From 84967cdd477f8cb9992d3eafe55b23ff6c1d8b6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= Date: Wed, 23 Jul 2014 17:44:25 +0200 Subject: [PATCH] New version Resolves: CVE-2014-2972 - De-fuzzified patches --- ....82-config.patch => exim-4.83-config.patch | 38 +++++++++---------- ....patch => exim-4.83-dlopen-localscan.patch | 25 ++++++------ ...amdconf.patch => exim-4.83-spamdconf.patch | 2 +- exim.spec | 15 +++++--- 4 files changed, 43 insertions(+), 37 deletions(-) rename exim-4.82-config.patch => exim-4.83-config.patch (92%) rename exim-4.82-dlopen-localscan.patch => exim-4.83-dlopen-localscan.patch (93%) rename exim-4.82-spamdconf.patch => exim-4.83-spamdconf.patch (99%) diff --git a/exim-4.82-config.patch b/exim-4.83-config.patch similarity index 92% rename from exim-4.82-config.patch rename to exim-4.83-config.patch index d20928b..252e00a 100644 --- a/exim-4.82-config.patch +++ b/exim-4.83-config.patch @@ -1,8 +1,8 @@ diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile -index 5e8a726..31a5aad 100755 +index eeb26ee..9cb6385 100755 --- a/scripts/Configure-Makefile +++ b/scripts/Configure-Makefile -@@ -233,7 +233,7 @@ if [ "${EXIM_PERL}" != "" ] ; then +@@ -249,7 +249,7 @@ if [ "${EXIM_PERL}" != "" ] ; then mv $mft $mftt echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft @@ -12,7 +12,7 @@ index 5e8a726..31a5aad 100755 echo "" >>$mft cat $mftt >> $mft diff --git a/src/EDITME b/src/EDITME -index 3f818f3..6cc58a8 100644 +index d576fd7..a3ffd48 100644 --- a/src/EDITME +++ b/src/EDITME @@ -98,7 +98,7 @@ 
@@ -121,7 +121,7 @@ index 3f818f3..6cc58a8 100644 # If you're using ClamAV and are backporting fixes to an old version, instead # of staying current (which is the more usual approach) then you may need to -@@ -560,7 +562,7 @@ FIXED_NEVER_USERS=root +@@ -573,7 +575,7 @@ FIXED_NEVER_USERS=root # CONFIGURE_OWNER setting, to specify a configuration file which is listed in # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. @@ -130,7 +130,7 @@ index 3f818f3..6cc58a8 100644 #------------------------------------------------------------------------------ -@@ -605,15 +607,13 @@ FIXED_NEVER_USERS=root +@@ -618,15 +620,13 @@ FIXED_NEVER_USERS=root # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. @@ -153,7 +153,7 @@ index 3f818f3..6cc58a8 100644 #------------------------------------------------------------------------------ -@@ -634,7 +634,7 @@ FIXED_NEVER_USERS=root +@@ -647,7 +647,7 @@ FIXED_NEVER_USERS=root # one that is set in the headers_charset option. The default setting is # defined by this setting: @@ -162,7 +162,7 @@ index 3f818f3..6cc58a8 100644 # If you are going to make use of $header_xxx expansions in your configuration # file, or if your users are going to use them in filter files, and the normal -@@ -654,7 +654,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -667,7 +667,7 @@ HEADERS_CHARSET="ISO-8859-1" # the Sieve filter support. For those OS where iconv() is known to be installed # as standard, the file in OS/Makefile-xxxx contains # @@ -171,7 +171,7 @@ index 3f818f3..6cc58a8 100644 # # If you are not using one of those systems, but have installed iconv(), you # need to uncomment that line above. In some cases, you may find that iconv() -@@ -716,11 +716,11 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -729,11 +729,11 @@ HEADERS_CHARSET="ISO-8859-1" # leave these settings commented out. # This setting is required for any TLS support (either OpenSSL or GnuTLS) 
@@ -186,7 +186,7 @@ index 3f818f3..6cc58a8 100644 # Uncomment the first and either the second or the third of these if you # are using GnuTLS. If you have pkg-config, then the second, else the third. -@@ -785,7 +785,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -798,7 +798,7 @@ HEADERS_CHARSET="ISO-8859-1" # Once you have done this, "make install" will build the info files and # install them in the directory you have defined. @@ -195,7 +195,7 @@ index 3f818f3..6cc58a8 100644 #------------------------------------------------------------------------------ -@@ -798,7 +798,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -811,7 +811,7 @@ HEADERS_CHARSET="ISO-8859-1" # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: @@ -204,7 +204,7 @@ index 3f818f3..6cc58a8 100644 # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create -@@ -864,7 +864,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -877,7 +877,7 @@ ZCAT_COMMAND=/usr/bin/zcat # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded # Perl costs quite a lot of resources. Only do this if you really need it. @@ -213,7 +213,7 @@ index 3f818f3..6cc58a8 100644 #------------------------------------------------------------------------------ -@@ -874,7 +874,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -887,7 +887,7 @@ ZCAT_COMMAND=/usr/bin/zcat # that the local_scan API is made available by the linker. You may also need # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. 
@@ -222,7 +222,7 @@ index 3f818f3..6cc58a8 100644 #------------------------------------------------------------------------------ -@@ -884,7 +884,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -897,7 +897,7 @@ ZCAT_COMMAND=/usr/bin/zcat # support, which is intended for use in conjunction with the SMTP AUTH # facilities, is included only when requested by the following setting: @@ -231,7 +231,7 @@ index 3f818f3..6cc58a8 100644 # You probably need to add -lpam to EXTRALIBS, and in some releases of # GNU/Linux -ldl is also needed. -@@ -952,7 +952,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -965,7 +965,7 @@ ZCAT_COMMAND=/usr/bin/zcat # group. Once you have installed saslauthd, you should arrange for it to be # started by root at boot time. @@ -240,7 +240,7 @@ index 3f818f3..6cc58a8 100644 #------------------------------------------------------------------------------ -@@ -965,9 +965,9 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -978,9 +978,9 @@ ZCAT_COMMAND=/usr/bin/zcat # You may well also have to specify a local "include" file and an additional # library for TCP wrappers, so you probably need something like this: # @@ -253,7 +253,7 @@ index 3f818f3..6cc58a8 100644 # # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM # as well. -@@ -1019,7 +1019,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1032,7 +1032,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases # is "yes", as well as supporting line editing, a history of input lines in the # current run is maintained. @@ -262,7 +262,7 @@ index 3f818f3..6cc58a8 100644 # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. # Note that this option adds to the size of the Exim binary, because the -@@ -1029,7 +1029,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1042,7 +1042,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases #------------------------------------------------------------------------------ # Uncomment this setting to include IPv6 support. 
@@ -271,7 +271,7 @@ index 3f818f3..6cc58a8 100644 ############################################################################### # THINGS YOU ALMOST NEVER NEED TO MENTION # -@@ -1050,13 +1050,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1063,13 +1063,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. @@ -292,7 +292,7 @@ index 3f818f3..6cc58a8 100644 #------------------------------------------------------------------------------ -@@ -1256,7 +1256,7 @@ TMPDIR="/tmp" +@@ -1269,7 +1269,7 @@ TMPDIR="/tmp" # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: diff --git a/exim-4.82-dlopen-localscan.patch b/exim-4.83-dlopen-localscan.patch similarity index 93% rename from exim-4.82-dlopen-localscan.patch rename to exim-4.83-dlopen-localscan.patch index ac5233c..9538345 100644 --- a/exim-4.82-dlopen-localscan.patch +++ b/exim-4.83-dlopen-localscan.patch @@ -1,8 +1,8 @@ diff --git a/src/EDITME b/src/EDITME -index 6cc58a8..07f8211 100644 +index a3ffd48..c186529 100644 --- a/src/EDITME +++ b/src/EDITME -@@ -770,6 +770,20 @@ TLS_LIBS=-lssl -lcrypto +@@ -783,6 +783,20 @@ TLS_LIBS=-lssl -lcrypto #------------------------------------------------------------------------------ @@ -24,7 +24,7 @@ index 6cc58a8..07f8211 100644 # documentation. Other forms are available separately. If you want to install # the documentation in "info" format, first fetch the Texinfo documentation diff --git a/src/config.h.defaults b/src/config.h.defaults -index 8c1e799..d5f9e55 100644 +index ba4615c..878e687 100644 --- a/src/config.h.defaults +++ b/src/config.h.defaults @@ -27,6 +27,8 @@ it's a default value. */ @@ -37,10 +37,10 @@ index 8c1e799..d5f9e55 100644 #define CONFIGURE_FILE diff --git a/src/globals.c b/src/globals.c -index 133a7bf..4423f07 100644 +index d3f9987..c01d430 100644 --- a/src/globals.c 
+++ b/src/globals.c -@@ -149,6 +149,10 @@ uschar *tls_verify_certificates= NULL; +@@ -162,6 +162,10 @@ uschar *tls_verify_certificates= NULL; uschar *tls_verify_hosts = NULL; #endif @@ -48,23 +48,24 @@ index 133a7bf..4423f07 100644 +uschar *local_scan_path = NULL; +#endif + - #ifdef EXPERIMENTAL_PRDR + #ifndef DISABLE_PRDR /* Per Recipient Data Response variables */ BOOL prdr_enable = FALSE; diff --git a/src/globals.h b/src/globals.h index 265f94e..fde0f47 100644 --- a/src/globals.h +++ b/src/globals.h -@@ -117,6 +117,9 @@ extern uschar *tls_verify_certificates;/* Path for certificates to check */ +@@ -117,6 +117,10 @@ extern uschar *tls_verify_certificates;/* Path for certificates to check */ extern uschar *tls_verify_hosts; /* Mandatory client verification */ #endif +#ifdef DLOPEN_LOCAL_SCAN +extern uschar *local_scan_path; /* Path to local_scan() library */ +#endif - - /* Input-reading functions for messages, so we can use special ones for - incoming TCP/IP. */ ++ + #ifdef EXPERIMENTAL_DSN + extern uschar *dsn_envid; /* DSN envid string */ + extern int dsn_ret; /* DSN ret type*/ diff --git a/src/local_scan.c b/src/local_scan.c index 3500047..8599172 100644 --- a/src/local_scan.c @@ -249,10 +250,10 @@ index 3500047..8599172 100644 + /* End of local_scan.c */ diff --git a/src/readconf.c b/src/readconf.c -index 77c7984..da9d582 100644 +index adb538c..d378b3a 100644 --- a/src/readconf.c +++ b/src/readconf.c -@@ -286,6 +286,9 @@ static optionlist optionlist_config[] = { +@@ -290,6 +290,9 @@ static optionlist optionlist_config[] = { { "local_from_prefix", opt_stringptr, &local_from_prefix }, { "local_from_suffix", opt_stringptr, &local_from_suffix }, { "local_interfaces", opt_stringptr, &local_interfaces }, diff --git a/exim-4.82-spamdconf.patch b/exim-4.83-spamdconf.patch similarity index 99% rename from exim-4.82-spamdconf.patch rename to exim-4.83-spamdconf.patch index e13b57f..b931f11 100644 --- a/exim-4.82-spamdconf.patch +++ b/exim-4.83-spamdconf.patch 
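Review bot: The src/globals.h section of exim-4.83-dlopen-localscan.patch looks hand-edited rather than regenerated. Its context now ends in the `#ifdef EXPERIMENTAL_DSN` block and its new-side count went from `+117,9` to `+117,10`, yet the `index 265f94e..fde0f47` line and the `-117,6` start are unchanged, while the src/globals.c section received new blob ids and line numbers. The hunk should still apply by context search, but the blob ids no longer identify the 4.83 file, which makes the carried patch harder to verify against the upstream tree. Regenerating the patch from an unpacked 4.83 tree would keep headers and content in agreement. The extra added blank line after the `#endif` of the `DLOPEN_LOCAL_SCAN` block seems incidental and could be dropped at the same time.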
@@ -72,7 +72,7 @@ index 38f0f56..8b599d2 100644 - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report -+ ++ + # Unconditionally add score and report headers + # + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ diff --git a/exim.spec b/exim.spec index 5abad44..cf4f016 100644 --- a/exim.spec +++ b/exim.spec @@ -14,8 +14,8 @@ Summary: The exim mail transfer agent Name: exim -Version: 4.82.1 -Release: 4%{?dist} +Version: 4.83 +Release: 1%{?dist} License: GPLv2+ Url: http://www.exim.org/ Group: System Environment/Daemons @@ -53,12 +53,12 @@ Source26: clamd.exim.service %endif Patch4: exim-rhl.patch -Patch6: exim-4.82-config.patch +Patch6: exim-4.83-config.patch Patch8: exim-4.82-libdir.patch Patch12: exim-4.82-cyrus.patch Patch13: exim-4.82-pamconfig.patch -Patch14: exim-4.82-spamdconf.patch -Patch18: exim-4.82-dlopen-localscan.patch +Patch14: exim-4.83-spamdconf.patch +Patch18: exim-4.83-dlopen-localscan.patch Patch19: exim-4.82-procmail.patch Patch20: exim-4.82-allow-filter.patch Patch21: exim-4.82-localhost-is-local.patch @@ -611,6 +611,11 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || : %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Wed Jul 23 2014 Jaroslav Škarvada - 4.83-1 +- New version + Resolves: CVE-2014-2972 +- De-fuzzified patches + * Wed Jul 9 2014 Jaroslav Škarvada - 4.82.1-4 - Do not build clamav on RHEL - Fixed build without clamav
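Review bot: Nothing in this commit pins the 4.83 tarball that carries the CVE-2014-2972 fix. The `Version: 4.83` bump in exim.spec is the only source change, and the diffstat lists just the three refreshed patches and the spec. If the package records its upstream source by hash (presumably a `sources` file next to the spec), that entry has to move to the 4.83 tarball and be checked against upstream's signed release; confirm this happened in a separate commit. The `%changelog` entry would also be easier to audit with the tracking bug beside the CVE id, e.g. `Resolves: CVE-2014-2972 (rhbz#<BUG-ID>)`.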