Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please shorten the waiting time for migration of exim4 to testing. This package's version includes a fix for CVE-2016-9963 (stable's DSA 3747-1). * Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA physical line limit check for both the SMTP DATA ACL and the remote_smtp* transports. Closes: #828801 Also update corresponding NEWS entry. * [lintian] debian/changelog: s/lenght/length/ * Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM information leakage issue CVE-2016-9963. unblock exim4/4.88~RC6-2 TIA, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in second .changes but not in first
-----------------------------------------
-rw-r--r-- root/root /usr/lib/debug/.build-id/0e/6ccd0a87df0978d44e8c56384725977293a6dd.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/41/1af8cce86cb5d33e1bdbb837691965bcf4bbe5.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/46/d0128b00d8487771080db604a216ffe5bbc4c9.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/8b/070c0099a8863f5af9e0dc6b4b8b30c882d5e3.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/a2/748941706aae40a4a467296db62bc5fbc5874e.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/b5/21f3139342b3cc5fefc9d5160d1c609170bdf2.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/bc/5c505fbec14f3a52727df50b7ed9a256a6896a.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/d6/5072ddeb66cc7ad6950e23e0ea5d2ea76f9015.debug
Files in first .changes but not in second
-----------------------------------------
-rw-r--r-- root/root /usr/lib/debug/.build-id/37/68bfb280763a8320ac0cb1b3f5128a6b2f7d50.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/67/180bb423dc99137f0dc7f115e46fa176414b9b.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/71/e8fbf0661a197ef7edf1a50faf9114d0551867.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/76/2c5a67771e75896543d5308d0f31e3a17102b1.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/a0/65508918ffd2a967a51fb0e172d0d85890798c.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/e0/2d1716e0c78e2d1fc27323ec0283c2048e0680.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/f0/aa82f38a765839ff6488981bb29adf9d0c7f4d.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/fc/0f8ff4895d18f4a3647db63921eba5887c1477.debug
Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.39), exim4-base (>= [-4.88~RC6-1),-] {+4.88~RC6-2),+} exim4-base (<< [-4.88~RC6-1.1),-] {+4.88~RC6-2.1),+} exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-e02d1716e0c78e2d1fc27323ec0283c2048e0680-] {+a2748941706aae40a4a467296db62bc5fbc5874e+}
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-3768bfb280763a8320ac0cb1b3f5128a6b2f7d50-] {+0e6ccd0a87df0978d44e8c56384725977293a6dd+}
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Build-Ids: [-67180bb423dc99137f0dc7f115e46fa176414b9b 71e8fbf0661a197ef7edf1a50faf9114d0551867 762c5a67771e75896543d5308d0f31e3a17102b1 a065508918ffd2a967a51fb0e172d0d85890798c fc0f8ff4895d18f4a3647db63921eba5887c1477-] {+411af8cce86cb5d33e1bdbb837691965bcf4bbe5 46d0128b00d8487771080db604a216ffe5bbc4c9 8b070c0099a8863f5af9e0dc6b4b8b30c882d5e3 b521f3139342b3cc5fefc9d5160d1c609170bdf2 d65072ddeb66cc7ad6950e23e0ea5d2ea76f9015+}
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
diff -Nru exim4-4.88~RC6/debian/changelog exim4-4.88~RC6/debian/changelog
--- exim4-4.88~RC6/debian/changelog 2016-12-08 07:19:18.000000000 +0100
+++ exim4-4.88~RC6/debian/changelog 2016-12-22 16:50:21.000000000 +0100
@@ -1,3 +1,15 @@
+exim4 (4.88~RC6-2) unstable; urgency=high
+
+ * Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA
+ physical line limit check for both for SMTP DATA ACL and remote_smtp*
+ transports. Closes: #828801
+ Also update corresponding NEWS entry.
+ * [lintian] debian/changelog: s/lenght/length/
+ * Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM
+ information leakage issue CVE-2016-9963.
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 22 Dec 2016 16:50:21 +0100
+
exim4 (4.88~RC6-1) unstable; urgency=low
* New upstream version.
@@ -109,7 +121,7 @@
expansion. https://bugs.exim.org/show_bug.cgi?id=165
* Copy information message on rejecting overlong lines in data ACL from
upstream example configuration. Closes: #823418
- * Add NEWS entry on line-lenght-limit introduced in 4.87~RC1-1.
+ * Add NEWS entry on line-length-limit introduced in 4.87~RC1-1.
Closes: 821830
-- Andreas Metzler <ametzler@debian.org> Sun, 08 May 2016 14:03:10 +0200
@@ -3805,7 +3817,7 @@
- Supports CRL (Certificate Revocation List) (Closes: #229063)
- exim_dbmbuild does not crash on _very_ long RHS values.
(Closes: #231597)
- - route_list does not use a fixed lenght buffer anymore. (Closes: #231979)
+ - route_list does not use a fixed length buffer anymore. (Closes: #231979)
- An empty tls_verify_certificates file is correctly interpreted as empty
list instead of breaking TLS. (Closes: #236478)
* Korean translation of debconf templates by Changwoo Ryu (Closes: #241499)
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data
--- exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data 2016-12-18 13:59:15.000000000 +0100
@@ -11,9 +11,11 @@
# Deny if the message contains an overlong line. Per the standards
# we should never receive one such via SMTP.
#
+ .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
deny message = maximum allowed line length is 998 octets, \
got $max_received_linelength
condition = ${if > {$max_received_linelength}{998}}
+ .endif
# Deny unless the address list headers are syntactically correct.
#
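Review bot: The comment above the deny ("Deny if the message contains an overlong line. Per the standards we should never receive one such via SMTP.") still describes the check as unconditional, while the new `.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT` makes it skippable, so a reader of the generated configuration gets no local hint that the macro exists or what disabling it gives up. I would add `# Define IGNORE_SMTP_LINE_LENGTH_LIMIT to skip this check; see NEWS for the consequences.` directly before the `.ifndef`. The same one-line comment fits the guards added in 30_exim4-config_remote_smtp and 30_exim4-config_remote_smtp_smarthost, where the `message_size_limit` expression that rejects overlong-line messages on the sending side is otherwise unexplained. The enclosing ACL definition starts before and ends after this hunk.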
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp
--- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2016-12-18 13:59:52.000000000 +0100
@@ -9,7 +9,9 @@
remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain"
driver = smtp
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost
--- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2016-12-18 14:00:13.000000000 +0100
@@ -12,7 +12,9 @@
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
diff -Nru exim4-4.88~RC6/debian/NEWS exim4-4.88~RC6/debian/NEWS
--- exim4-4.88~RC6/debian/NEWS 2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/NEWS 2016-12-18 14:04:32.000000000 +0100
@@ -1,9 +1,11 @@
exim4 (4.87-3) unstable; urgency=medium
- Starting with 4.87~RC1-1 exim will not accept messages with physical lines
- longer than 998 characters. Delivery of such RFC-violating message might
- fail and subsequently cause routing errors and loss of legitimate mail.
- See <https://bugs.exim.org/show_bug.cgi?id=1684>.
+ Starting with 4.87~RC1-1 exim will not accept or send out messages with
+ physical lines longer than 998 characters by SMTP DATA. Delivery of such
+ RFC-violating message might fail and subsequently cause routing errors and
+ loss of legitimate mail. See <https://bugs.exim.org/show_bug.cgi?id=1684>.
+ This limit can be disabled by setting the macro
+ IGNORE_SMTP_LINE_LENGTH_LIMIT.
-- Andreas Metzler <ametzler@debian.org> Sun, 08 May 2016 14:03:10 +0200
diff -Nru exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch
--- exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch 1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch 2016-12-18 18:16:03.000000000 +0100
@@ -0,0 +1,73 @@
+From 87cb4a166c47b57df48c2918e47801d77639fbb0 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh@wizmail.org>
+Date: Fri, 16 Dec 2016 20:45:44 +0000
+Subject: [PATCH 1/2] Fix DKIM information leakage
+
+
+JH/34 SECURITY: Use proper copy of DATA command in error message.
+ Could leak key material. Remotely exploitable. CVE-2016-9963.
+
+diff --git a/src/dkim.c b/src/dkim.c
+index 3fa11c80..70c9547e 100644
+--- a/src/dkim.c
++++ b/src/dkim.c
+@@ -612,6 +612,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
+ CS dkim_private_key_expanded,
+ PDKIM_ALGO_RSA_SHA256,
+ dkim->dot_stuffed);
++ dkim_private_key_expanded[0] = '\0';
+ pdkim_set_optional(ctx,
+ CS dkim_sign_headers_expanded,
+ NULL,
+diff --git a/src/transports/smtp.c b/src/transports/smtp.c
+index d6ef34ef..a19e85ff 100644
+--- a/src/transports/smtp.c
++++ b/src/transports/smtp.c
+@@ -285,10 +285,11 @@ static uschar *rf_names[] = { US"NEVER", US"SUCCESS", US"FAILURE", US"DELAY" };
+
+ /* Local statics */
+
+-static uschar *smtp_command; /* Points to last cmd for error messages */
+-static uschar *mail_command; /* Points to MAIL cmd for error messages */
+-static BOOL update_waiting; /* TRUE to update the "wait" database */
+-static BOOL pipelining_active; /* current transaction is in pipe mode */
++static uschar *smtp_command; /* Points to last cmd for error messages */
++static uschar *mail_command; /* Points to MAIL cmd for error messages */
++static uschar *data_command = US""; /* Points to DATA cmd for error messages */
++static BOOL update_waiting; /* TRUE to update the "wait" database */
++static BOOL pipelining_active; /* current transaction is in pipe mode */
+
+
+ /*************************************************
+@@ -1390,10 +1391,14 @@ uschar * buffer = tctx->buffer;
+ /* Write SMTP chunk header command */
+
+ if (chunk_size > 0)
++ {
+ if((cmd_count = smtp_write_command(tctx->outblock, FALSE, "BDAT %u%s\r\n",
+ chunk_size,
+ flags & tc_chunk_last ? " LAST" : "")
+ ) < 0) return ERROR;
++ if (flags & tc_chunk_last)
++ data_command = string_copy(big_buffer); /* Save for later error message */
++ }
+
+ prev_cmd_count = cmd_count += tctx->cmd_count;
+
+@@ -2512,6 +2517,7 @@ if ( !(peer_offered & PEER_OFFERED_CHUNKING)
+ default: goto RESPONSE_FAILED; /* I/O error, or any MAIL/DATA error */
+ }
+ pipelining_active = FALSE;
++ data_command = string_copy(big_buffer); /* Save for later error message */
+ }
+
+ /* If there were no good recipients (but otherwise there have been no
+@@ -2735,7 +2741,7 @@ else
+ #else
+ "LMTP error after %s: %s",
+ #endif
+- big_buffer, string_printing(buffer));
++ data_command, string_printing(buffer));
+ setflag(addr, af_pass_message); /* Allow message to go to user */
+ if (buffer[0] == '5')
+ addr->transport_return = FAIL;
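Review bot: In the src/dkim.c part of the pulled patch, `dkim_private_key_expanded[0] = '\0';` only terminates the string; the remaining bytes of the expanded private key stay in that buffer, so the change keeps the key out of the error message but does not scrub the material from memory. This is upstream's fix pulled verbatim, so I would not alter it in the Debian patch, but a one-line remark in the patch header noting that the buffer is not fully overwritten would let a follow-up (an explicit overwrite of the expanded key's full length) be tracked against upstream rather than forgotten. The smtp.c side looks sound: `data_command` is initialised to `US""`, so the error path that now prints `data_command` instead of `big_buffer` never dereferences an unset pointer when no DATA or BDAT command was saved. The functions around every quoted hunk start and end outside the patch.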
diff -Nru exim4-4.88~RC6/debian/patches/series exim4-4.88~RC6/debian/patches/series
--- exim4-4.88~RC6/debian/patches/series 2016-11-19 17:39:37.000000000 +0100
+++ exim4-4.88~RC6/debian/patches/series 2016-12-18 18:16:06.000000000 +0100
@@ -8,4 +8,5 @@
60_convert4r4.dpatch
67_unnecessaryCopt.diff
70_remove_exim-users_references.dpatch
+75_Fix-DKIM-information-leakage.patch
92_CVE-2016-1238.diff