
Bug#697444: marked as done (unblock: exim4/4.80-7)



Your message dated Sat, 05 Jan 2013 14:36:35 +0100
with message-id <50E82C63.2090203@thykier.net>
and subject line Re: Bug#697444: unblock: exim4/4.80-7
has caused the Debian Bug report #697444,
regarding unblock: exim4/4.80-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
697444: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697444
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package exim4. This is a minimal single-bugfix upload
for #697057. 

Debian's exim configuration optionally allows the use of spfquery to run
SPF checks on incoming mail.  Due to insufficient quoting it is
possible to pass on arbitrary arguments to spfquery and therefore
bypass SPF checks.

unblock exim4/4.80-7

thanks, cu andreas
File lists identical (after any substitutions)

Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}

Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}




diff -Nru exim4-4.80/debian/changelog exim4-4.80/debian/changelog
--- exim4-4.80/debian/changelog	2012-11-21 19:08:56.000000000 +0100
+++ exim4-4.80/debian/changelog	2013-01-02 19:37:26.000000000 +0100
@@ -1,3 +1,11 @@
+exim4 (4.80-7) unstable; urgency=low
+
+  * Use exim's ${quote:xxx} operator when invoking spfquery to disallow
+    bypassing of SPF validation by using special mailbox names. (Thanks to
+    Lekensteyn for diagnosis and testing.) Closes: #697057
+
+ -- Andreas Metzler <ametzler@debian.org>  Wed, 02 Jan 2013 19:37:21 +0100
+
 exim4 (4.80-6) unstable; urgency=low
 
   * Cherrypick two changes from GIT:
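Review bot: the new entry is uploaded with urgency=low although it describes a fix for bypassing SPF validation; consider whether a higher urgency fits a fix of that kind. The entry also speaks only of "special mailbox names", while the ACL change in this same upload quotes $sender_host_address and $sender_helo_name as well as $sender_address, so the text could state that all three values handed to spfquery are now quoted.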
diff -Nru exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
--- exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2012-09-23 12:07:23.000000000 +0200
+++ exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2013-01-02 19:36:16.000000000 +0100
@@ -265,10 +265,10 @@
     log_message = SPF check failed.
     !acl = acl_local_deny_exceptions
     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
-                   \"$sender_host_address\" --identity \
+                   ${quote:$sender_host_address} --identity \
                    ${if def:sender_address_domain \
-                       {--scope mfrom  --identity \"$sender_address\"}\
-                       {--scope helo --identity  \"$sender_helo_name\"}}}\
+                       {--scope mfrom  --identity ${quote:$sender_address}}\
+                       {--scope helo --identity ${quote:$sender_helo_name}}}}\
                    {no}{${if eq {$runrc}{1}{yes}{no}}}}
 
   defer
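Review bot: the unchanged last line of the condition, {no}{${if eq {$runrc}{1}{yes}{no}}}, makes this deny fire only when spfquery exits with 1, so any other non-zero exit (for example one caused by arguments it cannot parse) yields "no" here; please confirm that the defer stanza which follows covers those exit codes, since its body is not visible in this hunk. It would also help to add a comment above the condition line stating that $sender_address and $sender_helo_name are supplied by the remote client and must stay inside ${quote:...}, so that a later edit does not reintroduce the literal \"...\" form.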

--- End Message ---
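
The quoting problem described in the unblock request above, modelled as an added example (not code from Exim or from the Debian package). exim_quote follows the Exim specification's description of the ${quote:...} operator; using shlex.split as a stand-in for the way ${run} splits its already-expanded command string is an assumption of this model, and the sender values and --injected-arg are constructed placeholders.

```python
import re
import shlex

SPFQUERY = "/usr/bin/spfquery.mail-spf-perl"

def exim_quote(value: str) -> str:
    """Model of ${quote:...}: bare if only [A-Za-z0-9_.-], else a quoted string."""
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    escaped = escaped.replace("\n", "\\n").replace("\r", "\\r")
    return '"' + escaped + '"'

def old_command(ip: str, sender: str) -> str:
    """4.80-6 form (mfrom branch): values placed between literal double quotes."""
    return (f'{SPFQUERY} --ip "{ip}" --identity '
            f'--scope mfrom  --identity "{sender}"')

def new_command(ip: str, sender: str) -> str:
    """4.80-7 form (mfrom branch): values passed through the quote operator."""
    return (f"{SPFQUERY} --ip {exim_quote(ip)} --identity "
            f"--scope mfrom  --identity {exim_quote(sender)}")

def split_args(command: str) -> list:
    """Assumed stand-in for ${run}'s splitting of the expanded string."""
    return shlex.split(command, posix=True)

# Constructed inputs: a documentation-range IP, a plain sender, and a sender
# whose local part contains double quotes and spaces.
# --injected-arg is a placeholder, not a real spfquery option.
IP = "192.0.2.10"
PLAIN = "user@example.org"
CRAFTED = 'x" --injected-arg "y@example.org'

if __name__ == "__main__":
    for label, build in (("old", old_command), ("new", new_command)):
        for sender in (PLAIN, CRAFTED):
            argv = split_args(build(IP, sender))
            # argument count, whether the sender arrived as one argument, tail
            print(label, len(argv), argv[-1] == sender, argv[3:])
```

With the quote operator the argument count stays the same for both senders and the crafted value reaches the checker as a single --identity argument.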
--- Begin Message ---
On 2013-01-05 14:11, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package exim4. This is a minimal single-bugfix upload
> for #697057. 
> 
> Debian's exim configuration optionally allows the use of spfquery to run
> SPF checks on incoming mail.  Due to insufficient quoting it is
> possible to pass on arbitrary arguments to spfquery and therefore
> bypass SPF checks.
> 
> unblock exim4/4.80-7
> 
> thanks, cu andreas

Thanks for the report.  However, exim4 has been unblocked by Adam since
the 2nd of January (AFAICT), so I am closing this bug now.

grep-excuses <source> from devscripts can be helpful in detecting
whether or not a given package has a hint.

~Niels

--- End Message ---
