Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to fix 803562 in jessie. Exim's MIME checking ACL (available in exim4-daemon-heavy) was found to not correctly handle some broken MIME containers. Jessie contains most of the fixes, but some additional issues were found later.

Debian's default setup does not set either acl_not_smtp_mime or acl_smtp_mime and is therefore not affected.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
File lists identical (after any substitutions) Control files of package exim4: lines which differ (wdiff format) ----------------------------------------------------------------- Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.39), exim4-base (>= [-4.84-8),-] {+4.84-8+deb8u1),+} exim4-base (<< [-4.84-8.1),-] {+4.84-8+deb8u1.1),+} exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package exim4-base: lines which differ (wdiff format) ---------------------------------------------------------------------- Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package exim4-config: lines which differ (wdiff format) ------------------------------------------------------------------------ Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package exim4-daemon-heavy: lines which differ (wdiff format) ------------------------------------------------------------------------------ Depends: exim4-base (>= 4.84), libc6 (>= 2.15), libdb5.3, libgnutls-deb0-28 (>= 3.3.0), libldap-2.4-2 (>= 2.4.7), libmysqlclient18 (>= 5.5.24+dfsg-1), libpam0g (>= 0.99.7.1), libpcre3 (>= 1:8.35), libperl5.20 (>= [-5.20.1),-] {+5.20.2),+} libpq5, libsasl2-2, libsqlite3-0 (>= 3.5.9), debconf (>= 0.5) | debconf-2.0 Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package exim4-daemon-light: lines which differ (wdiff format) ------------------------------------------------------------------------------ Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Installed-Size: [-2078-] {+2079+} Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package 
exim4-dbg: lines which differ (wdiff format) --------------------------------------------------------------------- Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package exim4-dev: lines which differ (wdiff format) --------------------------------------------------------------------- Version: [-4.84-8-] {+4.84-8+deb8u1+} Control files of package eximon4: lines which differ (wdiff format) ------------------------------------------------------------------- Version: [-4.84-8-] {+4.84-8+deb8u1+} diff -Nru exim4-4.84/debian/changelog exim4-4.84/debian/changelog --- exim4-4.84/debian/changelog 2015-02-17 18:00:49.000000000 +0100 +++ exim4-4.84/debian/changelog 2015-10-31 13:55:10.000000000 +0100 @@ -1,3 +1,12 @@ +exim4 (4.84-8+deb8u1) jessie; urgency=medium + + * Pull 85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch + and 86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch from + upstream GIT to fixup more MIME ACL related crashes. (Thanks, Lutz + Preßler) Closes: #803562 + + -- Andreas Metzler <ametzler@debian.org> Mon, 26 Oct 2015 17:42:16 +0100 + exim4 (4.84-8) unstable; urgency=medium * Pull 83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch and diff -Nru exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch --- exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch 2015-10-31 13:50:54.000000000 +0100 
@@ -0,0 +1,77 @@ +From bf485bf34df3fc2214765497a5552851c6a8977a Mon Sep 17 00:00:00 2001 +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Tue, 30 Dec 2014 20:39:02 +0000 +Subject: [PATCH] Fix crash in mime acl when a parameter is unterminated + +Verified-by: Wolfgang Breyha <wbreyha@gmx.net> +--- + src/mime.c | 33 +++++++++++---------------------- + test/confs/4000 | 1 + + test/log/4000 | 9 ++++++--- + test/mail/4000.userx | 36 ++++++++++++++++++++++++++++++++++++ + test/scripts/4000-scanning/4000 | 27 +++++++++++++++++++++++++++ + test/stdout/4000 | 11 +++++++++++ + 6 files changed, 92 insertions(+), 25 deletions(-) + +diff --git a/src/mime.c b/src/mime.c +index a61e9f2..e5fe476 100644 +--- a/src/mime.c ++++ b/src/mime.c +@@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH: + /* found an interesting parameter? */ + if (strncmpic(mp->name, p, mp->namelen) == 0) + { +- uschar * q = p + mp->namelen; +- int plen = 0; + int size = 0; + int ptr = 0; + + /* yes, grab the value and copy to its corresponding expansion variable */ +- while(*q && *q != ';') /* ; terminates */ +- if (*q == '"') ++ p += mp->namelen; ++ while(*p && *p != ';') /* ; terminates */ ++ if (*p == '"') + { +- q++; /* skip leading " */ +- plen++; /* and account for the skip */ +- while(*q && *q != '"') /* " protects ; */ +- { +- param_value = string_cat(param_value, &size, &ptr, q++, 1); +- plen++; +- } +- if (*q) +- { +- q++; /* skip trailing " */ +- plen++; +- } ++ p++; /* skip leading " */ ++ while(*p && *p != '"') /* " protects ; */ ++ param_value = string_cat(param_value, &size, &ptr, p++, 1); ++ if (*p) p++; /* skip trailing " */ + } + else +- { +- param_value = string_cat(param_value, &size, &ptr, q++, 1); +- plen++; +- } ++ param_value = string_cat(param_value, &size, &ptr, p++, 1); ++ if (*p) p++; /* skip trailing ; */ + + if (param_value) + { ++ uschar * dummy; + param_value[ptr++] = '\0'; + + param_value = rfc2047_decode(param_value, +- check_rfc2047_length, NULL, 32, NULL, &q); ++ 
check_rfc2047_length, NULL, 32, NULL, &dummy); + debug_printf("Found %s MIME parameter in %s header, " + "value is '%s'\n", mp->name, mime_header_list[i].name, + param_value); + } + *mp->value = param_value; +- p += mp->namelen + plen + 1; /* name=, content, ; */ + goto NEXT_PARAM_SEARCH; + } + } diff -Nru exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch --- exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.84/debian/patches/86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch 2015-10-31 13:50:54.000000000 +0100 
@@ -0,0 +1,59 @@ +From e7c25d5b603a33e677efc4bccb6e5cac617e7ad5 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Thu, 1 Jan 2015 21:47:10 +0000 +Subject: [PATCH] Avoid crash with badly-terminated non-recognised mime + parameter + +--- + src/mime.c | 18 +++++++++++------- + test/log/4000 | 3 +++ + test/mail/4000.userx | 42 +++++++++++++++++++++++++++++++++++++++++ + test/scripts/4000-scanning/4000 | 32 +++++++++++++++++++++++++++++++ + test/stdout/4000 | 11 +++++++++++ + 5 files changed, 99 insertions(+), 7 deletions(-) + +diff --git a/src/mime.c b/src/mime.c +index e5fe476..948dd78 100644 +--- a/src/mime.c ++++ b/src/mime.c +@@ -589,6 +589,7 @@ DECODE_HEADERS: + NEXT_PARAM_SEARCH: + while (*p) + { ++ /* debug_printf(" considering paramlist '%s'\n", p); */ + mime_parameter * mp; + for (mp = mime_parameter_list; + mp < &mime_parameter_list[mime_parameter_list_size]; +@@ -623,7 +624,7 @@ NEXT_PARAM_SEARCH: + + param_value = rfc2047_decode(param_value, + check_rfc2047_length, NULL, 32, NULL, &dummy); +- debug_printf("Found %s MIME parameter in %s header, " ++ debug_printf(" Found %s MIME parameter in %s header, " + "value is '%s'\n", mp->name, mime_header_list[i].name, + param_value); + } +@@ -631,14 +632,17 @@ NEXT_PARAM_SEARCH: + goto NEXT_PARAM_SEARCH; + } + } +- /* There is something, but not one of our interesting parameters. +- Advance to the next semicolon */ +- while(*p != ';') ++ /* There is something, but not one of our interesting parameters. ++ Advance to the next unquoted semicolon */ ++ while(*p && *p != ';') ++ if (*p == '"') + { +- if (*p == '"') while(*++p && *p != '"') ; +- p++; ++ while(*++p && *p != '"') ; ++ if (*p) p++; + } +- p++; ++ else ++ p++; ++ if (*p) p++; + } + } + } diff -Nru exim4-4.84/debian/patches/series exim4-4.84/debian/patches/series --- exim4-4.84/debian/patches/series 2015-02-17 17:55:04.000000000 +0100 +++ exim4-4.84/debian/patches/series 2015-10-31 13:50:54.000000000 +0100 
@@ -13,3 +13,5 @@ 82_quoted-or-r-2047-encoded.diff 83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch 84_Fix-truncation-of-items-in-headers_remove-lists-this.patch +85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch +86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch
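Review bot: in the debian/changelog hunk, the entry says both patches are pulled from upstream GIT but does not record that only the src/mime.c part was taken. The diffstat in the 85_ patch header still lists six files (test/confs/4000, test/log/4000, test/mail/4000.userx and so on) and the 86_ header lists five, while each patch file as added contains a single diff against src/mime.c. Either regenerate the diffstat or add a line to each patch header saying the test-suite changes were dropped, so a reader comparing against the upstream commits can see the omission is deliberate.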
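Review bot: in the src/mime.c hunk of 85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch, the return value of rfc2047_decode() is assigned straight back to param_value, passed to debug_printf() as a %s argument and stored in *mp->value without a check, and the error out-parameter is now a throwaway `dummy` that is never read. If rfc2047_decode() can return NULL for an undecodable value, the parameter is lost silently; consider testing the result, keeping the undecoded string as a fallback, and logging the error text rather than discarding it. The pointer handling itself reads correctly: every step past a quote or semicolon is now guarded by `if (*p) p++`, where the removed `p += mp->namelen + plen + 1` added one for the semicolon whether or not it was present.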
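Review bot: in 86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch, the rewritten skip loop at the end of NEXT_PARAM_SEARCH (and the value loop from the 85_ patch) treats every `"` as a quote delimiter, so a backslash-escaped quote inside a quoted value ends the quoted section early and a later `;` inside that value is taken as the parameter terminator. With the `*p &&` guards in place this is a mis-parse rather than an overrun, but the two loops now duplicate the same quote-aware scan; a small shared helper that skips one quoted string would keep them in step and give one place to handle `\"`. Separately, the first hunk adds a commented-out debug_printf directly above the `mime_parameter * mp;` declaration: drop it, or move it below the declaration so that enabling it does not put a statement before a declaration in that block.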