
Bug#611446: marked as done (unblock: exim4/4.72-5)



Your message dated Sat, 29 Jan 2011 16:13:50 +0000
with message-id <1296317630.3206.2188.camel@hathi.jungle.funky-badger.org>
and subject line Re: Bug#611446: unblock: exim4/4.72-5
has caused the Debian Bug report #611446,
regarding unblock: exim4/4.72-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
611446: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611446
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception


Please unblock package exim4

This release fixes a single bug:
PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
 If dropping privileges for untrusted macros, we disabled normal logging
 on the basis that it would fail; for the Exim run-time user, this is not
 the case, and it resulted in successful deliveries going unlogged.

http://bugs.debian.org/610611

Thanks in advance.
cu andreas

unblock exim4/4.72-5
diff -Nru exim4-4.72/debian/changelog exim4-4.72/debian/changelog
--- exim4-4.72/debian/changelog	2011-01-22 17:48:25.000000000 +0100
+++ exim4-4.72/debian/changelog	2011-01-29 14:33:59.000000000 +0100
@@ -1,3 +1,13 @@
+exim4 (4.72-5) unstable; urgency=medium
+
+  * 80_4.74_deliverylogging.patch (Pulled from upstream git): If a non-debug
+    daemon was invoked with a non-whitelisted macro, then logs from after
+    attempting delivery would be silently lost, including for successful
+    delivery.  This log-loss bug was introduced as part of the security
+    lockdown for fixing CVE-2010-4345. Closes: #610611
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 29 Jan 2011 14:33:36 +0100
+
 exim4 (4.72-4) unstable; urgency=medium
 
   * In spf example use spf-tools-perl's spfquery instead of the one from
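Review bot: the new changelog entry does not state the condition under which logs were lost, so an administrator cannot tell from it whether their installation was affected; the patch below only changes behaviour when `real_uid == exim_uid`, i.e. when exim was invoked by the Exim run-time user with a non-whitelisted `-D` macro, and the entry should say so rather than only "a non-debug daemon was invoked with a non-whitelisted macro". While at it, "(Pulled from upstream git)" would be easier to verify if the entry named the commit, b7487bcec431809cb7fc3c2b42fcd607e43d37e7, which appears in the patch header.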
diff -Nru exim4-4.72/debian/patches/80_4.74_deliverylogging.patch exim4-4.72/debian/patches/80_4.74_deliverylogging.patch
--- exim4-4.72/debian/patches/80_4.74_deliverylogging.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.72/debian/patches/80_4.74_deliverylogging.patch	2011-01-29 14:23:38.000000000 +0100
@@ -0,0 +1,29 @@
+From b7487bcec431809cb7fc3c2b42fcd607e43d37e7 Mon Sep 17 00:00:00 2001
+From: Phil Pennock <pdp@exim.org>
+Date: Sun, 23 Jan 2011 05:44:45 -0500
+Subject: [PATCH 1/2] Bug 1071: fix delivery logging with untrusted macros.
+
+If dropping privileges for untrusted macros, we disabled normal logging
+on the basis that it would fail; for the Exim run-time user, this is not
+the case, and it resulted in successful deliveries going unlogged.
+
+
+diff -NurBbp a/src/exim.c b/src/exim.c
+--- a/src/exim.c	2011-01-29 14:20:00.000000000 +0100
++++ b/src/exim.c	2011-01-29 14:20:37.000000000 +0100
+@@ -3426,9 +3426,13 @@ if ((
+   and should be used for any logging information because attempts to write
+   to the log will usually fail. To arrange this, we unset really_exim. However,
+   if no stderr is available there is no point - we might as well have a go
+-  at the log (if it fails, syslog will be written). */
++  at the log (if it fails, syslog will be written).
+ 
+-  if (log_stderr != NULL) really_exim = FALSE;
++  Note that if the invoker is Exim, the logs remain available. Messing with
++  this causes unlogged successful deliveries.  */
++
++  if ((log_stderr != NULL) && (real_uid != exim_uid))
++    really_exim = FALSE;
+   }
+ 
+ /* Privilege is to be retained for the moment. It may be dropped later,
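Review bot: the upstream header in this hunk reads "[PATCH 1/2]", but only this single patch is being added; please confirm that the second commit of that upstream series is not needed for the 4.72 backport, or say in the changelog why it is 4.74-only. Note also that the embedded diff is a `diff -NurBbp` with local 2011-01-29 timestamps rather than the git diff from the named commit, so it was regenerated against 4.72 with whitespace-insensitive options; it is worth confirming it applies cleanly with quilt in the order given in series. On the code itself, the new guard `if ((log_stderr != NULL) && (real_uid != exim_uid))` leaves `really_exim` set for the Exim user only; the unchanged sentence above it, "attempts to write to the log will usually fail", now describes only the non-Exim-user case, so consider tightening that wording when this is next touched.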
diff -Nru exim4-4.72/debian/patches/series exim4-4.72/debian/patches/series
--- exim4-4.72/debian/patches/series	2011-01-21 19:35:49.000000000 +0100
+++ exim4-4.72/debian/patches/series	2011-01-29 14:24:25.000000000 +0100
@@ -19,3 +19,4 @@
 80_4.73rc1_7_filter_D_option.patch
 80_4.73rc1_8_updatedocumentation.patch
 80_4.74_CVE-2011-0017.patch
+80_4.74_deliverylogging.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
On Sat, 2011-01-29 at 14:57 +0100, Andreas Metzler wrote:
> Please unblock package exim4
> 
> This release fixes a single bug:
> PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
>  If dropping privileges for untrusted macros, we disabled normal logging
>  on the basis that it would fail; for the Exim run-time user, this is not
>  the case, and it resulted in successful deliveries going unlogged.

Unblocked, and aged; thanks.

Regards,

Adam



--- End Message ---
