From 892636a58d3044f2ea6f8e55a0fcc549e5432def Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Wed, 14 Feb 2018 13:28:19 +0100
Subject: [PATCH] New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed)
---
.gitignore | 3 +-
exim-4.89-CVE-2017-1000369.patch | 37 --
exim-4.89-CVE-2017-16943.patch | 27 -
exim-4.89-CVE-2017-16944.patch | 41 --
exim-4.89-calloutsize.patch | 524 ------------------
exim-4.89-mariadb-macro-fix.patch | 73 ---
...er.patch => exim-4.90.1-allow-filter.patch | 4 +-
...9-config.patch => exim-4.90.1-config.patch | 54 +-
....88-cyrus.patch => exim-4.90.1-cyrus.patch | 4 +-
...atch => exim-4.90.1-dlopen-localscan.patch | 16 +-
...atch => exim-4.90.1-dynlookup-config.patch | 9 +-
...ent.patch => exim-4.90.1-environment.patch | 3 +-
...f.patch => exim-4.90.1-greylist-conf.patch | 14 +-
...onfig.patch => exim-4.90.1-pamconfig.patch | 14 +-
...ocmail.patch => exim-4.90.1-procmail.patch | 6 +-
exim-4.88-rhl.patch => exim-4.90.1-rhl.patch | 6 +-
...atch => exim-4.90.1-smarthost-config.patch | 8 +-
...dconf.patch => exim-4.90.1-spamdconf.patch | 21 +-
exim.spec | 55 +-
sources | 2 +-
20 files changed, 107 insertions(+), 814 deletions(-)
delete mode 100644 exim-4.89-CVE-2017-1000369.patch
delete mode 100644 exim-4.89-CVE-2017-16943.patch
delete mode 100644 exim-4.89-CVE-2017-16944.patch
delete mode 100644 exim-4.89-calloutsize.patch
delete mode 100644 exim-4.89-mariadb-macro-fix.patch
rename exim-4.88-allow-filter.patch => exim-4.90.1-allow-filter.patch (81%)
rename exim-4.89-config.patch => exim-4.90.1-config.patch (88%)
rename exim-4.88-cyrus.patch => exim-4.90.1-cyrus.patch (90%)
rename exim-4.89-dlopen-localscan.patch => exim-4.90.1-dlopen-localscan.patch (96%)
rename exim-4.87-dynlookup-config.patch => exim-4.90.1-dynlookup-config.patch (75%)
rename exim-4.89-environment.patch => exim-4.90.1-environment.patch (82%)
rename exim-4.88-greylist-conf.patch => exim-4.90.1-greylist-conf.patch (94%)
rename exim-4.88-pamconfig.patch => exim-4.90.1-pamconfig.patch (88%)
rename exim-4.88-procmail.patch => exim-4.90.1-procmail.patch (90%)
rename exim-4.88-rhl.patch => exim-4.90.1-rhl.patch (84%)
rename exim-4.88-smarthost-config.patch => exim-4.90.1-smarthost-config.patch (92%)
rename exim-4.87-spamdconf.patch => exim-4.90.1-spamdconf.patch (94%)
diff --git a/.gitignore b/.gitignore
index f059899..53bc958 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-exim-*.tar.bz2
-/exim-4.89.tar.xz
+exim-*.tar.xz
diff --git a/exim-4.89-CVE-2017-1000369.patch b/exim-4.89-CVE-2017-1000369.patch
deleted file mode 100644
index fd1e7f3..0000000
--- a/exim-4.89-CVE-2017-1000369.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/src/exim.c b/src/exim.c
-index a6a1ea8..394bf84 100644
---- a/src/exim.c
-+++ b/src/exim.c
-@@ -3092,7 +3092,14 @@ for (i = 1; i < argc; i++)
-
- /* -oMr: Received protocol */
-
-- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
-+ else if (Ustrcmp(argrest, "Mr") == 0)
-+
-+ if (received_protocol)
-+ {
-+ fprintf(stderr, "received_protocol is set already\n");
-+ exit(EXIT_FAILURE);
-+ }
-+ else received_protocol = argv[++i];
-
- /* -oMs: Set sender host name */
-
-@@ -3188,7 +3195,15 @@ for (i = 1; i < argc; i++)
-
- if (*argrest != 0)
- {
-- uschar *hn = Ustrchr(argrest, ':');
-+ uschar *hn;
-+
-+ if (received_protocol)
-+ {
-+ fprintf(stderr, "received_protocol is set already\n");
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ hn = Ustrchr(argrest, ':');
- if (hn == NULL)
- {
- received_protocol = argrest;
diff --git a/exim-4.89-CVE-2017-16943.patch b/exim-4.89-CVE-2017-16943.patch
deleted file mode 100644
index bd3468d..0000000
--- a/exim-4.89-CVE-2017-16943.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff --git a/src/receive.c b/src/receive.c
-index 7980c32..3246621 100644
---- a/src/receive.c
-+++ b/src/receive.c
-@@ -1772,8 +1772,8 @@ for (;;)
- (and sometimes lunatic messages can have ones that are 100s of K long) we
- call store_release() for strings that have been copied - if the string is at
- the start of a block (and therefore the only thing in it, because we aren't
-- doing any other gets), the block gets freed. We can only do this because we
-- know there are no other calls to store_get() going on. */
-+ doing any other gets), the block gets freed. We can only do this release if
-+ there were no allocations since the once that we want to free. */
-
- if (ptr >= header_size - 4)
- {
-@@ -1782,9 +1782,10 @@ for (;;)
- header_size *= 2;
- if (!store_extend(next->text, oldsize, header_size))
- {
-+ BOOL release_ok = store_last_get[store_pool] == next->text;
- uschar *newtext = store_get(header_size);
- memcpy(newtext, next->text, ptr);
-- store_release(next->text);
-+ if (release_ok) store_release(next->text);
- next->text = newtext;
- }
- }
diff --git a/exim-4.89-CVE-2017-16944.patch b/exim-4.89-CVE-2017-16944.patch
deleted file mode 100644
index 81e8032..0000000
--- a/exim-4.89-CVE-2017-16944.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff --git a/src/receive.c b/src/receive.c
-index 3246621..f19c8b9 100644
---- a/src/receive.c
-+++ b/src/receive.c
-@@ -1827,7 +1827,7 @@ for (;;)
- prevent further reading), and break out of the loop, having freed the
- empty header, and set next = NULL to indicate no data line. */
-
-- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
-+ if (ptr == 0 && ch == '.' && dot_ends)
- {
- ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
- if (ch == '\r')
-diff --git a/src/smtp_in.c b/src/smtp_in.c
-index 1b45f84..0207540 100644
---- a/src/smtp_in.c
-+++ b/src/smtp_in.c
-@@ -4955,16 +4955,23 @@ while (done <= 0)
- DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
- (int)chunking_state, chunking_data_left);
-
-+ /* push the current receive_* function on the "stack", and
-+ replace them by bdat_getc(), which in turn will use the lwr_receive_*
-+ functions to do the dirty work. */
- lwr_receive_getc = receive_getc;
- lwr_receive_ungetc = receive_ungetc;
-+
- receive_getc = bdat_getc;
- receive_ungetc = bdat_ungetc;
-
-+ dot_ends = FALSE;
-+
- goto DATA_BDAT;
- }
-
- case DATA_CMD:
- HAD(SCH_DATA);
-+ dot_ends = TRUE;
-
- DATA_BDAT: /* Common code for DATA and BDAT */
- if (!discarded && recipients_count <= 0)
diff --git a/exim-4.89-calloutsize.patch b/exim-4.89-calloutsize.patch
deleted file mode 100644
index 02f8aba..0000000
--- a/exim-4.89-calloutsize.patch
+++ /dev/null
@@ -1,524 +0,0 @@ ---- exim-4.89/src/exim.c.calloutsize 2017-03-04 16:21:35.000000000 -0500 -+++ exim-4.89/src/exim.c 2017-08-16 15:52:41.424866990 -0400 -@@ -2738,7 +2738,7 @@ - /* -MCD: set the smtp_use_dsn flag; this indicates that the host - that exim is connected to supports the esmtp extension DSN */ - -- case 'D': smtp_peer_options |= PEER_OFFERED_DSN; break; -+ case 'D': smtp_peer_options |= OPTION_DSN; break; - - /* -MCG: set the queue name, to a non-default value */ - -@@ -2748,12 +2748,12 @@ - - /* -MCK: the peer offered CHUNKING. Must precede -MC */ - -- case 'K': smtp_peer_options |= PEER_OFFERED_CHUNKING; break; -+ case 'K': smtp_peer_options |= OPTION_CHUNKING; break; - - /* -MCP: set the smtp_use_pipelining flag; this is useful only when - it preceded -MC (see above) */ - -- case 'P': smtp_peer_options |= PEER_OFFERED_PIPE; break; -+ case 'P': smtp_peer_options |= OPTION_PIPE; break; - - /* -MCQ: pass on the pid of the queue-running process that started - this chain of deliveries and the fd of its synchronizing pipe; this -@@ -2768,14 +2768,14 @@ - /* -MCS: set the smtp_use_size flag; this is useful only when it - precedes -MC (see above) */ - -- case 'S': smtp_peer_options |= PEER_OFFERED_SIZE; break; -+ case 'S': smtp_peer_options |= OPTION_SIZE; break; - - #ifdef SUPPORT_TLS - /* -MCT: set the tls_offered flag; this is useful only when it - precedes -MC (see above). The flag indicates that the host to which - Exim is connected has offered TLS support. 
*/ - -- case 'T': smtp_peer_options |= PEER_OFFERED_TLS; break; -+ case 'T': smtp_peer_options |= OPTION_TLS; break; - #endif - - default: badarg = TRUE; break; ---- exim-4.89/src/macros.h.calloutsize 2017-03-04 16:21:35.000000000 -0500 -+++ exim-4.89/src/macros.h 2017-08-16 15:38:52.876969094 -0400 -@@ -959,14 +959,14 @@ - - /* Codes for ESMTP facilities offered by peer */ - --#define PEER_OFFERED_TLS BIT(0) --#define PEER_OFFERED_IGNQ BIT(1) --#define PEER_OFFERED_PRDR BIT(2) --#define PEER_OFFERED_UTF8 BIT(3) --#define PEER_OFFERED_DSN BIT(4) --#define PEER_OFFERED_PIPE BIT(5) --#define PEER_OFFERED_SIZE BIT(6) --#define PEER_OFFERED_CHUNKING BIT(7) -+#define OPTION_TLS BIT(0) -+#define OPTION_IGNQ BIT(1) -+#define OPTION_PRDR BIT(2) -+#define OPTION_UTF8 BIT(3) -+#define OPTION_DSN BIT(4) -+#define OPTION_PIPE BIT(5) -+#define OPTION_SIZE BIT(6) -+#define OPTION_CHUNKING BIT(7) - - /* Argument for *_getc */ - ---- exim-4.89/src/transport.c.calloutsize 2017-08-16 15:38:52.876969094 -0400 -+++ exim-4.89/src/transport.c 2017-08-16 15:55:23.681414193 -0400 -@@ -1976,13 +1976,12 @@ - argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0); - - if (smtp_authenticated) argv[i++] = US"-MCA"; -- -- if (smtp_peer_options & PEER_OFFERED_CHUNKING) argv[i++] = US"-MCK"; -- if (smtp_peer_options & PEER_OFFERED_DSN) argv[i++] = US"-MCD"; -- if (smtp_peer_options & PEER_OFFERED_PIPE) argv[i++] = US"-MCP"; -- if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS"; -+ if (smtp_peer_options & OPTION_CHUNKING) argv[i++] = US"-MCK"; -+ if (smtp_peer_options & OPTION_DSN) argv[i++] = US"-MCD"; -+ if (smtp_peer_options & OPTION_PIPE) argv[i++] = US"-MCP"; -+ if (smtp_peer_options & OPTION_SIZE) argv[i++] = US"-MCS"; - #ifdef SUPPORT_TLS -- if (smtp_peer_options & PEER_OFFERED_TLS) argv[i++] = US"-MCT"; -+ if (smtp_peer_options & OPTION_TLS) argv[i++] = US"-MCT"; - #endif - - if (queue_run_pid != (pid_t)0) ---- exim-4.89/src/transports/smtp.c.calloutsize 2017-03-04 
16:21:35.000000000 -0500 -+++ exim-4.89/src/transports/smtp.c 2017-08-16 16:08:51.572126172 -0400 -@@ -1291,44 +1291,44 @@ - size_t bsize = Ustrlen(buf); - - #ifdef SUPPORT_TLS --if ( checks & PEER_OFFERED_TLS -+if ( checks & OPTION_TLS - && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_TLS; -+ checks &= ~OPTION_TLS; - #endif - --if ( checks & PEER_OFFERED_IGNQ -+if ( checks & OPTION_IGNQ - && pcre_exec(regex_IGNOREQUOTA, NULL, CS buf, bsize, 0, - PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_IGNQ; -+ checks &= ~OPTION_IGNQ; - --if ( checks & PEER_OFFERED_CHUNKING -+if ( checks & OPTION_CHUNKING - && pcre_exec(regex_CHUNKING, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_CHUNKING; -+ checks &= ~OPTION_CHUNKING; - - #ifndef DISABLE_PRDR --if ( checks & PEER_OFFERED_PRDR -+if ( checks & OPTION_PRDR - && pcre_exec(regex_PRDR, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_PRDR; -+ checks &= ~OPTION_PRDR; - #endif - - #ifdef SUPPORT_I18N --if ( checks & PEER_OFFERED_UTF8 -+if ( checks & OPTION_UTF8 - && pcre_exec(regex_UTF8, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_UTF8; -+ checks &= ~OPTION_UTF8; - #endif - --if ( checks & PEER_OFFERED_DSN -+if ( checks & OPTION_DSN - && pcre_exec(regex_DSN, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_DSN; -+ checks &= ~OPTION_DSN; - --if ( checks & PEER_OFFERED_PIPE -+if ( checks & OPTION_PIPE - && pcre_exec(regex_PIPELINING, NULL, CS buf, bsize, 0, - PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_PIPE; -+ checks &= ~OPTION_PIPE; - --if ( checks & PEER_OFFERED_SIZE -+if ( checks & OPTION_SIZE - && pcre_exec(regex_SIZE, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) -- checks &= ~PEER_OFFERED_SIZE; -+ checks &= ~OPTION_SIZE; - - return checks; - } -@@ -1479,6 +1479,7 @@ - - if ((sx->max_rcpt = sx->tblock->max_addresses) == 0) sx->max_rcpt = 
999999; - sx->peer_offered = 0; -+sx->avoid_option = 0; - sx->igquotstr = US""; - if (!sx->helo_data) sx->helo_data = sx->ob->helo_data; - #ifdef EXPERIMENTAL_DSN_INFO -@@ -1715,7 +1716,7 @@ - #ifdef SUPPORT_TLS - if (sx->smtps) - { -- smtp_peer_options |= PEER_OFFERED_TLS; -+ smtp_peer_options |= OPTION_TLS; - suppress_tls = FALSE; - sx->ob->tls_tempfail_tryclear = FALSE; - smtp_command = US"SSL-on-connect"; -@@ -1780,18 +1781,18 @@ - } - } - -- sx->peer_offered = smtp_peer_options = 0; -+ sx->avoid_option = sx->peer_offered = smtp_peer_options = 0; - - if (sx->esmtp || sx->lmtp) - { - sx->peer_offered = ehlo_response(sx->buffer, -- PEER_OFFERED_TLS /* others checked later */ -+ OPTION_TLS /* others checked later */ - ); - - /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */ - - #ifdef SUPPORT_TLS -- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_TLS; -+ smtp_peer_options |= sx->peer_offered & OPTION_TLS; - #endif - } - } -@@ -1825,7 +1826,7 @@ - for error analysis. */ - - #ifdef SUPPORT_TLS --if ( smtp_peer_options & PEER_OFFERED_TLS -+if ( smtp_peer_options & OPTION_TLS - && !suppress_tls - && verify_check_given_host(&sx->ob->hosts_avoid_tls, sx->host) != OK - && ( !sx->verify -@@ -1970,7 +1971,7 @@ - { - errno = ERRNO_TLSREQUIRED; - message = string_sprintf("a TLS session is required, but %s", -- smtp_peer_options & PEER_OFFERED_TLS -+ smtp_peer_options & OPTION_TLS - ? "an attempt to start TLS failed" : "the server did not offer TLS support"); - goto TLS_FAILED; - } -@@ -1991,60 +1992,60 @@ - { - sx->peer_offered = ehlo_response(sx->buffer, - 0 /* no TLS */ -- | (sx->lmtp && sx->ob->lmtp_ignore_quota ? PEER_OFFERED_IGNQ : 0) -- | PEER_OFFERED_CHUNKING -- | PEER_OFFERED_PRDR -+ | (sx->lmtp && sx->ob->lmtp_ignore_quota ? OPTION_IGNQ : 0) -+ | OPTION_CHUNKING -+ | OPTION_PRDR - #ifdef SUPPORT_I18N -- | (sx->addrlist->prop.utf8_msg ? PEER_OFFERED_UTF8 : 0) -+ | (sx->addrlist->prop.utf8_msg ? 
OPTION_UTF8 : 0) - /*XXX if we hand peercaps on to continued-conn processes, - must not depend on this addr */ - #endif -- | PEER_OFFERED_DSN -- | PEER_OFFERED_PIPE -- | (sx->ob->size_addition >= 0 ? PEER_OFFERED_SIZE : 0) -+ | OPTION_DSN -+ | OPTION_PIPE -+ | (sx->ob->size_addition >= 0 ? OPTION_SIZE : 0) - ); - - /* Set for IGNOREQUOTA if the response to LHLO specifies support and the - lmtp_ignore_quota option was set. */ - -- sx->igquotstr = sx->peer_offered & PEER_OFFERED_IGNQ ? US" IGNOREQUOTA" : US""; -+ sx->igquotstr = sx->peer_offered & OPTION_IGNQ ? US" IGNOREQUOTA" : US""; - - /* If the response to EHLO specified support for the SIZE parameter, note - this, provided size_addition is non-negative. */ - -- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_SIZE; -+ smtp_peer_options |= sx->peer_offered & OPTION_SIZE; - - /* Note whether the server supports PIPELINING. If hosts_avoid_esmtp matched - the current host, esmtp will be false, so PIPELINING can never be used. If - the current host matches hosts_avoid_pipelining, don't do it. */ - -- if ( sx->peer_offered & PEER_OFFERED_PIPE -+ if ( sx->peer_offered & OPTION_PIPE - && verify_check_given_host(&sx->ob->hosts_avoid_pipelining, sx->host) != OK) -- smtp_peer_options |= PEER_OFFERED_PIPE; -+ smtp_peer_options |= OPTION_PIPE; - - DEBUG(D_transport) debug_printf("%susing PIPELINING\n", -- smtp_peer_options & PEER_OFFERED_PIPE ? "" : "not "); -+ smtp_peer_options & OPTION_PIPE ? 
"" : "not "); - -- if ( sx->peer_offered & PEER_OFFERED_CHUNKING -+ if ( sx->peer_offered & OPTION_CHUNKING - && verify_check_given_host(&sx->ob->hosts_try_chunking, sx->host) != OK) -- sx->peer_offered &= ~PEER_OFFERED_CHUNKING; -+ sx->peer_offered &= ~OPTION_CHUNKING; - -- if (sx->peer_offered & PEER_OFFERED_CHUNKING) -+ if (sx->peer_offered & OPTION_CHUNKING) - {DEBUG(D_transport) debug_printf("CHUNKING usable\n");} - - #ifndef DISABLE_PRDR -- if ( sx->peer_offered & PEER_OFFERED_PRDR -+ if ( sx->peer_offered & OPTION_PRDR - && verify_check_given_host(&sx->ob->hosts_try_prdr, sx->host) != OK) -- sx->peer_offered &= ~PEER_OFFERED_PRDR; -+ sx->peer_offered &= ~OPTION_PRDR; - -- if (sx->peer_offered & PEER_OFFERED_PRDR) -+ if (sx->peer_offered & OPTION_PRDR) - {DEBUG(D_transport) debug_printf("PRDR usable\n");} - #endif - - /* Note if the server supports DSN */ -- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_DSN; -+ smtp_peer_options |= sx->peer_offered & OPTION_DSN; - DEBUG(D_transport) debug_printf("%susing DSN\n", -- sx->peer_offered & PEER_OFFERED_DSN ? "" : "not "); -+ sx->peer_offered & OPTION_DSN ? "" : "not "); - - /* Note if the response to EHLO specifies support for the AUTH extension. - If it has, check that this host is one we want to authenticate to, and do -@@ -2061,7 +2062,7 @@ - } - } - } --pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE); -+pipelining_active = !!(smtp_peer_options & OPTION_PIPE); - - /* The setting up of the SMTP call is now complete. Any subsequent errors are - message-specific. 
*/ -@@ -2079,7 +2080,7 @@ - } - - /* If this is an international message we need the host to speak SMTPUTF8 */ --if (sx->utf8_needed && !(sx->peer_offered & PEER_OFFERED_UTF8)) -+if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8)) - { - errno = ERRNO_UTF8_FWD; - goto RESPONSE_FAILED; -@@ -2202,14 +2203,15 @@ - - *p = 0; - --/* If we know the receiving MTA supports the SIZE qualification, -+/* If we know the receiving MTA supports the SIZE qualification, and we know it, - send it, adding something to the message size to allow for imprecision - and things that get added en route. Exim keeps the number of lines - in a message, so we can give an accurate value for the original message, but we - need some additional to handle added headers. (Double "." characters don't get - included in the count.) */ - --if (sx->peer_offered & PEER_OFFERED_SIZE) -+if ( message_size > 0 -+ && sx->peer_offered & OPTION_SIZE && !(sx->avoid_option & OPTION_SIZE)) - { - sprintf(CS p, " SIZE=%d", message_size+message_linecount+sx->ob->size_addition); - while (*p) p++; -@@ -2220,7 +2222,7 @@ - request that */ - - sx->prdr_active = FALSE; --if (sx->peer_offered & PEER_OFFERED_PRDR) -+if (sx->peer_offered & OPTION_PRDR) - for (addr = addrlist; addr; addr = addr->next) - if (addr->transport_return == PENDING_DEFER) - { -@@ -2239,7 +2241,7 @@ - /* If it supports internationalised messages, and this meesage need that, - request it */ - --if ( sx->peer_offered & PEER_OFFERED_UTF8 -+if ( sx->peer_offered & OPTION_UTF8 - && addrlist->prop.utf8_msg - && !addrlist->prop.utf8_downcvt - ) -@@ -2261,7 +2263,7 @@ - - /* Add any DSN flags to the mail command */ - --if (sx->peer_offered & PEER_OFFERED_DSN && !sx->dsn_all_lasthop) -+if (sx->peer_offered & OPTION_DSN && !sx->dsn_all_lasthop) - { - if (dsn_ret == dsn_ret_hdrs) - { Ustrcpy(p, " RET=HDRS"); p += 9; } -@@ -2297,7 +2299,7 @@ - - /* Add any DSN flags to the rcpt command */ - --if (sx->peer_offered & PEER_OFFERED_DSN && !(addr->dsn_flags & 
rf_dsnlasthop)) -+if (sx->peer_offered & OPTION_DSN && !(addr->dsn_flags & rf_dsnlasthop)) - { - if (addr->dsn_flags & rf_dsnflags) - { -@@ -2367,7 +2369,7 @@ - the delivery log line. */ - - if ( sx->addrlist->prop.utf8_msg -- && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & PEER_OFFERED_UTF8)) -+ && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & OPTION_UTF8)) - ) - { - if (s = string_address_utf8_to_alabel(s, &errstr), errstr) -@@ -2431,7 +2433,7 @@ - BOOL no_flush; - uschar * rcpt_addr; - -- addr->dsn_aware = sx->peer_offered & PEER_OFFERED_DSN -+ addr->dsn_aware = sx->peer_offered & OPTION_DSN - ? dsn_support_yes : dsn_support_no; - - address_count++; -@@ -2594,10 +2596,10 @@ - if ( transport_filter_argv - && *transport_filter_argv - && **transport_filter_argv -- && sx.peer_offered & PEER_OFFERED_CHUNKING -+ && sx.peer_offered & OPTION_CHUNKING - ) - { -- sx.peer_offered &= ~PEER_OFFERED_CHUNKING; -+ sx.peer_offered &= ~OPTION_CHUNKING; - DEBUG(D_transport) debug_printf("CHUNKING not usable due to transport filter\n"); - } - } -@@ -2656,7 +2658,7 @@ - If using CHUNKING, do not send a BDAT until we know how big a chunk we want - to send is. */ - --if ( !(sx.peer_offered & PEER_OFFERED_CHUNKING) -+if ( !(sx.peer_offered & OPTION_CHUNKING) - && (sx.ok || (pipelining_active && !mua_wrapper))) - { - int count = smtp_write_command(&sx.outblock, FALSE, "DATA\r\n"); -@@ -2686,7 +2688,7 @@ - well as body. Set the appropriate timeout value to be used for each chunk. - (Haven't been able to make it work using select() for writing yet.) */ - --if (!(sx.peer_offered & PEER_OFFERED_CHUNKING) && !sx.ok) -+if (!(sx.peer_offered & OPTION_CHUNKING) && !sx.ok) - { - /* Save the first address of the next batch. */ - sx.first_addr = sx.next_addr; -@@ -2712,7 +2714,7 @@ - of responses. The callback needs a whole bunch of state so set up - a transport-context structure to be passed around. 
*/ - -- if (sx.peer_offered & PEER_OFFERED_CHUNKING) -+ if (sx.peer_offered & OPTION_CHUNKING) - { - tctx.check_string = tctx.escape_string = NULL; - tctx.options |= topt_use_bdat; -@@ -2737,7 +2739,7 @@ - transport_write_timeout = sx.ob->data_timeout; - smtp_command = US"sending data block"; /* For error messages */ - DEBUG(D_transport|D_v) -- if (sx.peer_offered & PEER_OFFERED_CHUNKING) -+ if (sx.peer_offered & OPTION_CHUNKING) - debug_printf(" will write message using CHUNKING\n"); - else - debug_printf(" SMTP>> writing message and terminating \".\"\n"); -@@ -2771,7 +2773,7 @@ - - smtp_command = US"end of data"; - -- if (sx.peer_offered & PEER_OFFERED_CHUNKING && sx.cmd_count > 1) -+ if (sx.peer_offered & OPTION_CHUNKING && sx.cmd_count > 1) - { - /* Reap any outstanding MAIL & RCPT commands, but not a DATA-go-ahead */ - switch(sync_responses(&sx, sx.cmd_count-1, 0)) -@@ -2926,7 +2928,7 @@ - #ifndef DISABLE_PRDR - if (sx.prdr_active) addr->flags |= af_prdr_used; - #endif -- if (sx.peer_offered & PEER_OFFERED_CHUNKING) addr->flags |= af_chunking_used; -+ if (sx.peer_offered & OPTION_CHUNKING) addr->flags |= af_chunking_used; - flag = '-'; - - #ifndef DISABLE_PRDR ---- exim-4.89/src/transports/smtp.h.calloutsize 2017-03-04 16:21:35.000000000 -0500 -+++ exim-4.89/src/transports/smtp.h 2017-08-16 15:38:52.877969104 -0400 -@@ -127,6 +127,7 @@ - int cmd_count; - - uschar peer_offered; -+ uschar avoid_option; - uschar * igquotstr; - uschar * helo_data; - #ifdef EXPERIMENTAL_DSN_INFO ---- exim-4.89/src/verify.c.calloutsize 2017-03-04 16:21:35.000000000 -0500 -+++ exim-4.89/src/verify.c 2017-08-16 15:51:37.913261370 -0400 -@@ -779,8 +779,12 @@ - postmaster-verify. - The sync_responses() would need to be taught about it and we'd - need another return code filtering out to here. -+ -+ Avoid using a SIZE option on the MAIL for all randon-rcpt checks. 
- */ - -+ sx.avoid_option = OPTION_SIZE; -+ - /* Remember when we last did a random test */ - new_domain_record.random_stamp = time(NULL); - -@@ -790,8 +794,9 @@ - case PENDING_OK: - new_domain_record.random_result = ccache_accept; - break; -- case FAIL: -+ case FAIL: /* the preferred result */ - new_domain_record.random_result = ccache_reject; -+ sx.avoid_option = 0; - - /* Between each check, issue RSET, because some servers accept only - one recipient after MAIL FROM:<>. -@@ -836,12 +841,14 @@ - else - done = TRUE; - -- /* Main verify. If the host is accepting all local parts, as determined -- by the "random" check, we don't need to waste time doing any further -- checking. */ -+ /* Main verify. For rcpt-verify use SIZE if we know it and we're not cacheing; -+ for sndr-verify never use it. */ - - if (done) - { -+ if (!(options & vopt_is_recipient && options & vopt_callout_no_cache)) -+ sx.avoid_option = OPTION_SIZE; -+ - done = FALSE; - switch(smtp_write_mail_and_rcpt_cmds(&sx, &yield)) - { -@@ -850,12 +857,12 @@ - case PENDING_OK: done = TRUE; - new_address_record.result = ccache_accept; - break; -- case FAIL: done = TRUE; -+ case FAIL: done = TRUE; - yield = FAIL; - *failure_ptr = US"recipient"; - new_address_record.result = ccache_reject; - break; -- default: break; -+ default: break; - } - break; - -@@ -908,6 +915,7 @@ - sx.ok = FALSE; - sx.send_rset = TRUE; - sx.completed_addr = FALSE; -+ sx.avoid_option = OPTION_SIZE; - - if( smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0 - && addr->transport_return == PENDING_OK diff --git a/exim-4.89-mariadb-macro-fix.patch b/exim-4.89-mariadb-macro-fix.patch deleted file mode 100644 index c5b9266..0000000 --- a/exim-4.89-mariadb-macro-fix.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -diff --git a/src/lookups/mysql.c b/src/lookups/mysql.c -index 5cf15af..b5133bc 100644 ---- a/src/lookups/mysql.c -+++ b/src/lookups/mysql.c -@@ -14,6 +14,53 @@ functions. */ - - #include /* The system header */ - -+/* We define symbols for *_VERSION_ID (numeric), *_VERSION_STR (char*) -+and *_BASE_STR (char*). It's a bit of guesswork. Especially for mariadb -+with versions before 10.2, as they do not define there there specific symbols. -+*/ -+ -+// Newer (>= 10.2) MariaDB -+#if defined MARIADB_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID MARIADB_VERSION_ID -+ -+// MySQL defines MYSQL_VERSION_ID, and MariaDB does so -+// https://dev.mysql.com/doc/refman/5.7/en/c-api-server-client-versions.html -+#elif defined LIBMYSQL_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID LIBMYSQL_VERSION_ID -+#elif defined MYSQL_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID MYSQL_VERSION_ID -+ -+#else -+#define EXIM_MYSQL_VERSION_ID 0 -+#endif -+ -+// Newer (>= 10.2) MariaDB -+#ifdef MARIADB_CLIENT_VERSION_STR -+#define EXIM_MxSQL_VERSION_STR MARIADB_CLIENT_VERSION_STR -+ -+// Mysql uses MYSQL_SERVER_VERSION -+#elif defined LIBMYSQL_VERSION -+#define EXIM_MxSQL_VERSION_STR LIBMYSQL_VERSION -+#elif defined MYSQL_SERVER_VERSION -+#define EXIM_MxSQL_VERSION_STR MYSQL_SERVER_VERSION -+ -+#else -+#define EXIM_MxSQL_VERSION_STR "N.A." -+#endif -+ -+#if defined MARIADB_BASE_VERSION -+#define EXIM_MxSQL_BASE_STR MARIADB_BASE_VERSION -+ -+#elif defined MARIADB_PACKAGE_VERSION -+#define EXIM_MxSQL_BASE_STR "mariadb" -+ -+#elif defined MYSQL_BASE_VERSION -+#define EXIM_MxSQL_BASE_STR MYSQL_BASE_VERSION -+ -+#else -+#define EXIM_MxSQL_BASE_STR "n.A." -+#endif -+ - - /* Structure and anchor for caching connections. 
*/ - -@@ -432,10 +479,10 @@ return quoted; - void - mysql_version_report(FILE *f) - { --fprintf(f, "Library version: MySQL: Compile: %s [%s]\n" -- " Runtime: %s\n", -- MYSQL_SERVER_VERSION, MYSQL_COMPILATION_COMMENT, -- mysql_get_client_info()); -+fprintf(f, "Library version: MySQL: Compile: %lu %s [%s]\n" -+ " Runtime: %lu %s\n", -+ (long)EXIM_MxSQL_VERSION_ID, EXIM_MxSQL_VERSION_STR, EXIM_MxSQL_BASE_STR, -+ mysql_get_client_version(), mysql_get_client_info()); - #ifdef DYNLOOKUP - fprintf(f, " Exim version %s\n", EXIM_VERSION_STR); - #endif diff --git a/exim-4.88-allow-filter.patch b/exim-4.90.1-allow-filter.patch similarity index 81% rename from exim-4.88-allow-filter.patch rename to exim-4.90.1-allow-filter.patch index c579f40..644d6fa 100644 --- a/exim-4.88-allow-filter.patch +++ b/exim-4.90.1-allow-filter.patch @@ -1,8 +1,8 @@ diff --git a/src/configure.default b/src/configure.default -index 1e3c63f..0e7854c 100644 +index 2cce34b..50e9236 100644 --- a/src/configure.default +++ b/src/configure.default -@@ -724,7 +724,7 @@ userforward: +@@ -727,7 +727,7 @@ userforward: # local_part_suffix = +* : -* # local_part_suffix_optional file = $home/.forward diff --git a/exim-4.89-config.patch b/exim-4.90.1-config.patch similarity index 88% rename from exim-4.89-config.patch rename to exim-4.90.1-config.patch index 3976531..c156cd7 100644 --- a/exim-4.89-config.patch +++ b/exim-4.90.1-config.patch @@ -1,8 +1,8 @@ diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile -index 3e486a6..6c4afec 100755 +index 2af1927..e461505 100755 --- a/scripts/Configure-Makefile +++ b/scripts/Configure-Makefile -@@ -269,7 +269,7 @@ if [ "${EXIM_PERL}" != "" ] ; then +@@ -296,7 +296,7 @@ if [ "${EXIM_PERL}" != "" ] ; then mv $mft $mftt echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft @@ -12,7 +12,7 @@ index 3e486a6..6c4afec 100755 echo "" >>$mft cat $mftt >> $mft 
diff --git a/src/EDITME b/src/EDITME -index df74aac..0caf02d 100644 +index 72e26ce..0bd97f1 100644 --- a/src/EDITME +++ b/src/EDITME @@ -98,7 +98,7 @@ @@ -51,7 +51,7 @@ index df74aac..0caf02d 100644 # Many sites define a user called "exim", with an appropriate default group, # and use -@@ -232,7 +232,7 @@ TRANSPORT_SMTP=yes +@@ -237,7 +237,7 @@ TRANSPORT_SMTP=yes # This one is special-purpose, and commonly not required, so it is not # included by default. @@ -60,7 +60,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -241,9 +241,9 @@ TRANSPORT_SMTP=yes +@@ -246,9 +246,9 @@ TRANSPORT_SMTP=yes # MBX, is included only when requested. If you do not know what this is about, # leave these settings commented out. @@ -73,7 +73,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -301,19 +301,21 @@ LOOKUP_DBM=yes +@@ -306,20 +306,22 @@ LOOKUP_DBM=yes LOOKUP_LSEARCH=yes LOOKUP_DNSDB=yes @@ -84,6 +84,7 @@ index df74aac..0caf02d 100644 # LOOKUP_IBASE=yes -# LOOKUP_LDAP=yes -# LOOKUP_MYSQL=yes +-# LOOKUP_MYSQL_PC=mariadb -# LOOKUP_NIS=yes -# LOOKUP_NISPLUS=yes +LOOKUP_LDAP=yes @@ -91,6 +92,7 @@ index df74aac..0caf02d 100644 +LOOKUP_INCLUDE=-I/usr/include/mysql +LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq +LOOKUP_MYSQL=yes ++LOOKUP_MYSQL_PC=mariadb +LOOKUP_NIS=yes +LOOKUP_NISPLUS=yes # LOOKUP_ORACLE=yes @@ -105,7 +107,7 @@ index df74aac..0caf02d 100644 # LOOKUP_WHOSON=yes # These two settings are obsolete; all three lookups are compiled when -@@ -390,7 +392,7 @@ EXIM_MONITOR=eximon.bin +@@ -396,7 +398,7 @@ EXIM_MONITOR=eximon.bin # and the MIME ACL. Please read the documentation to learn more about these # features. 
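Review bot: The added `LOOKUP_MYSQL_PC=mariadb` line in the lookup block sits next to the hand-written `LOOKUP_INCLUDE=-I/usr/include/mysql` and the `-L/usr/$(_lib)/mysql -lmysqlclient` part of `LOOKUP_LIBS`, so the MySQL client flags now appear to be supplied twice, once through pkg-config and once by hand. If the pkg-config entry resolves to a different client library than `-lmysqlclient`, it is unclear which one the binary ends up linked against. I would either remove the hard-coded MySQL include and library flags and rely on the `_PC` setting, or keep them and leave `LOOKUP_MYSQL_PC` commented out. The EDITME section being patched continues outside this hunk, so other settings may interact with this.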
@@ -114,7 +116,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ # If you're using ClamAV and are backporting fixes to an old version, instead -@@ -577,7 +579,7 @@ FIXED_NEVER_USERS=root +@@ -584,7 +586,7 @@ FIXED_NEVER_USERS=root # CONFIGURE_OWNER setting, to specify a configuration file which is listed in # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. @@ -123,7 +125,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -622,17 +624,14 @@ FIXED_NEVER_USERS=root +@@ -629,17 +631,14 @@ FIXED_NEVER_USERS=root # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. @@ -149,7 +151,7 @@ index df74aac..0caf02d 100644 # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 # requires multiple pkg-config files to work with Exim, so the second example -@@ -656,7 +655,7 @@ FIXED_NEVER_USERS=root +@@ -663,7 +662,7 @@ FIXED_NEVER_USERS=root # one that is set in the headers_charset option. The default setting is # defined by this setting: @@ -158,7 +160,7 @@ index df74aac..0caf02d 100644 # If you are going to make use of $header_xxx expansions in your configuration # file, or if your users are going to use them in filter files, and the normal -@@ -676,7 +675,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -683,7 +682,7 @@ HEADERS_CHARSET="ISO-8859-1" # the Sieve filter support. For those OS where iconv() is known to be installed # as standard, the file in OS/Makefile-xxxx contains # 
@@ -167,7 +169,7 @@ index df74aac..0caf02d 100644 # # If you are not using one of those systems, but have installed iconv(), you # need to uncomment that line above. In some cases, you may find that iconv() -@@ -745,11 +744,11 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -752,11 +751,11 @@ HEADERS_CHARSET="ISO-8859-1" # leave these settings commented out. # This setting is required for any TLS support (either OpenSSL or GnuTLS) @@ -182,7 +184,7 @@ index df74aac..0caf02d 100644 # Uncomment the first and either the second or the third of these if you # are using GnuTLS. If you have pkg-config, then the second, else the third. -@@ -818,7 +817,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -825,7 +824,7 @@ HEADERS_CHARSET="ISO-8859-1" # Once you have done this, "make install" will build the info files and # install them in the directory you have defined. @@ -191,7 +193,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -831,7 +830,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -838,7 +837,7 @@ HEADERS_CHARSET="ISO-8859-1" # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: @@ -200,7 +202,7 @@ index df74aac..0caf02d 100644 # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create -@@ -903,7 +902,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -910,7 +909,7 @@ ZCAT_COMMAND=/usr/bin/zcat # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded # Perl costs quite a lot of resources. Only do this if you really need it. 
@@ -209,7 +211,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -913,7 +912,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -920,7 +919,7 @@ ZCAT_COMMAND=/usr/bin/zcat # that the local_scan API is made available by the linker. You may also need # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. @@ -218,7 +220,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -923,7 +922,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -930,7 +929,7 @@ ZCAT_COMMAND=/usr/bin/zcat # support, which is intended for use in conjunction with the SMTP AUTH # facilities, is included only when requested by the following setting: @@ -227,7 +229,7 @@ index df74aac..0caf02d 100644 # You probably need to add -lpam to EXTRALIBS, and in some releases of # GNU/Linux -ldl is also needed. -@@ -1021,7 +1020,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -1028,7 +1027,7 @@ ZCAT_COMMAND=/usr/bin/zcat # group. Once you have installed saslauthd, you should arrange for it to be # started by root at boot time. 
@@ -236,20 +238,18 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -1034,9 +1033,9 @@ ZCAT_COMMAND=/usr/bin/zcat - # You may well also have to specify a local "include" file and an additional +@@ -1042,8 +1041,8 @@ ZCAT_COMMAND=/usr/bin/zcat # library for TCP wrappers, so you probably need something like this: # --# USE_TCP_WRAPPERS=yes + # USE_TCP_WRAPPERS=yes -# CFLAGS=-O -I/usr/local/include -# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap -+USE_TCP_WRAPPERS=yes +CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) -+EXTRALIBS_EXIM=-lwrap -lpam -ldl -export-dynamic -rdynamic ++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic # # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM # as well. -@@ -1088,7 +1087,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1095,7 +1094,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases # is "yes", as well as supporting line editing, a history of input lines in the # current run is maintained. @@ -258,7 +258,7 @@ index df74aac..0caf02d 100644 # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. # Note that this option adds to the size of the Exim binary, because the -@@ -1098,7 +1097,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1112,7 +1111,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases #------------------------------------------------------------------------------ # Uncomment this setting to include IPv6 support. @@ -267,7 +267,7 @@ index df74aac..0caf02d 100644 ############################################################################### # THINGS YOU ALMOST NEVER NEED TO MENTION # -@@ -1119,13 +1118,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1133,13 +1132,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. 
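Review bot: The refreshed EDITME hunk at `@@ -1042,8 +1041,8 @@` appears to stop enabling TCP wrappers: `# USE_TCP_WRAPPERS=yes` is now left as a commented-out context line and `-lwrap` is gone from `EXTRALIBS_EXIM`, whereas the 4.89 version of this patch set `USE_TCP_WRAPPERS=yes` and linked `-lwrap`. If the resulting binary is built without libwrap, any `hosts.allow`/`hosts.deny` rules an administrator wrote for exim stop being consulted after the upgrade, with no error to signal it. The commit message and %changelog list only the version bump, the CVE fix and the patch refresh, so this access-control change is undocumented. If it is intended, add a changelog line such as `- Dropped TCP wrappers support`; if not, restore `USE_TCP_WRAPPERS=yes` and `-lwrap` in this hunk.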
@@ -288,7 +288,7 @@ index df74aac..0caf02d 100644 #------------------------------------------------------------------------------ -@@ -1327,7 +1326,7 @@ EXIM_TMPDIR="/tmp" +@@ -1341,7 +1340,7 @@ EXIM_TMPDIR="/tmp" # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: diff --git a/exim-4.88-cyrus.patch b/exim-4.90.1-cyrus.patch similarity index 90% rename from exim-4.88-cyrus.patch rename to exim-4.90.1-cyrus.patch index 395de3a..13d7efe 100644 --- a/exim-4.88-cyrus.patch +++ b/exim-4.90.1-cyrus.patch @@ -1,8 +1,8 @@ diff --git a/src/configure.default b/src/configure.default -index 8b6162b..d588898 100644 +index 562d0be..1138335 100644 --- a/src/configure.default +++ b/src/configure.default -@@ -765,6 +765,16 @@ address_reply: +@@ -768,6 +768,16 @@ address_reply: driver = autoreply diff --git a/exim-4.89-dlopen-localscan.patch b/exim-4.90.1-dlopen-localscan.patch similarity index 96% rename from exim-4.89-dlopen-localscan.patch rename to exim-4.90.1-dlopen-localscan.patch index 3e94d2e..39053a3 100644 --- a/exim-4.89-dlopen-localscan.patch +++ b/exim-4.90.1-dlopen-localscan.patch @@ -1,8 +1,8 @@ diff --git a/src/EDITME b/src/EDITME -index 0caf02d..6957546 100644 +index 0bd97f1..ce2b047 100644 --- a/src/EDITME +++ b/src/EDITME -@@ -802,6 +802,20 @@ TLS_LIBS=-lssl -lcrypto +@@ -809,6 +809,20 @@ TLS_LIBS=-lssl -lcrypto #------------------------------------------------------------------------------ @@ -24,10 +24,10 @@ index 0caf02d..6957546 100644 # documentation. Other forms are available separately. If you want to install # the documentation in "info" format, first fetch the Texinfo documentation diff --git a/src/config.h.defaults b/src/config.h.defaults -index 58e1813..9b18f98 100644 +index 4750523..e3943a8 100644 --- a/src/config.h.defaults 
+++ b/src/config.h.defaults -@@ -28,6 +28,8 @@ it's a default value. */ +@@ -31,6 +31,8 @@ Do not put spaces between # and the 'define'. #define AUTH_VARS 3 @@ -37,7 +37,7 @@ index 58e1813..9b18f98 100644 #define CONFIGURE_FILE diff --git a/src/globals.c b/src/globals.c -index 79ac37f..b7d690f 100644 +index 5df84bd..74724fd 100644 --- a/src/globals.c +++ b/src/globals.c @@ -167,6 +167,10 @@ uschar *tls_verify_hosts = NULL; @@ -52,7 +52,7 @@ index 79ac37f..b7d690f 100644 /* Per Recipient Data Response variables */ BOOL prdr_enable = FALSE; diff --git a/src/globals.h b/src/globals.h -index 340f1ae..4b65781 100644 +index 37d4cad..2b313e0 100644 --- a/src/globals.h +++ b/src/globals.h @@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */ @@ -251,10 +251,10 @@ index 3500047..8599172 100644 + /* End of local_scan.c */ diff --git a/src/readconf.c b/src/readconf.c -index 790f073..6e88bcd 100644 +index 8d5f38c..73095be 100644 --- a/src/readconf.c +++ b/src/readconf.c -@@ -318,6 +318,9 @@ static optionlist optionlist_config[] = { +@@ -195,6 +195,9 @@ static optionlist optionlist_config[] = { { "local_from_prefix", opt_stringptr, &local_from_prefix }, { "local_from_suffix", opt_stringptr, &local_from_suffix }, { "local_interfaces", opt_stringptr, &local_interfaces }, diff --git a/exim-4.87-dynlookup-config.patch b/exim-4.90.1-dynlookup-config.patch similarity index 75% rename from exim-4.87-dynlookup-config.patch rename to exim-4.90.1-dynlookup-config.patch index d922078..1d9a120 100644 --- a/exim-4.87-dynlookup-config.patch +++ b/exim-4.90.1-dynlookup-config.patch @@ -1,8 +1,8 @@ diff --git a/src/EDITME b/src/EDITME -index df3dcc8..de01565 100644 +index ce2b047..ad06440 100644 --- a/src/EDITME +++ b/src/EDITME -@@ -306,14 +306,16 @@ LOOKUP_DSEARCH=yes +@@ -311,15 +311,17 @@ LOOKUP_DSEARCH=yes # LOOKUP_IBASE=yes LOOKUP_LDAP=yes LDAP_LIB_TYPE=OPENLDAP2 
@@ -10,10 +10,11 @@ index df3dcc8..de01565 100644 -LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq -LOOKUP_MYSQL=yes +LOOKUP_LIBS=-lldap -llber -lsqlite3 -+LOOKUP_MYSQL_INCLUDE=-I/usr/include/mysql -+LOOKUP_MYSQL_LIBS=-L/usr/${_lib}/mysql -lmysqlclient ++LOOKUP_INCLUDE=-I/usr/include/mysql ++LOOKUP_MYSQL_LIBS=-lmysqlclient +LOOKUP_PGSQL_LIBS=-lpq +LOOKUP_MYSQL=2 + LOOKUP_MYSQL_PC=mariadb LOOKUP_NIS=yes LOOKUP_NISPLUS=yes # LOOKUP_ORACLE=yes diff --git a/exim-4.89-environment.patch b/exim-4.90.1-environment.patch similarity index 82% rename from exim-4.89-environment.patch rename to exim-4.90.1-environment.patch index c579b72..aae43f6 100644 --- a/exim-4.89-environment.patch +++ b/exim-4.90.1-environment.patch @@ -1,7 +1,8 @@ diff --git a/src/configure.default b/src/configure.default +index b955c6e..590c664 100644 --- a/src/configure.default +++ b/src/configure.default -@@ -357,8 +357,8 @@ timeout_frozen_after = 7d +@@ -360,8 +360,8 @@ timeout_frozen_after = 7d # Note that TZ is handled separately by the timezone runtime option # and TIMEZONE_DEFAULT buildtime option. diff --git a/exim-4.88-greylist-conf.patch b/exim-4.90.1-greylist-conf.patch similarity index 94% rename from exim-4.88-greylist-conf.patch rename to exim-4.90.1-greylist-conf.patch index a579e66..880722f 100644 --- a/exim-4.88-greylist-conf.patch +++ b/exim-4.90.1-greylist-conf.patch @@ -1,5 +1,5 @@ diff --git a/src/configure.default b/src/configure.default -index 921c53b..a92c954 100644 +index 72675be..30ffc8c 100644 --- a/src/configure.default +++ b/src/configure.default @@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost @@ -10,7 +10,7 @@ index 921c53b..a92c954 100644 acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data acl_smtp_mime = acl_check_mime -@@ -368,6 +369,29 @@ timeout_frozen_after = 7d +@@ -371,6 +372,29 @@ timeout_frozen_after = 7d begin acl 
@@ -40,7 +40,7 @@ index 921c53b..a92c954 100644 # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. -@@ -493,7 +517,8 @@ acl_check_rcpt: +@@ -496,7 +520,8 @@ acl_check_rcpt: # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two # examples of how you can get Exim to perform a DNS black list lookup at this @@ -50,7 +50,7 @@ index 921c53b..a92c954 100644 # # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # dnslists = black.list.example -@@ -501,6 +526,10 @@ acl_check_rcpt: +@@ -504,6 +529,10 @@ acl_check_rcpt: # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # log_message = found in $dnslist_domain @@ -61,7 +61,7 @@ index 921c53b..a92c954 100644 ############################################################################# ############################################################################# -@@ -514,6 +543,10 @@ acl_check_rcpt: +@@ -517,6 +546,10 @@ acl_check_rcpt: # require verify = csa ############################################################################# @@ -72,7 +72,7 @@ index 921c53b..a92c954 100644 # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. -@@ -546,6 +579,12 @@ acl_check_data: +@@ -549,6 +582,12 @@ acl_check_data: # deny condition = ${if !def:h_Message-ID: {1}} # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ # Most messages without it are spam, so your mail has been rejected. 
@@ -85,7 +85,7 @@ index 921c53b..a92c954 100644 # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. -@@ -580,8 +619,30 @@ acl_check_data: +@@ -583,8 +622,30 @@ acl_check_data: # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ # $spam_report diff --git a/exim-4.88-pamconfig.patch b/exim-4.90.1-pamconfig.patch similarity index 88% rename from exim-4.88-pamconfig.patch rename to exim-4.90.1-pamconfig.patch index 031cebe..bc8a078 100644 --- a/exim-4.88-pamconfig.patch +++ b/exim-4.90.1-pamconfig.patch @@ -1,5 +1,5 @@ diff --git a/src/configure.default b/src/configure.default -index d588898..61bdae8 100644 +index 1138335..0675b40 100644 --- a/src/configure.default +++ b/src/configure.default @@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data @@ -20,9 +20,9 @@ index d588898..61bdae8 100644 +tls_certificate = /etc/pki/tls/certs/exim.pem +tls_privatekey = /etc/pki/tls/private/exim.pem - # In order to support roaming users who wish to send email from anywhere, - # you may want to make Exim listen on other ports as well as port 25, in -@@ -162,8 +162,8 @@ acl_smtp_data = acl_check_data + # For OpenSSL, prefer EC- over RSA-authenticated ciphers + # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT +@@ -165,8 +165,8 @@ acl_smtp_data = acl_check_data # them you should also allow TLS-on-connect on the traditional but # non-standard port 465. @@ -33,7 +33,7 @@ index d588898..61bdae8 100644 # Specify the domain you want to be added to all unqualified addresses -@@ -221,6 +221,24 @@ never_users = root +@@ -224,6 +224,24 @@ never_users = root host_lookup = * 
@@ -58,7 +58,7 @@ index d588898..61bdae8 100644 # The settings below cause Exim to make RFC 1413 (ident) callbacks # for all incoming SMTP calls. You can limit the hosts to which these -@@ -844,7 +862,7 @@ begin authenticators +@@ -847,7 +865,7 @@ begin authenticators # driver = plaintext # server_set_id = $auth2 # server_prompts = : @@ -67,7 +67,7 @@ index d588898..61bdae8 100644 # server_advertise_condition = ${if def:tls_in_cipher } # LOGIN authentication has traditional prompts and responses. There is no -@@ -856,7 +874,7 @@ begin authenticators +@@ -859,7 +877,7 @@ begin authenticators # driver = plaintext # server_set_id = $auth1 # server_prompts = <| Username: | Password: diff --git a/exim-4.88-procmail.patch b/exim-4.90.1-procmail.patch similarity index 90% rename from exim-4.88-procmail.patch rename to exim-4.90.1-procmail.patch index 1227d84..e172d9d 100644 --- a/exim-4.88-procmail.patch +++ b/exim-4.90.1-procmail.patch @@ -1,8 +1,8 @@ diff --git a/src/configure.default b/src/configure.default -index ecc3d6e..1e3c63f 100644 +index 8b4575c..2cce34b 100644 --- a/src/configure.default +++ b/src/configure.default -@@ -732,6 +732,12 @@ userforward: +@@ -735,6 +735,12 @@ userforward: pipe_transport = address_pipe reply_transport = address_reply @@ -15,7 +15,7 @@ index ecc3d6e..1e3c63f 100644 # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". -@@ -773,6 +779,16 @@ remote_smtp: +@@ -776,6 +782,16 @@ remote_smtp: driver = smtp message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} diff --git a/exim-4.88-rhl.patch b/exim-4.90.1-rhl.patch similarity index 84% rename from exim-4.88-rhl.patch rename to exim-4.90.1-rhl.patch index 0a8af5a..879c640 100644 --- a/exim-4.88-rhl.patch +++ b/exim-4.90.1-rhl.patch @@ -1,8 +1,8 @@ diff --git a/src/configure.default b/src/configure.default -index 985f1d0..8b6162b 100644 +index 1dc9b91..562d0be 100644 --- a/src/configure.default 
+++ b/src/configure.default -@@ -630,7 +630,7 @@ system_aliases: +@@ -633,7 +633,7 @@ system_aliases: driver = redirect allow_fail allow_defer @@ -11,7 +11,7 @@ index 985f1d0..8b6162b 100644 # user = exim file_transport = address_file pipe_transport = address_pipe -@@ -731,8 +731,8 @@ local_delivery: +@@ -734,8 +734,8 @@ local_delivery: delivery_date_add envelope_to_add return_path_add diff --git a/exim-4.88-smarthost-config.patch b/exim-4.90.1-smarthost-config.patch similarity index 92% rename from exim-4.88-smarthost-config.patch rename to exim-4.90.1-smarthost-config.patch index 75c3fcd..b8bce18 100644 --- a/exim-4.88-smarthost-config.patch +++ b/exim-4.90.1-smarthost-config.patch @@ -1,8 +1,8 @@ diff --git a/src/configure.default b/src/configure.default -index a92c954..13599ae 100644 +index 30ffc8c..b955c6e 100644 --- a/src/configure.default +++ b/src/configure.default -@@ -840,6 +840,15 @@ remote_smtp: +@@ -843,6 +843,15 @@ remote_smtp: driver = smtp message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} @@ -18,7 +18,7 @@ index a92c954..13599ae 100644 # This transport invokes procmail to deliver mail procmail: driver = pipe -@@ -948,6 +957,21 @@ begin rewrite +@@ -951,6 +960,21 @@ begin rewrite # AUTHENTICATION CONFIGURATION # ###################################################################### @@ -40,7 +40,7 @@ index a92c954..13599ae 100644 # The following authenticators support plaintext username/password # authentication using the standard PLAIN mechanism and the traditional # but non-standard LOGIN mechanism, with Exim acting as the server. -@@ -963,7 +987,7 @@ begin rewrite +@@ -966,7 +990,7 @@ begin rewrite # The default RCPT ACL checks for successful authentication, and will accept # messages from authenticated users from anywhere on the Internet. 
diff --git a/exim-4.87-spamdconf.patch b/exim-4.90.1-spamdconf.patch similarity index 94% rename from exim-4.87-spamdconf.patch rename to exim-4.90.1-spamdconf.patch index c5a21f6..5f8816a 100644 --- a/exim-4.87-spamdconf.patch +++ b/exim-4.90.1-spamdconf.patch @@ -1,5 +1,7 @@ ---- a/src/configure.default.spamd 2016-12-25 21:06:57.453758443 +0000 -+++ b/src/configure.default 2016-12-25 21:07:49.940188407 +0000 +diff --git a/src/configure.default b/src/configure.default +index 0675b40..8b4575c 100644 +--- a/src/configure.default ++++ b/src/configure.default @@ -109,6 +109,7 @@ hostlist relay_from_hosts = localhost acl_smtp_rcpt = acl_check_rcpt @@ -17,7 +19,7 @@ # For spam scanning, there is a similar option that defines the interface to -@@ -431,7 +432,8 @@ acl_check_rcpt: +@@ -434,7 +435,8 @@ acl_check_rcpt: accept local_parts = postmaster domains = +local_domains @@ -27,7 +29,7 @@ require verify = sender -@@ -535,27 +537,63 @@ acl_check_data: +@@ -538,27 +540,63 @@ acl_check_data: got $max_received_linelength condition = ${if > {$max_received_linelength}{998}} @@ -50,17 +52,17 @@ - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. -- # ++ # Bypass SpamAssassin checks if the message is too large. + # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report -+ # Bypass SpamAssassin checks if the message is too large. -+ # + # accept condition = ${if >={$message_size}{100000} {1}} + # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size -+ + +- # Accept the message. + # Run SpamAssassin, but allow for it to fail or time out. Add a warning message + # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA + # score exceeds the SA system threshold. 
@@ -76,8 +78,7 @@ + # + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ + # X-Spam-Report: $spam_report - -- # Accept the message. ++ + # And reject if the SpamAssassin score is greater than ten + # + # deny condition = ${if >{$spam_score_int}{100} {1}} diff --git a/exim.spec b/exim.spec index 9814ac0..0c06dbb 100644 --- a/exim.spec +++ b/exim.spec @@ -13,8 +13,8 @@ Summary: The exim mail transfer agent Name: exim -Version: 4.89 -Release: 7%{?dist} +Version: 4.90.1 +Release: 1%{?dist} License: GPLv2+ Url: http://www.exim.org/ Group: System Environment/Daemons 
@@ -46,33 +46,21 @@ Source24: exim.service Source25: exim-gen-cert Source26: clamd.exim.service -Patch4: exim-4.88-rhl.patch -Patch6: exim-4.89-config.patch +Patch4: exim-4.90.1-rhl.patch +Patch6: exim-4.90.1-config.patch Patch8: exim-4.82-libdir.patch -Patch12: exim-4.88-cyrus.patch -Patch13: exim-4.88-pamconfig.patch -Patch14: exim-4.87-spamdconf.patch -Patch18: exim-4.89-dlopen-localscan.patch -Patch19: exim-4.88-procmail.patch -Patch20: exim-4.88-allow-filter.patch +Patch12: exim-4.90.1-cyrus.patch +Patch13: exim-4.90.1-pamconfig.patch +Patch14: exim-4.90.1-spamdconf.patch +Patch18: exim-4.90.1-dlopen-localscan.patch +Patch19: exim-4.90.1-procmail.patch +Patch20: exim-4.90.1-allow-filter.patch Patch21: exim-4.87-localhost-is-local.patch -Patch22: exim-4.88-greylist-conf.patch -Patch23: exim-4.88-smarthost-config.patch -Patch25: exim-4.87-dynlookup-config.patch -# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584 +Patch22: exim-4.90.1-greylist-conf.patch +Patch23: exim-4.90.1-smarthost-config.patch +Patch25: exim-4.90.1-dynlookup-config.patch Patch26: exim-4.85-pic.patch -Patch27: exim-4.89-environment.patch -# Backported from upstream: -# https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21 -Patch28: exim-4.89-CVE-2017-1000369.patch -# Backported from upstream: -# https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b -Patch29: exim-4.89-calloutsize.patch -Patch30: exim-4.89-mariadb-macro-fix.patch -# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2199 -Patch31: exim-4.89-CVE-2017-16943.patch -# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2201 -Patch32: exim-4.89-CVE-2017-16944.patch +Patch27: exim-4.90.1-environment.patch Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: /etc/aliases 
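Review bot: The comment `# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584` above `Patch26: exim-4.85-pic.patch` is deleted although Patch26 itself stays, so the one remaining out-of-tree patch with an upstream reference loses it. Keep that comment line. Patch28, Patch31 and Patch32 carried CVE fixes, and the changelog states they are upstreamed, but nothing in the spec records where. A one-line comment such as `# CVE-2017-1000369, CVE-2017-16943, CVE-2017-16944: fixed upstream, patches dropped in 4.90.1` near the Patch list would let a later security review confirm coverage without digging through history.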
@@ -219,11 +207,6 @@ greylisting unconditional. %patch25 -p1 -b .dynconfig %patch26 -p1 -b .fpic %patch27 -p1 -b .environment -%patch28 -p1 -b .CVE-2017-1000369 -%patch29 -p1 -b .calloutsize -%patch30 -p1 -b .mariadb-macro-fix -%patch31 -p1 -b .CVE-2017-16943 -%patch32 -p1 -b .CVE-2017-16944 cp src/EDITME Local/Makefile sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile @@ -604,6 +587,16 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || : %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Tue Feb 13 2018 Jaroslav Škarvada - 4.90.1-1 +- New version + Resolves: rhbz#1527710 +- Fixed buffer overflow in utility function + Resolves: CVE-2018-6789 +- Updated and defuzzified patches +- Dropped mariadb-macro-fix patch (not needed) +- Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, + CVE-2017-16944 patches (all upstreamed) + * Fri Dec 1 2017 Jaroslav Škarvada - 4.89-7 - Fixed denial of service Resolves: CVE-2017-16944 diff --git a/sources b/sources index 2360d71..0995d54 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (exim-4.89.tar.xz) = ce5faef3847a5baf1b4fec1ffe46ce7efaafb24e63bcc52a61f38e8312a88eccaa816c3947ba428bef3eed38b1e91e606f6ed07bc0a3e14c6a6ed0ecb41eb9fa +SHA512 (exim-4.90.1.tar.xz) = b4830a2e03023b2bafc9e62535f467bb61b0f1398b6b3af0a7ef6f49e6cba60a9496e6762d0898b7ac1c2823db8cf96ed9f37e26b05809b4ba01725d9e72b806