
Bug#827038: marked as done (wheezy-pu: package exim4/4.80-7+deb7u3)



Your message dated Sat, 11 Jun 2016 14:31:14 +0100
with message-id <1465651874.28959.5.camel@adam-barratt.org.uk>
and subject line Re: Bug#827038: wheezy-pu: package exim4/4.80-7+deb7u3
has caused the Debian Bug report #827038,
regarding wheezy-pu: package exim4/4.80-7+deb7u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
827038: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827038
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

the upload for DSA-3517-1 introduced a new expansion item
($initial_cwd). - Exim now changes to / at start and therefore cwd did
not show the original working directory anymore. However in the wheezy
upload $initial_cwd did not work because of a missing patch. I would
like to fix this with an upload to oldstable. (This does not apply to
jessie/testing/sid).

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru exim4-4.80/debian/changelog exim4-4.80/debian/changelog
--- exim4-4.80/debian/changelog	2016-03-14 21:02:22.000000000 +0100
+++ exim4-4.80/debian/changelog	2016-06-11 15:06:20.000000000 +0200
@@ -1,3 +1,13 @@
+exim4 (4.80-7+deb7u4) wheezy; urgency=medium
+
+  * 89_03_Fix_initial_cwd_expansion.diff: Backport
+    3de973a29de6852d61ba9bf1845835d08ca5a5ab (Delay chdir(/) until we opened
+    the main config) to actually make $initial_cwd expansion work.
+    (Thanks, Серж ИвановЪ for bugreport and pointer to missing patch)
+    Closes: #818897, #826646
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 11 Jun 2016 15:06:15 +0200
+
 exim4 (4.80-7+deb7u3) wheezy; urgency=medium
 
   * Non-maintainer upload.
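
Review bot: The new 4.80-7+deb7u4 entry describes the backport only as making $initial_cwd expansion work, but the patch it adds also removes the "-C %s: only absolute names are allowed" check from readconf.c and the matching sentence from doc/spec.txt. That changes what -C accepts, so it deserves its own line in the entry where administrators reading the changelog will see it.
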
diff -Nru exim4-4.80/debian/patches/89_03_Fix_initial_cwd_expansion.diff exim4-4.80/debian/patches/89_03_Fix_initial_cwd_expansion.diff
--- exim4-4.80/debian/patches/89_03_Fix_initial_cwd_expansion.diff	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.80/debian/patches/89_03_Fix_initial_cwd_expansion.diff	2016-06-11 15:04:46.000000000 +0200
@@ -0,0 +1,80 @@
+Backport of 3de973a29de6852d61ba9bf1845835d08ca5a5ab
+
+From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
+Date: Wed, 2 Mar 2016 22:07:45 +0100
+Subject: [PATCH] Delay chdir(/) until we opened the main config
+
+--- exim4-4.80.orig/src/exim.c
++++ exim4-4.80/src/exim.c
+@@ -3491,14 +3491,11 @@ init_lookup_list();
+ 
+ /* Read the main runtime configuration data; this gives up if there
+ is a failure. It leaves the configuration file open so that the subsequent
+-configuration data for delivery can be read if needed. */
++configuration data for delivery can be read if needed.
+ 
+-/* To be safe: change the working directory to /. */
+-if (Uchdir("/") < 0)
+-  {
+-    perror("exim: chdir `/': ");
+-    exit(EXIT_FAILURE);
+-  }
++NOTE: immediatly after opening the configuration file we change the working
++directory to "/"! Later we change to $spool_directory. We do it there, because
++during readconf_main() some expansion takes place already. */
+ 
+ /* Store the initial cwd before we change directories */
+ if ((initial_cwd = getcwd(NULL, 0)) == NULL)
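
Review bot: In the rewritten comment above the getcwd() call, "immediatly" should be "immediately", and "We do it there" does not say where. With the Uchdir("/") block removed from this file, the directory change is now a side effect of readconf_main(), so the comment should name readconf.c (or the function) explicitly for anyone reading exim.c on its own.
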
+@@ -3509,6 +3506,8 @@ if ((initial_cwd = getcwd(NULL, 0)) == N
+ 
+ readconf_main();
+ 
++/* Now in directory "/" */
++
+ if (cleanup_environment() == FALSE)
+   log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
+ 
+--- exim4-4.80.orig/src/readconf.c
++++ exim4-4.80/src/readconf.c
+@@ -2906,14 +2906,6 @@ while((filename = string_nextinlist(&lis
+        != NULL)
+   {
+ 
+-  /* To avoid confusion: Exim changes to / at the very beginning and
+-   * and to $spool_directory later. */
+-  if (filename[0] != '/')
+-    {
+-    fprintf(stderr, "-C %s: only absolute names are allowed\n", filename);
+-    exit(EXIT_FAILURE);
+-  }
+-
+   /* Cut out all the fancy processing unless specifically wanted */
+ 
+   #if defined(CONFIGURE_FILE_USE_NODE) || defined(CONFIGURE_FILE_USE_EUID)
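
Review bot: Removing the filename[0] != '/' check at the top of the loop means a relative -C name is now opened relative to whatever directory the caller started Exim in, because the chdir to "/" has moved to after the loop. If that is intended, replace the deleted comment with one saying so, since the remaining code gives no hint of which directory relative names are resolved against.
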
+@@ -2967,6 +2959,15 @@ while((filename = string_nextinlist(&lis
+   if (config_file != NULL || errno != ENOENT) break;
+   }
+ 
++/* Now, once we found and opened our configuration file, we change the directory
++to a safe place. Later we change to $spool_directory. */
++
++if (Uchdir("/") < 0)
++  {
++  perror("exim: chdir `/': ");
++  exit(EXIT_FAILURE);
++  }
++
+ /* On success, save the name for verification; config_filename is used when
+ logging configuration errors (it changes for .included files) whereas
+ config_main_filename is the name shown by -bP. Failure to open a configuration
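
Review bot: The added Uchdir("/") block sits directly after the loop and before the handling that the next comment begins to describe ("On success, ... Failure to open a configuration"), so it runs whether or not a file was opened, while its own comment says "once we found and opened our configuration file"; reword the comment or move the block below the failure check. Separately, perror() appends ": " and the error text itself, so the string "exim: chdir `/': " prints a doubled colon; drop the trailing ": ".
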
+--- exim4-4.80.orig/doc/spec.txt
++++ exim4-4.80/doc/spec.txt
+@@ -3305,8 +3305,6 @@ brief message about itself and exits.
+     first file that exists is used. Failure to open an existing file stops Exim
+     from proceeding any further along the list, and an error is generated.
+ 
+-    The file names need to be absolute names.
+-
+     When this option is used by a caller other than root, and the list is
+     different from the compiled-in list, Exim gives up its root privilege
+     immediately, and runs with the real and effective uid and gid set to those
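
Review bot: Deleting "The file names need to be absolute names." leaves the -C description silent on relative names. Suggest replacing the sentence rather than dropping it, stating which directory a relative name is resolved against; from the readconf.c change in this patch that appears to be the directory Exim was started in.
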
diff -Nru exim4-4.80/debian/patches/series exim4-4.80/debian/patches/series
--- exim4-4.80/debian/patches/series	2016-03-14 21:02:22.000000000 +0100
+++ exim4-4.80/debian/patches/series	2016-06-11 15:04:54.000000000 +0200
@@ -20,3 +20,4 @@
 88_CVE-2016-1531.diff
 89_01_only_warn_on_nonempty_environment.diff
 89_02_Store-the-initial-working-directory.diff
+89_03_Fix_initial_cwd_expansion.diff

--- End Message ---
--- Begin Message ---
Hi,

On Sat, 2016-06-11 at 15:19 +0200, Andreas Metzler wrote:
> the upload for DSA-3517-1 introduced a new expansion item
> ($initial_cwd). - Exim now changes to / at start and therefore cwd did
> not show the original working directory anymore. However in the wheezy
> upload $initial_cwd did not work because of a missing patch. I would
> like to fix this with an upload to oldstable. (This does not apply to
> jessie/testing/sid).

I'm afraid that 7.11 was the final point release for wheezy, as
mentioned in https://www.debian.org/News/2016/2016060402

Any further updates to wheezy are now made via the LTS initiative, using
wheezy-security; https://wiki.debian.org/LTS/Development may be of use
in that respect.

Regards,

Adam

--- End Message ---
