Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package exim4. unblock exim4/4.84-5 This is a bugfix only upload, featuring two fixes of important priority: * 82_quoted-or-r-2047-encoded.diff pulled from upstream git (sans testsuite), extends the fix in 4.84-2. This fixes a crash in the MIME ACL. <http://bugs.exim.org/show_bug.cgi?id=1558> * 81_buffer-overrun-in-spam-acl.diff from upstream git. Fix a buffer overrun with control characters in argument of spam= acl condition. <http://bugs.exim.org/show_bug.cgi?id=1552> Thanks, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
diff -Nru exim4-4.84/debian/changelog exim4-4.84/debian/changelog --- exim4-4.84/debian/changelog 2014-10-19 13:36:07.000000000 +0200 +++ exim4-4.84/debian/changelog 2014-12-17 19:03:45.000000000 +0100 @@ -1,3 +1,24 @@ +exim4 (4.84-5) unstable; urgency=medium + + * 82_quoted-or-r-2047-encoded.diff pulled from upstream git (sans + testsuite), extends the fix in 4.84-2. + + -- Andreas Metzler <ametzler@debian.org> Wed, 17 Dec 2014 19:03:39 +0100 + +exim4 (4.84-4) unstable; urgency=medium + + * Unset message_prefix/message_sufix in maildrop_pipe transport. Maildrop + neither expects a mbox-style From nor an empty line add the end. (Thanks, + Edward Betts) Closes: #769396 + * Change the init script's restart order from { regenerate_config; stop; + start ; } to { stop; regenerate_config; start ; }. (Thanks, Jakub Warmuz) + Closes: #768874 + * 81_buffer-overrun-in-spam-acl.diff from upstream git. Fix a buffer overrun + with control characters in argument of spam= acl condition. + <http://bugs.exim.org/show_bug.cgi?id=1552> + + -- Andreas Metzler <ametzler@debian.org> Sun, 30 Nov 2014 08:24:04 +0100 + exim4 (4.84-3) unstable; urgency=medium * Apply patch to Italian (it) debconf template translation, thanks to diff -Nru exim4-4.84/debian/debconf/conf.d/transport/30_exim4-config_maildrop_pipe exim4-4.84/debian/debconf/conf.d/transport/30_exim4-config_maildrop_pipe --- exim4-4.84/debian/debconf/conf.d/transport/30_exim4-config_maildrop_pipe 2012-09-23 12:07:23.000000000 +0200 +++ exim4-4.84/debian/debconf/conf.d/transport/30_exim4-config_maildrop_pipe 2014-11-18 18:58:37.000000000 +0100 
@@ -4,6 +4,8 @@ driver = pipe path = "/bin:/usr/bin:/usr/local/bin" command = "/usr/bin/maildrop" + message_prefix = + message_suffix = return_path_add delivery_date_add envelope_to_add diff -Nru exim4-4.84/debian/exim4-base.exim4.init exim4-4.84/debian/exim4-base.exim4.init --- exim4-4.84/debian/exim4-base.exim4.init 2014-07-22 19:16:03.000000000 +0200 +++ exim4-4.84/debian/exim4-base.exim4.init 2014-11-18 18:58:37.000000000 +0100 @@ -239,10 +239,10 @@ ;; restart) log_daemon_msg "Stopping MTA for restart" + stop_exim # regenerate exim4.conf upex4conf isconfigvalid - stop_exim log_end_msg 0 sleep 2 log_daemon_msg "Restarting MTA" diff -Nru exim4-4.84/debian/patches/81_buffer-overrun-in-spam-acl.diff exim4-4.84/debian/patches/81_buffer-overrun-in-spam-acl.diff --- exim4-4.84/debian/patches/81_buffer-overrun-in-spam-acl.diff 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.84/debian/patches/81_buffer-overrun-in-spam-acl.diff 2014-12-17 18:55:57.000000000 +0100 
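Review bot: In the `restart)` branch, `stop_exim` now runs before `upex4conf` and `isconfigvalid`, so a configuration that fails validation is only detected after the running daemon has been stopped. If `isconfigvalid` aborts the script on an invalid configuration (its body is outside this hunk, so this is inferred from its name), a restart with a broken config leaves the host with no MTA running, whereas the old order left the previous daemon up. At minimum I would record the trade-off next to the call, e.g. `# stop first (#768874); if the regenerated config is invalid the MTA stays down`, so that an outage here is recognised as expected behaviour. The `restart)` branch continues past the end of the hunk.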
@@ -0,0 +1,26 @@
+From e252eb8c71ea3bddb32bf73bddc8b22cfde2bc3a Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 27 Nov 2014 16:26:44 +0000
+Subject: [PATCH] Fix buffer overrun in spam= acl condition. Bug 1552
+
+---
+ src/spam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/spam.c b/src/spam.c
+index 7eb6fbf..76bf7d6 100644
+--- a/src/spam.c
++++ b/src/spam.c
+@@ -129,7 +129,8 @@ spam(uschar **listptr)
+ (spamd_address_container *)store_get(sizeof(spamd_address_container));
+
+ /* grok spamd address and port */
+- if( sscanf(CS address, "%s %u", this_spamd->tcp_addr, &(this_spamd->tcp_port)) != 2 ) {
++ if (sscanf(CS address, "%23s %u", this_spamd->tcp_addr, &(this_spamd->tcp_port)) != 2)
++ {
+ log_write(0, LOG_MAIN,
+ "spam acl condition: warning - invalid spamd address: '%s'", address);
+ continue;
+--
+2.1.3
+
diff -Nru exim4-4.84/debian/patches/82_quoted-or-r-2047-encoded.diff exim4-4.84/debian/patches/82_quoted-or-r-2047-encoded.diff
--- exim4-4.84/debian/patches/82_quoted-or-r-2047-encoded.diff 1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.84/debian/patches/82_quoted-or-r-2047-encoded.diff 2014-12-17 19:01:38.000000000 +0100
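Review bot: The field width in `"%23s %u"` is a bare number that must stay one less than the size of `this_spamd->tcp_addr`, and that declaration is not visible in this hunk (presumably a 24-byte array). If the member is ever resized the bound silently goes wrong again, so I would tie the two together with a comment at the call, e.g. `/* 23 == sizeof(this_spamd->tcp_addr) - 1; keep in sync with spamd_address_container */`, or with a compile-time size check if the tree has a suitable macro. The `%u` conversion likewise assumes `tcp_port` is an `unsigned int`, which is worth confirming against the struct. The enclosing `spam()` function starts and ends outside the hunk.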
@@ -0,0 +1,194 @@ +From 5c6cf6a0d5cb7da39e7fde01dca1ff862c1fa1c8 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Sun, 14 Dec 2014 15:15:34 +0000 +Subject: [PATCH] Account properly for quoted or 2047-encoded MIME parameters + while walking headers. Bug 1558 + +--- + src/mime.c | 103 ++++++++++++++++++++++------------------ + test/log/4000 | 3 ++ + test/mail/4000.userx | 38 +++++++++++++++ + test/scripts/4000-scanning/4000 | 29 +++++++++++ + test/stdout/4000 | 11 +++++ + 5 files changed, 137 insertions(+), 47 deletions(-) + +diff --git a/src/mime.c b/src/mime.c +index ab701f2..a61e9f2 100644 +--- a/src/mime.c ++++ b/src/mime.c +@@ -528,26 +528,24 @@ while(1) + */ + if (context != NULL) + { +- while(fgets(CS header, MIME_MAX_HEADER_SIZE, f) != NULL) ++ while(fgets(CS header, MIME_MAX_HEADER_SIZE, f)) + { + /* boundary line must start with 2 dashes */ +- if (Ustrncmp(header,"--",2) == 0) +- { +- if (Ustrncmp((header+2),context->boundary,Ustrlen(context->boundary)) == 0) ++ if ( Ustrncmp(header, "--", 2) == 0 ++ && Ustrncmp(header+2, context->boundary, Ustrlen(context->boundary)) == 0) ++ { ++ /* found boundary */ ++ if (Ustrncmp((header+2+Ustrlen(context->boundary)), "--", 2) == 0) + { +- /* found boundary */ +- if (Ustrncmp((header+2+Ustrlen(context->boundary)),"--",2) == 0) +- { +- /* END boundary found */ +- debug_printf("End boundary found %s\n", context->boundary); +- return rc; +- } +- else +- debug_printf("Next part with boundary %s\n", context->boundary); +- +- /* can't use break here */ +- goto DECODE_HEADERS; ++ /* END boundary found */ ++ debug_printf("End boundary found %s\n", context->boundary); ++ return rc; + } ++ else ++ debug_printf("Next part with boundary %s\n", context->boundary); ++ ++ /* can't use break here */ ++ goto DECODE_HEADERS; + } + } + /* Hit EOF or read error. Ugh. 
*/ +@@ -557,92 +555,103 @@ while(1) + + DECODE_HEADERS: + /* parse headers, set up expansion variables */ +- while (mime_get_header(f,header)) ++ while (mime_get_header(f, header)) + { + int i; + /* loop through header list */ + for (i = 0; i < mime_header_list_size; i++) +- { +- uschar *header_value = NULL; +- int header_value_len = 0; +- +- /* found an interesting header? */ +- if (strncmpic(mime_header_list[i].name,header,mime_header_list[i].namelen) == 0) +- { +- uschar *p = header + mime_header_list[i].namelen; +- /* yes, grab the value (normalize to lower case) +- and copy to its corresponding expansion variable */ ++ if (strncmpic(mime_header_list[i].name, ++ header, mime_header_list[i].namelen) == 0) ++ { /* found an interesting header */ ++ uschar * header_value; ++ int header_value_len; ++ uschar * p = header + mime_header_list[i].namelen; ++ ++ /* grab the value (normalize to lower case) ++ and copy to its corresponding expansion variable */ + while(*p != ';') + { + *p = tolower(*p); + p++; + } +- header_value_len = (p - (header + mime_header_list[i].namelen)); +- header_value = (uschar *)malloc(header_value_len+1); +- memset(header_value,0,header_value_len+1); ++ header_value_len = p - (header + mime_header_list[i].namelen); + p = header + mime_header_list[i].namelen; +- Ustrncpy(header_value, p, header_value_len); +- debug_printf("Found %s MIME header, value is '%s'\n", mime_header_list[i].name, header_value); ++ header_value = string_copyn(p, header_value_len); ++ debug_printf("Found %s MIME header, value is '%s'\n", ++ mime_header_list[i].name, header_value); + *((uschar **)(mime_header_list[i].value)) = header_value; + + /* make p point to the next character after the closing ';' */ +- p += (header_value_len+1); ++ p += header_value_len+1; + +- /* grab all param=value tags on the remaining line, check if they are interesting */ ++ /* grab all param=value tags on the remaining line, ++ check if they are interesting */ + NEXT_PARAM_SEARCH: +- while 
(*p != 0) ++ while (*p) + { + mime_parameter * mp; + for (mp = mime_parameter_list; + mp < &mime_parameter_list[mime_parameter_list_size]; + mp++) + { +- uschar *param_value = NULL; +- int param_value_len = 0; ++ uschar * param_value = NULL; + + /* found an interesting parameter? */ + if (strncmpic(mp->name, p, mp->namelen) == 0) + { +- uschar *q = p + mp->namelen; ++ uschar * q = p + mp->namelen; ++ int plen = 0; + int size = 0; + int ptr = 0; + + /* yes, grab the value and copy to its corresponding expansion variable */ + while(*q && *q != ';') /* ; terminates */ +- { + if (*q == '"') + { + q++; /* skip leading " */ +- while(*q && *q != '"') /* which protects ; */ ++ plen++; /* and account for the skip */ ++ while(*q && *q != '"') /* " protects ; */ ++ { + param_value = string_cat(param_value, &size, &ptr, q++, 1); +- if (*q) q++; /* skip trailing " */ ++ plen++; ++ } ++ if (*q) ++ { ++ q++; /* skip trailing " */ ++ plen++; ++ } + } + else ++ { + param_value = string_cat(param_value, &size, &ptr, q++, 1); +- } ++ plen++; ++ } ++ + if (param_value) + { + param_value[ptr++] = '\0'; +- param_value_len = ptr; + + param_value = rfc2047_decode(param_value, +- check_rfc2047_length, NULL, 32, ¶m_value_len, &q); ++ check_rfc2047_length, NULL, 32, NULL, &q); + debug_printf("Found %s MIME parameter in %s header, " + "value is '%s'\n", mp->name, mime_header_list[i].name, + param_value); + } + *mp->value = param_value; +- p += (mp->namelen + param_value_len + 1); ++ p += mp->namelen + plen + 1; /* name=, content, ; */ + goto NEXT_PARAM_SEARCH; + } + } + /* There is something, but not one of our interesting parameters. 
+ Advance to the next semicolon */ +- while(*p != ';') p++; ++ while(*p != ';') ++ { ++ if (*p == '"') while(*++p && *p != '"') ; ++ p++; ++ } + p++; + } + } +- } + } + + /* set additional flag variables (easier access) */ diff -Nru exim4-4.84/debian/patches/series exim4-4.84/debian/patches/series --- exim4-4.84/debian/patches/series 2014-08-29 20:04:26.000000000 +0200 +++ exim4-4.84/debian/patches/series 2014-12-17 18:59:00.000000000 +0100 @@ -9,3 +9,5 @@ 67_unnecessaryCopt.diff 70_remove_exim-users_references.dpatch 80_mime_empty_charset.diff +81_buffer-overrun-in-spam-acl.diff +82_quoted-or-r-2047-encoded.diff
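Review bot: The new skip loop for uninteresting parameters, `while(*p != ';')`, never tests for the terminating NUL. When a quoted value in a message header is left unterminated, the inner `while(*++p && *p != '"') ;` stops on the NUL, the following `p++` steps over it, and the outer loop keeps reading past the end of `header`. The same over-advance is possible at `p += mp->namelen + plen + 1` when the value loop ended on NUL rather than `;`, and the lower-casing loop earlier in the hunk relies on a `;` always being present, which mime_get_header may guarantee but is not visible here. I would bound each walk on the terminator, e.g. `while (*p && *p != ';')` followed by `if (*p) p++;`, and only add the trailing `+ 1` when `*q == ';'`. The enclosing `while(1)` loop starts and ends outside the hunk.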