-8859-1" # the Sieve filter support. For those OS where iconv() is known to be installed # as standard, the file in OS/Makefile-xxxx contains # @@ -219,7 +219,7 @@ index 83325ab..968ef81 100644 # # If you are not using one of those systems, but have installed iconv(), you # need to uncomment that line above. In some cases, you may find that iconv() -@@ -883,7 +888,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -892,7 +897,7 @@ HEADERS_CHARSET="ISO-8859-1" # Once you have done this, "make install" will build the info files and # install them in the directory you have defined. @@ -228,7 +228,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -896,7 +901,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -905,7 +910,7 @@ HEADERS_CHARSET="ISO-8859-1" # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: 
@@ -237,7 +237,7 @@ index 83325ab..968ef81 100644 # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create -@@ -968,7 +973,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -977,7 +982,7 @@ ZCAT_COMMAND=/usr/bin/zcat # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded # Perl costs quite a lot of resources. Only do this if you really need it. @@ -246,7 +246,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -978,7 +983,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -987,7 +992,7 @@ ZCAT_COMMAND=/usr/bin/zcat # that the local_scan API is made available by the linker. You may also need # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. @@ -255,7 +255,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -988,7 +993,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -997,7 +1002,7 @@ ZCAT_COMMAND=/usr/bin/zcat # support, which is intended for use in conjunction with the SMTP AUTH # facilities, is included only when requested by the following setting: @@ -264,7 +264,7 @@ index 83325ab..968ef81 100644 # You probably need to add -lpam to EXTRALIBS, and in some releases of # GNU/Linux -ldl is also needed. -@@ -1000,12 +1005,12 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -1009,12 +1014,12 @@ ZCAT_COMMAND=/usr/bin/zcat # If you may want to use outbound (client-side) proxying, using Socks5, # uncomment the line below. @@ -279,7 +279,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -1029,9 +1050,9 @@ +@@ -1038,9 +1043,9 @@ ZCAT_COMMAND=/usr/bin/zcat # installed on your system (www.libspf2.org). Depending on where it is installed # you may have to edit the CFLAGS and LDFLAGS lines. 
@@ -291,7 +291,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -1096,7 +1102,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -1105,7 +1110,7 @@ ZCAT_COMMAND=/usr/bin/zcat # group. Once you have installed saslauthd, you should arrange for it to be # started by root at boot time. @@ -300,7 +300,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -1110,8 +1115,8 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -1119,8 +1124,8 @@ ZCAT_COMMAND=/usr/bin/zcat # library for TCP wrappers, so you probably need something like this: # # USE_TCP_WRAPPERS=yes @@ -311,7 +311,7 @@ index 83325ab..968ef81 100644 # # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM # as well. -@@ -1163,7 +1168,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1172,7 +1177,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases # is "yes", as well as supporting line editing, a history of input lines in the # current run is maintained. @@ -320,7 +320,7 @@ index 83325ab..968ef81 100644 # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. # Note that this option adds to the size of the Exim binary, because the -@@ -1180,7 +1185,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1189,7 +1194,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases #------------------------------------------------------------------------------ # Uncomment this setting to include IPv6 support. @@ -329,7 +329,7 @@ index 83325ab..968ef81 100644 ############################################################################### # THINGS YOU ALMOST NEVER NEED TO MENTION # -@@ -1201,13 +1206,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1210,13 +1215,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. 
@@ -350,7 +350,7 @@ index 83325ab..968ef81 100644 #------------------------------------------------------------------------------ -@@ -1409,7 +1414,7 @@ EXIM_TMPDIR="/tmp" +@@ -1418,7 +1423,7 @@ EXIM_TMPDIR="/tmp" # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: @@ -360,7 +360,7 @@ index 83325ab..968ef81 100644 # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # using the name "exim-daemon.pid". diff --git a/src/configure.default b/src/configure.default -index cf38305..8ddabfe 100644 +index 3423ee0..7d1e552 100644 --- a/src/configure.default +++ b/src/configure.default @@ -67,7 +67,7 @@ @@ -534,8 +534,8 @@ index cf38305..8ddabfe 100644 + # point. The first one denies, whereas the second just warns. The third + # triggers greylisting for any host in the blacklist. # - # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text - # dnslists = black.list.example + # deny dnslists = black.list.example + # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text @@ -513,6 +561,10 @@ acl_check_rcpt: # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain @@ -695,9 +695,9 @@ index cf38305..8ddabfe 100644 # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". -@@ -812,6 +937,25 @@ remote_smtp: - hosts_try_prdr = * - .endif +@@ -809,6 +934,25 @@ remote_smtp: + driver = smtp + message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} +# This transport is used for delivering messages over SMTP using the +# "message submission" port (RFC4409). 
@@ -721,7 +721,7 @@ index cf38305..8ddabfe 100644 # This transport is used for delivering messages to a smarthost, if the # smarthost router is enabled. This starts from the same basis as -@@ -867,8 +1011,8 @@ local_delivery: +@@ -861,8 +1005,8 @@ local_delivery: delivery_date_add envelope_to_add return_path_add @@ -732,7 +732,7 @@ index cf38305..8ddabfe 100644 # This transport is used for handling pipe deliveries generated by alias or -@@ -901,6 +1045,16 @@ address_reply: +@@ -895,6 +1039,16 @@ address_reply: driver = autoreply @@ -749,7 +749,7 @@ index cf38305..8ddabfe 100644 ###################################################################### # RETRY CONFIGURATION # -@@ -941,6 +1095,21 @@ begin rewrite +@@ -935,6 +1089,21 @@ begin rewrite # AUTHENTICATION CONFIGURATION # ###################################################################### @@ -771,7 +771,7 @@ index cf38305..8ddabfe 100644 # The following authenticators support plaintext username/password # authentication using the standard PLAIN mechanism and the traditional # but non-standard LOGIN mechanism, with Exim acting as the server. -@@ -956,7 +1125,7 @@ begin rewrite +@@ -950,7 +1119,7 @@ begin rewrite # The default RCPT ACL checks for successful authentication, and will accept # messages from authenticated users from anywhere on the Internet. @@ -780,7 +780,7 @@ index cf38305..8ddabfe 100644 # PLAIN authentication has no server prompts. The client sends its # credentials in one lump, containing an authorization ID (which we do not -@@ -970,7 +1139,7 @@ begin authenticators +@@ -964,7 +1133,7 @@ begin authenticators # driver = plaintext # server_set_id = $auth2 # server_prompts = : 
@@ -789,7 +789,7 @@ index cf38305..8ddabfe 100644 # server_advertise_condition = ${if def:tls_in_cipher } # LOGIN authentication has traditional prompts and responses. There is no -@@ -982,7 +1151,7 @@ begin authenticators +@@ -976,7 +1145,7 @@ begin authenticators # driver = plaintext # server_set_id = $auth1 # server_prompts = <| Username: | Password: diff --git a/exim-4.93-dlopen-localscan.patch b/exim-4.94-dlopen-localscan.patch similarity index 92% rename from exim-4.93-dlopen-localscan.patch rename to exim-4.94-dlopen-localscan.patch index 2791305..a44a04e 100644 --- a/exim-4.93-dlopen-localscan.patch +++ b/exim-4.94-dlopen-localscan.patch @@ -1,8 +1,8 @@ diff --git a/src/EDITME b/src/EDITME -index 968ef81..477f088 100644 +index 9e82528..0ae84b1 100644 --- a/src/EDITME +++ b/src/EDITME -@@ -872,6 +872,21 @@ HAVE_ICONV=yes +@@ -881,6 +881,21 @@ HAVE_ICONV=yes # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** @@ -25,7 +25,7 @@ index 968ef81..477f088 100644 # The default distribution of Exim contains only the plain text form of the # documentation. Other forms are available separately. If you want to install diff --git a/src/config.h.defaults b/src/config.h.defaults -index b94b368..89b39e8 100644 +index e17f015..008b97b 100644 --- a/src/config.h.defaults +++ b/src/config.h.defaults @@ -33,6 +33,8 @@ Do not put spaces between # and the 'define'. @@ -38,10 +38,10 @@ index b94b368..89b39e8 100644 #define CONFIGURE_FILE diff --git a/src/globals.c b/src/globals.c -index 358c380..590ac63 100644 +index fc3086f..aa11a9b 100644 --- a/src/globals.c +++ b/src/globals.c -@@ -145,6 +145,10 @@ uschar *tls_verify_hosts = NULL; +@@ -147,6 +147,10 @@ uschar *tls_verify_hosts = NULL; uschar *tls_advertise_hosts = NULL; #endif @@ -53,10 +53,10 @@ index 358c380..590ac63 100644 /* Per Recipient Data Response variables */ BOOL prdr_enable = FALSE; diff --git a/src/globals.h b/src/globals.h -index ca342ac..82a8661 100644 +index c80c853..333455c 100644 
--- a/src/globals.h +++ b/src/globals.h -@@ -138,6 +138,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */ +@@ -141,6 +141,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */ extern uschar *tls_verify_certificates;/* Path for certificates to check */ extern uschar *tls_verify_hosts; /* Mandatory client verification */ #endif @@ -256,16 +256,16 @@ index 4dd0b2b..72e0033 100644 + /* End of local_scan.c */ diff --git a/src/readconf.c b/src/readconf.c -index 0233019..186ba39 100644 +index 0d0769c..f1bb0ef 100644 --- a/src/readconf.c +++ b/src/readconf.c -@@ -203,6 +203,9 @@ static optionlist optionlist_config[] = { - { "local_from_prefix", opt_stringptr, &local_from_prefix }, - { "local_from_suffix", opt_stringptr, &local_from_suffix }, - { "local_interfaces", opt_stringptr, &local_interfaces }, +@@ -205,6 +205,9 @@ static optionlist optionlist_config[] = { + { "local_from_prefix", opt_stringptr, {&local_from_prefix} }, + { "local_from_suffix", opt_stringptr, {&local_from_suffix} }, + { "local_interfaces", opt_stringptr, {&local_interfaces} }, +#ifdef DLOPEN_LOCAL_SCAN + { "local_scan_path", opt_stringptr, &local_scan_path }, +#endif #ifdef HAVE_LOCAL_SCAN - { "local_scan_timeout", opt_time, &local_scan_timeout }, + { "local_scan_timeout", opt_time, {&local_scan_timeout} }, #endif diff --git a/exim-4.93-libdir.patch b/exim-4.94-libdir.patch similarity index 81% rename from exim-4.93-libdir.patch rename to exim-4.94-libdir.patch index 7d560b4..34a1fa1 100644 --- a/exim-4.93-libdir.patch +++ b/exim-4.94-libdir.patch @@ -1,8 +1,8 @@ diff --git a/OS/Makefile-Linux b/OS/Makefile-Linux -index ae9f249..060658a 100644 +index dfb2fa8..58c30f7 100644 --- a/OS/Makefile-Linux +++ b/OS/Makefile-Linux -@@ -26,8 +26,8 @@ LIBRESOLV = -lresolv +@@ -27,8 +27,8 @@ LIBRESOLV = -lresolv X11=/usr/X11R6 XINCLUDE=-I$(X11)/include diff --git a/exim.spec b/exim.spec index 8f8f9db..c6725d9 100644 --- a/exim.spec +++ b/exim.spec 
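Review bot: In the readconf.c hunk of exim-4.94-dlopen-localscan.patch the added entry `+ { "local_scan_path", opt_stringptr, &local_scan_path },` still passes a bare pointer, while the refreshed context lines around it now write the value as `{&local_from_prefix}` and `{&local_scan_timeout}`, so the optionlist value field appears to have become a braced member in 4.94 (its definition is not visible here). Brace elision probably lets the bare form compile today, but it is the only entry in the table written that way and -Wmissing-braces will flag it; the line should read `+ { "local_scan_path", opt_stringptr, {&local_scan_path} },`. The optionlist_config array itself begins outside this nested hunk.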
@@ -14,8 +14,8 @@ Summary: The exim mail transfer agent Name: exim -Version: 4.93 -Release: 3%{?dist} +Version: 4.94 +Release: 1%{?dist} License: GPLv2+ Url: https://www.exim.org/ Group: System Environment/Daemons @@ -52,11 +52,10 @@ Source25: exim-gen-cert Source26: clamd.exim.service %endif -Patch0: exim-4.93-config.patch -Patch1: exim-4.93-libdir.patch -Patch2: exim-4.93-dlopen-localscan.patch +Patch0: exim-4.94-config.patch +Patch1: exim-4.94-libdir.patch +Patch2: exim-4.94-dlopen-localscan.patch Patch3: exim-4.85-pic.patch -Patch4: exim-4.93-CVE-2020-12783.patch Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: /etc/aliases @@ -70,7 +69,7 @@ BuildRequires: libspf2-devel libopendmarc-devel BuildRequires: openldap-devel openssl-devel mysql-devel postgresql-devel BuildRequires: libXaw-devel libXmu-devel libXext-devel libX11-devel libSM-devel BuildRequires: libICE-devel libXpm-devel libXt-devel perl(ExtUtils::Embed) -BuildRequires: systemd-units libgsasl-devel +BuildRequires: systemd-units libgsasl-devel grep %description Exim is a message transfer agent (MTA) developed at the University of @@ -205,13 +204,18 @@ greylisting unconditional. %patch1 -p1 -b .libdir %patch2 -p1 -b .dl %patch3 -p1 -b .fpic -%patch4 -p1 -b .CVE-2020-12783 cp src/EDITME Local/Makefile sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile sed -i 's@^# AUTH_LIBS=-lsasl2@AUTH_LIBS=-lsasl2@' Local/Makefile cp exim_monitor/EDITME Local/eximon.conf +# Workaround for rhbz#1791878 +pushd doc +for f in $(ls -dp cve-* | grep -v '/\|\(\.txt\)$'); do + mv "$f" "$f.txt" +done +popd %build %ifnarch s390 s390x sparc sparcv9 sparcv9v sparc64 sparc64v 
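Review bot: The rhbz#1791878 workaround in the %prep hunk builds its loop list from `$(ls -dp cve-* | grep -v '/\|\(\.txt\)$')`, so every entry is word-split and re-globbed before `mv "$f" "$f.txt"` sees it, and a name containing whitespace or glob characters would be renamed in pieces. The doc tarball's cve-* names are presumably plain, so this is robustness rather than a live bug, but a plain glob with a file test does the same job without parsing ls output and also skips cleanly when no cve-* entry exists. The enclosing %prep section starts before this hunk.
```rpmspec
pushd doc
for f in cve-*; do
  [ -f "$f" ] || continue
  case "$f" in *.txt) continue ;; esac
  mv -- "$f" "$f.txt"
done
popd
```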
@@ -376,15 +380,6 @@ rm -rf $RPM_BUILD_ROOT %check build-`scripts/os-type`-`scripts/arch-type`/exim -C src/configure.default -bV -%pretrans -# Workaround for rhbz#1791878 -if [ -d %{_docdir}/exim/doc/cve-2019-13917 ]; then - rm -f %{_docdir}/exim/doc/cve-2019-13917/* - rmdir %{_docdir}/exim/doc/cve-2019-13917 -fi - -exit 0 - %pre %{_sbindir}/groupadd -g 93 exim 2>/dev/null %{_sbindir}/useradd -d %{_var}/spool/exim -s /sbin/nologin -G mail -M -r -u 93 -g exim exim 2>/dev/null @@ -610,6 +605,14 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || : %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Mon Jun 1 2020 Jaroslav Škarvada - 4.94-1 +- New version + Resolves: rhbz#1842590 +- Used Exim maintainers keyring for GPG verification +- Dropped CVE-2020-12783 patch (upstreamed) +- Used better workaround for rhbz#1791878 + Resolves: rhbz#1842633 + * Fri May 15 2020 Jaroslav Škarvada - 4.93-3 - Fixed out-of-bounds read in the SPA authenticator Resolves: CVE-2020-12783 diff --git a/sources b/sources index 371d096..2550b80 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (sa-exim-4.2.tar.gz) = 2c1839c4d897bf65d19c754bbc9dc0674276ccad4a564c639591396afc23f1456decceec94817f62ee9b688f5d6d90436d3d47c869e04a69c955b1376c9fbd7b -SHA512 (exim-4.93.tar.xz) = 556c7fe75042739c3e92346b96c40960680fe2838589add5fad1f69f18600dd9ed128f367627c812051b3a3a1a64e740488d5ce8c198bf87b59fa84ab8a0eb5b +SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316