Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock the following version of bsd-mailx:
bsd-mailx (8.1.2-0.20141216cvs-1) unstable; urgency=high
* New upstream version from OpenBSD cvs repository. The version consists of:
- The changes that are part of the following recent stable security update
by Florian Weimer:
bsd-mailx (8.1.2-0.20111106cvs-1+deb7u1) wheezy-security; urgency=high
* Apply OpenBSD patches from Todd Miller:
+ 80-remove_T.patch (remove undocumented/obsolete -T option)
+ 81-minus_f.patch (adjust -f processing)
+ 82-expandaddr.patch (fix CVE-2014-7844)
+ 83-nosendmail.patch (make -- work for option parsing suppression)
- A simple change in lex.c related to preferring mkostemp(O_CLOEXEC) over
mkstemp()+fcntl(F_SETFD) and fopen("re") over fopen("r")+fcntl(F_SETFD).
- A change in fio.c to use glob() to expand filenames. The change however
is not enabled in the Debian package (i.e. outside of `#ifdef DEBIAN'
code) as wordexp() function instead has been used in Debian for last
10 years.
* Bump Standards-Version to 3.9.6.
-- Robert Luberda <robert@debian.org> Thu, 18 Dec 2014 00:45:40 +0100
I'm attaching the full debdiff to this e-mail.
To make the review easier, please find below the upstream code
differences between
- previous version (8.1.2-0.20140825cvs-1) with all Florian's patches
from wheezy security applied
- and the version I've just uploaded.
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/fio.c bsd-mailx/fio.c
--- bsd-mailx.patches/fio.c 2014-12-17 23:54:58.000000000 +0100
+++ bsd-mailx/fio.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: fio.c,v 1.33 2014/01/17 18:42:30 okan Exp $ */
+/* $OpenBSD: fio.c,v 1.34 2014/12/16 18:31:06 millert Exp $ */
/* $NetBSD: fio.c,v 1.8 1997/07/07 22:57:55 phil Exp $ */
/*
@@ -37,6 +37,9 @@
#include <unistd.h>
#include <paths.h>
#include <errno.h>
+#ifndef DEBIAN
+#include <glob.h>
+#endif
#include "extern.h"
#ifdef DEBIAN
@@ -424,17 +427,13 @@
char *
expand(char *name)
{
+#ifndef DEBIAN
+ const int flags = GLOB_BRACE|GLOB_TILDE|GLOB_NOSORT;
+#endif
char xname[PATHSIZE];
char cmdbuf[PATHSIZE]; /* also used for file names */
#ifdef DEBIAN
wordexp_t p;
-#else
- pid_t pid;
- int l;
- char *cp, *shell;
- int pivec[2];
- struct stat sbuf;
- extern int wait_status;
#endif
/*
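Review bot: The retained `wordexp_t p;` under `#ifdef DEBIAN` means the Debian build still expands file names through wordexp(), which performs shell command substitution unless `WRDE_NOCMD` is passed. The call itself lies outside this hunk, so the flags cannot be checked from here. Because the upstream side of this change drops the `$SHELL -c "echo ..."` expansion, the Debian path deserves the same scrutiny; once the flag is confirmed, a comment at the declaration such as `/* DEBIAN: names are expanded with wordexp(); it must be called with WRDE_NOCMD */` would record the requirement. expand() continues past the end of this hunk.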
@@ -511,47 +510,23 @@
}
#else
// [ RL - note the whole block is not applicable to Debian, as it is
// #else branch for #ifdef DEBIAN ]
-
- /* XXX - just use glob(3) and env expansion instead? */
- if (pipe(pivec) < 0) {
- warn("pipe");
- return(name);
- }
- (void)snprintf(cmdbuf, sizeof(cmdbuf), "echo %s", name);
- shell = value("SHELL");
- pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
- if (pid < 0) {
- (void)close(pivec[0]);
- (void)close(pivec[1]);
- return(NULL);
- }
- (void)close(pivec[1]);
- l = myread(pivec[0], xname, PATHSIZE);
- if (l < 0)
- warn("read"); /* report error before errno changes */
- (void)close(pivec[0]);
- if (wait_child(pid) < 0 && WIFSIGNALED(wait_status) &&
- WTERMSIG(wait_status) != SIGPIPE) {
- fprintf(stderr, "\"%s\": Expansion failed.\n", name);
- return(NULL);
- }
- if (l < 0)
- return(NULL);
- if (l == 0) {
+ /* XXX - does not expand enviroment variables. */
+ switch (glob(name, flags, NULL, &names)) {
+ case 0:
+ if (names.gl_pathc == 1)
+ match = savestr(names.gl_pathv[0]);
+ else
+ fprintf(stderr, "\"%s\": Ambiguous.\n", name);
+ break;
+ case GLOB_NOSPACE:
+ fprintf(stderr, "\"%s\": Out of memory.\n", name);
+ break;
+ case GLOB_NOMATCH:
fprintf(stderr, "\"%s\": No match.\n", name);
- return(NULL);
- }
- if (l == PATHSIZE) {
- fprintf(stderr, "\"%s\": Expansion buffer overflow.\n", name);
- return(NULL);
- }
- xname[l] = '\0';
- for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
- ;
- cp[1] = '\0';
- if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
- fprintf(stderr, "\"%s\": Ambiguous.\n", name);
- return(NULL);
+ break;
+ default:
+ fprintf(stderr, "\"%s\": Expansion failed.\n", name);
+ break;
}
return(savestr(xname));
#endif
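Review bot: On the new side of the non-DEBIAN branch the glob() result is stored in `match`, but the trailing context line still ends with `return(savestr(xname));`, and nothing visible in this hunk writes `xname` any more, so a build without DEBIAN defined would return a copy of an uninitialised buffer. No `globfree(&names)` is visible either, and the earlier declaration hunk adds only `flags`, not `names` or `match`. The branch is compiled out in the Debian package, so the effect is limited to non-DEBIAN builds, but the tail would be safer as `globfree(&names);` followed by `return(match);`, with `match` initialised to NULL. expand() starts and ends outside this hunk, so the missing declarations may exist in lines not shown.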
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/glob.h bsd-mailx/glob.h
--- bsd-mailx.patches/glob.h 2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/glob.h 2014-12-18 00:04:44.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: glob.h,v 1.7 2003/06/03 02:56:11 millert Exp $ */
+/* $OpenBSD: glob.h,v 1.8 2014/11/24 20:01:43 millert Exp $ */
/* $NetBSD: glob.h,v 1.4 1996/06/08 19:48:25 christos Exp $ */
/*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/lex.c bsd-mailx/lex.c
--- bsd-mailx.patches/lex.c 2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/lex.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: lex.c,v 1.37 2014/05/20 01:25:23 guenther Exp $ */
+/* $OpenBSD: lex.c,v 1.38 2014/10/26 20:38:13 guenther Exp $ */
/* $NetBSD: lex.c,v 1.10 1997/05/17 19:55:13 pk Exp $ */
/*
@@ -125,13 +125,11 @@
// [ RL - this is the mkostemp change mentioned in changelog. In case
// you don't like the change, I can make new version with a patch that
// will revert it ]
mailsize = fsize(ibuf);
(void)snprintf(tempname, sizeof(tempname),
"%s/mail.RxXXXXXXXXXX", tmpdir);
- if ((fd = mkstemp(tempname)) == -1 ||
+ if ((fd = mkostemp(tempname, O_CLOEXEC)) == -1 ||
(otf = fdopen(fd, "w")) == NULL)
err(1, "%s", tempname);
- (void)fcntl(fileno(otf), F_SETFD, FD_CLOEXEC);
- if ((itf = fopen(tempname, "r")) == NULL)
+ if ((itf = fopen(tempname, "re")) == NULL)
err(1, "%s", tempname);
- (void)fcntl(fileno(itf), F_SETFD, FD_CLOEXEC);
(void)rm(tempname);
setptr(ibuf, (off_t)0);
setmsize(msgCount);
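Review bot: With both `fcntl(..., F_SETFD, FD_CLOEXEC)` calls removed, close-on-exec on `itf` now rests entirely on the C library honouring the `e` flag in `fopen(tempname, "re")`. A libc that does not recognise the flag may ignore it without any diagnostic, leaving the descriptor inherited by child processes that mail starts. Likewise `mkostemp()` and `O_CLOEXEC` need `<fcntl.h>` and, on glibc, `_GNU_SOURCE` to be declared; the include block is not part of this hunk, so that should be confirmed. A short comment above the calls, e.g. `/* close-on-exec relies on mkostemp(3) and the fopen "e" flag (glibc >= 2.7) */`, would record the dependency. The enclosing function starts and ends outside the hunk.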
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/mail.1 bsd-mailx/mail.1
--- bsd-mailx.patches/mail.1 2014-12-17 23:56:58.000000000 +0100
+++ bsd-mailx/mail.1 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-.\" $OpenBSD: mail.1,v 1.65 2014/03/27 13:08:24 jmc Exp $
+.\" $OpenBSD: mail.1,v 1.70 2014/12/16 18:37:17 millert Exp $
.\"
.\" Copyright (c) 1980, 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)mail.1 8.8 (Berkeley) 4/28/95
.\"
-.Dd $Mdocdate: March 27 2014 $
+.Dd $Mdocdate: December 16 2014 $
.Dt MAIL 1
.Os
.Sh NAME
@@ -970,6 +970,11 @@
.Nm mail
to interpret a period alone on a line as the terminator
of a message you are sending.
+.It Ar expandaddr
+Causes
+.Nm mail
+to expand message recipient addresses, as explained in the section
+.Sx Recipient address specifications .
.It Ar hold
This option is used to hold messages in the system mailbox
by default.
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/main.c bsd-mailx/main.c
--- bsd-mailx.patches/main.c 2014-12-17 23:56:58.000000000 +0100
+++ bsd-mailx/main.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.23 2009/10/27 23:59:40 deraadt Exp $ */
+/* $OpenBSD: main.c,v 1.26 2014/12/16 18:37:17 millert Exp $ */
/* $NetBSD: main.c,v 1.7 1997/05/13 06:15:57 mikel Exp $ */
/*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/names.c bsd-mailx/names.c
--- bsd-mailx.patches/names.c 2014-12-17 23:56:12.000000000 +0100
+++ bsd-mailx/names.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: names.c,v 1.20 2014/08/15 03:51:40 guenther Exp $ */
+/* $OpenBSD: names.c,v 1.21 2014/12/16 18:36:46 millert Exp $ */
/* $NetBSD: names.c,v 1.5 1996/06/08 19:48:32 christos Exp $ */
/*
diff -Nur -x debian -x CVS -x .pc -x .git bsd-mailx.patches/quit.c bsd-mailx/quit.c
--- bsd-mailx.patches/quit.c 2014-12-17 23:54:59.000000000 +0100
+++ bsd-mailx/quit.c 2014-12-18 20:05:45.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: quit.c,v 1.20 2009/10/27 23:59:40 deraadt Exp $ */
+/* $OpenBSD: quit.c,v 1.21 2014/11/24 20:01:43 millert Exp $ */
/* $NetBSD: quit.c,v 1.6 1996/12/28 07:11:07 tls Exp $ */
/*
unblock bsd-mailx/8.1.2-0.20141216cvs-1
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (200, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.16-3-686-pae (SMP w/1 CPU core)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Attachment:
bsd-mailx_8.1.2-0.20141216cvs-1.debdiff.gz
Description: application/gzip