Bug#698701: tpu: dspam/3.10.1+dfsg-8

To: Jonathan Wiltshire <jmw@debian.org>, submit@bugs.debian.org
Subject: Bug#698701: tpu: dspam/3.10.1+dfsg-8
From: "Thomas Preud'homme" <robotux@debian.org>
Date: Fri, 22 Feb 2013 12:11:57 +0100
Message-id: <201302221211.57704.robotux@debian.org>
Reply-to: "Thomas Preud'homme" <robotux@debian.org>, 698701@bugs.debian.org
In-reply-to: <201302112345.47325.robotux@debian.org>
References: <20130122131544.2211.52386.reportbug@cerclon.rsr.lip6.fr> <20130211214211.GF5321@ernie.home.powdarrmonkey.net> <201302112345.47325.robotux@debian.org>

Subject: unblock: dspam/3.10.1+dfsg-9
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

This mail follow the discussion with Jonathan Wiltshire in bug #698701 [1], 
hence the In-Reply-To.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698701#32

Le lundi 11 février 2013 23:45:46, Thomas Preud'homme a écrit :
> 
> I'd rather have a fix though.

I came up with this patch.

% egrep -RIn "recipient[^s]*=" src 
src/dspam.c:503:        ATX->recipient = CTX->username;
src/dspam.c:948:    ATX->recipient=args;
src/dspam.c:1675:      ATX->recipient = node_rcpt->ptr;
src/dspam.c:1683:      ATX->recipient = node_nt->ptr;
src/dspam.c:1694:      ATX->recipient = mailbox;

mailbox and args are of respective size 256 and 1024 bytes. node_rcpt->ptr and 
node_nt->ptr on the other hand are exactly the size of the string. They are 
allocated when calling nt_add (which call nt_node_create).

Thus, the approach is to copy node_rcpt->ptr and node_nt->ptr into an array of 
size 256 as well and this size can be used to limit the strlcpy when copying 
CTX->username to ATX->recipient. I don't like to hardcode the size but didn't 
find anything better for now. I'll forward upstream and let him find a long term 
solution.

Would you agree for an upload to tpu with sufficient testing in unstable before?

Best regards,

Thomas

diff -Nru dspam-3.10.2+dfsg/debian/changelog dspam-3.10.2+dfsg/debian/changelog
--- dspam-3.10.2+dfsg/debian/changelog	2013-02-11 14:55:20.000000000 +0100
+++ dspam-3.10.2+dfsg/debian/changelog	2013-02-22 11:54:57.000000000 +0100
@@ -1,3 +1,10 @@
+dspam (3.10.2+dfsg-7) unstable; urgency=low
+
+  * Add a new version of the patch fixing recipient corruption when releasing
+    a message from quarantine (Closes: #698136).
+
+ -- Thomas Preud'homme <robotux@debian.org>  Fri, 22 Feb 2013 11:28:17 +0100
+
 dspam (3.10.2+dfsg-6) unstable; urgency=low
 
   * Drop patch fixing recipient corruption when releasing a message from
diff -Nru dspam-3.10.2+dfsg/debian/patches/009_fix_recipient_corruption_when_releasing_message_from_quarantine.diff dspam-3.10.2+dfsg/debian/patches/009_fix_recipient_corruption_when_releasing_message_from_quarantine.diff
--- dspam-3.10.2+dfsg/debian/patches/009_fix_recipient_corruption_when_releasing_message_from_quarantine.diff	1970-01-01 01:00:00.000000000 +0100
+++ dspam-3.10.2+dfsg/debian/patches/009_fix_recipient_corruption_when_releasing_message_from_quarantine.diff	2013-02-22 11:54:57.000000000 +0100
@@ -0,0 +1,53 @@
+Description: Fix recipient corruption when releasing a message from quarantine
+
+When releasing mail from quarantine, dspam corrupts the FROM part in the
+SMTP/LMTP handshake.
+
+Author: Allan Ievers <aimail-dspam_users@rearden.com>
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/698136
+Forwarded: no
+Last-Update: 2013-01-14
+
+--- a/src/dspam.c
++++ b/src/dspam.c
+@@ -499,8 +499,9 @@ process_message (
+                 ATX->train_pristine = 1;
+         }
+ 
+-        /* Change also the mail recipient */
+-        ATX->recipient = CTX->username;
++        /* Change also the mail recipient. ATX->recipient either points to
++	 * recipient[] or mailbox[] in process_users, hence the size of 256 */
++        strlcpy(ATX->recipient, CTX->username, 256);
+ 
+       }
+     }
+@@ -1634,6 +1635,7 @@ int process_users(AGENT_CTX *ATX, buffer *message) {
+     char filename[MAX_FILENAME_LENGTH];
+     int optin, optout;
+     char *username = NULL;
++    char recipient[256];
+ 
+     /* If ServerParameters specifies a --user, there will only be one
+      * instance on the stack, but possible multiple recipients. So we
+@@ -1672,7 +1674,7 @@ int process_users(AGENT_CTX *ATX, buffer *message) {
+ 	username = node_nt->ptr;
+ 
+     if (node_rcpt) {
+-      ATX->recipient = node_rcpt->ptr;
++      strlcpy(recipient, node_rcpt->ptr, sizeof(recipient));
+       node_rcpt = c_nt_next (ATX->recipients, &c_rcpt);
+     } else {
+ 
+@@ -1680,8 +1682,9 @@ int process_users(AGENT_CTX *ATX, buffer *message) {
+       if (have_rcpts)
+         break;
+ 
+-      ATX->recipient = node_nt->ptr;
++      strlcpy(recipient, node_nt->ptr, sizeof(recipient));
+     }
++    ATX->recipient = recipient;
+ 
+       /* If support for "+detail" is enabled, save full mailbox name for
+          delivery and strip detail for processing */
diff -Nru dspam-3.10.2+dfsg/debian/patches/series dspam-3.10.2+dfsg/debian/patches/series
--- dspam-3.10.2+dfsg/debian/patches/series	2013-02-11 14:55:20.000000000 +0100
+++ dspam-3.10.2+dfsg/debian/patches/series	2013-02-22 11:54:57.000000000 +0100
@@ -5,3 +5,4 @@
 006_default-daemon-port.diff
 007_process_quarantine_if_spanish.diff
 008_fix_exim_integration_doc.diff
+009_fix_recipient_corruption_when_releasing_message_from_quarantine.diff

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Prev by Date: Bug#701178: preapproval unblock: dspam/dspam/3.10.1+dfsg-9
Next by Date: Bug#701130: marked as done (unblock: pygobject/3.2.2-2)
Previous by thread: Bug#698701: tpu: dspam/3.10.1+dfsg-8
Next by thread: Processed: closing 690411
Index(es):
- Date
- Thread