Your message dated Sat, 09 Nov 2024 10:51:02 +0000 with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk> and subject line Closing bugs released with 12.8 has caused the Debian Bug report #1082935, regarding bookworm-pu: package exim4/4.96-15+deb12u6 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

-- 
1082935: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082935
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package exim4/4.96-15+deb12u6
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Sat, 28 Sep 2024 18:15:22 +0200
- Message-id: <ZvgrmkGbwIS2tZNC@argenau.bebt.de>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: exim4@packages.debian.org
Control: affects -1 + src:exim4
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to fix an exim regression in bookworm (introduced in 4.96):

* Fix crash in dbmnz when looking up keys with no content.
  Closes: #1080472
  https://bugs.exim.org/show_bug.cgi?id=3079

The backport has been requested by a user, it was fixed in unstable in 4.97-7.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2024-07-09 10:53:35.000000000 +0200 +++ exim4-4.96/debian/changelog 2024-09-28 16:49:26.000000000 +0200 @@ -1,3 +1,10 @@ +exim4 (4.96-15+deb12u6) bookworm; urgency=medium + + * Fix crash in dbmnz when looking up keys with no content. + Closes: #1080472 + + -- Andreas Metzler <ametzler@debian.org> Sat, 28 Sep 2024 16:49:26 +0200 + exim4 (4.96-15+deb12u5) bookworm-security; urgency=high * Fix parsing of multiline RFC 2231 header filename parameter in mime ACL. diff -Nru exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch --- exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch 2024-09-28 16:46:44.000000000 +0200 
@@ -0,0 +1,141 @@ +From a7e6ad0ba38cf088e841c321042f81966d846b4b Mon Sep 17 00:00:00 2001 +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Sat, 16 Mar 2024 13:50:45 +0000 +Subject: [PATCH] Lookups: fix dbmnz crash on zero-length datum. Bug 3079 + +Broken-by: 6d2c02560e5c +--- + doc/ChangeLog | 3 +++ + src/dbfn.c | 12 +++++++----- + src/exim_dbutil.c | 12 +++++++----- + src/lookups/dbmdb.c | 5 ++++- + test/aux-fixed/2302.emptydbmnzlookup | Bin 0 -> 12288 bytes + test/confs/2302 | 3 +++ + test/scripts/2300-DBM/2302 | 4 ++++ + test/stdout/2302 | 1 + + 8 files changed, 29 insertions(+), 11 deletions(-) + create mode 100644 test/aux-fixed/2302.emptydbmnzlookup + create mode 100644 test/confs/2302 + create mode 100644 test/scripts/2300-DBM/2302 + create mode 100644 test/stdout/2302 + +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -64,10 +64,13 @@ JH/20 Fix TLSA lookups. Previously dns_ + + JH/23 Fix crash in string expansions. Previously, if an empty variable was + immediately followed by an expansion operator, a null-indirection read + was done, killing the process. + ++JH/25 Bug 3079: Fix crash in dbmnz. When a key was present for zero-length ++ data a null pointer was followed. Find and testcase by Sebastian Bugge. ++ + JH/27 Fix ${srs_encode ..}. Previously it would give a bad result for one day + every 1024 days. + + JH/28 Bug 2996: Fix a crash in the smtp transport. 
When finding that the + message being considered for delivery was already being handled by +--- a/src/dbfn.c ++++ b/src/dbfn.c +@@ -236,16 +236,17 @@ Arguments: + Returns: a pointer to the retrieved record, or + NULL if the record is not found + */ + + void * +-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length) ++dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length) + { +-void *yield; ++void * yield; + EXIM_DATUM key_datum, result_datum; + int klen = Ustrlen(key) + 1; + uschar * key_copy = store_get(klen, key); ++unsigned dlen; + + memcpy(key_copy, key, klen); + + DEBUG(D_hints_lookup) debug_printf_indent("dbfn_read: key=%s\n", key); + +@@ -257,13 +258,14 @@ exim_datum_size_set(&key_datum, klen); + if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL; + + /* Assume the data store could have been tainted. Properly, we should + store the taint status with the data. */ + +-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED); +-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum)); +-if (length) *length = exim_datum_size_get(&result_datum); ++dlen = exim_datum_size_get(&result_datum); ++yield = store_get(dlen, GET_TAINTED); ++memcpy(yield, exim_datum_data_get(&result_datum), dlen); ++if (length) *length = dlen; + + exim_datum_free(&result_datum); /* Some DBM libs require freeing */ + return yield; + } + +--- a/src/exim_dbutil.c ++++ b/src/exim_dbutil.c +@@ -401,16 +401,17 @@ Arguments: + Returns: a pointer to the retrieved record, or + NULL if the record is not found + */ + + void * +-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length) ++dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length) + { +-void *yield; ++void * yield; + EXIM_DATUM key_datum, result_datum; + int klen = Ustrlen(key) + 1; + uschar * key_copy = store_get(klen, key); ++unsigned dlen; + + memcpy(key_copy, key, klen); + + exim_datum_init(&key_datum); /* 
Some DBM libraries require the datum */ + exim_datum_init(&result_datum); /* to be cleared before use. */ +@@ -420,13 +421,14 @@ exim_datum_size_set(&key_datum, klen); + if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL; + + /* Assume for now that anything stored could have been tainted. Properly + we should store the taint status along with the data. */ + +-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED); +-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum)); +-if (length) *length = exim_datum_size_get(&result_datum); ++dlen = exim_datum_size_get(&result_datum); ++yield = store_get(dlen, GET_TAINTED); ++memcpy(yield, exim_datum_data_get(&result_datum), dlen); ++if (length) *length = dlen; + + exim_datum_free(&result_datum); /* Some DBM libs require freeing */ + return yield; + } + +--- a/src/lookups/dbmdb.c ++++ b/src/lookups/dbmdb.c +@@ -99,11 +99,12 @@ exim_datum_data_set(&key, + memcpy(store_get(length, keystring), keystring, length)); /* key can have embedded NUL */ + exim_datum_size_set(&key, length); + + if (exim_dbget(d, &key, &data)) + { +- *result = string_copyn(exim_datum_data_get(&data), exim_datum_size_get(&data)); ++ unsigned len = exim_datum_size_get(&data); ++ *result = len > 0 ? string_copyn(exim_datum_data_get(&data), len) : US""; + exim_datum_free(&data); /* Some DBM libraries need a free() call */ + return OK; + } + return FAIL; + } +@@ -280,5 +281,7 @@ lookup_info dbmjz_lookup_info = { + + static lookup_info *_lookup_list[] = { &dbm_lookup_info, &dbmz_lookup_info, &dbmjz_lookup_info }; + lookup_module_info dbmdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 }; + + /* End of lookups/dbmdb.c */ ++/* vi: aw ai sw=2 ++*/ diff -Nru exim4-4.96/debian/patches/series exim4-4.96/debian/patches/series --- exim4-4.96/debian/patches/series 2024-07-09 10:53:35.000000000 +0200 +++ exim4-4.96/debian/patches/series 2024-09-28 16:46:46.000000000 +0200 
@@ -53,4 +53,5 @@ 78_01-Fix-MIME-parsing-of-filenames-specified-using-multip.patch 78_02-MIME-support-RFC-2331-for-name-.-Bug-3099.patch 78_03-Compiler-quietening.patch +80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch 90_localscan_dlopen.dpatch
Attachment: signature.asc
Description: PGP signature
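
Review bot: The diffstat in the header of the new 80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch lists eight files, including test/aux-fixed/2302.emptydbmnzlookup, test/confs/2302, test/scripts/2300-DBM/2302 and test/stdout/2302, but the patch body only carries hunks for doc/ChangeLog, src/dbfn.c, src/exim_dbutil.c and src/lookups/dbmdb.c. Add a line to the patch header saying that the upstream test case was left out of the backport, so the header matches what is applied and it is clear that the regression test for Bug 3079 does not ship with this update.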
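
Review bot: In the src/dbfn.c hunk at @@ -257, memcpy(yield, exim_datum_data_get(&result_datum), dlen) still runs when dlen is 0, so the datum's data pointer reaches memcpy without any check. The ChangeLog entry in this same patch says a null pointer was followed for zero-length data, and C leaves memcpy with a null source undefined even for a zero count. The src/lookups/dbmdb.c hunk guards its copy with len > 0; doing the same here, for example if (dlen) memcpy(...), would make the two read paths consistent.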
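
Review bot: In the src/exim_dbutil.c hunk at @@ -420, the new unsigned dlen is written to the caller's int through if (length) *length = dlen; with no range check, so a size above INT_MAX would arrive at the caller as a negative length. Either give dlen the same type as *length or reject oversized values before the store_get call. The added lines are also identical to the ones added in src/dbfn.c, so any follow-up change has to be made in both files.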
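
Review bot: In the src/lookups/dbmdb.c hunk at @@ -99, the zero-length branch hands back the literal US"" while the non-empty branch hands back a fresh string_copyn copy, so *result now has two different storage origins. It is worth confirming that no caller writes through or tries to release *result, and a short comment on the len > 0 line explaining that a present key with empty data is returned as OK with an empty string would document the intended behaviour.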
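
Review bot: The src/lookups/dbmdb.c hunk at @@ -280 only appends a vi modeline comment, and the first hunks in src/dbfn.c and src/exim_dbutil.c respace the dbfn_read_with_length signature and the void * yield declaration; none of these lines is needed for the dbmnz fix. For a stable point-release upload, say in the patch header that the cosmetic lines are carried unchanged from the upstream commit a7e6ad0ba38c, or drop them so the debdiff contains only the functional change.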
--- End Message ---
--- Begin Message ---
- To: 1074088-done@bugs.debian.org, 1074126-done@bugs.debian.org, 1076473-done@bugs.debian.org, 1077668-done@bugs.debian.org, 1079689-done@bugs.debian.org, 1079733-done@bugs.debian.org, 1080363-done@bugs.debian.org, 1080402-done@bugs.debian.org, 1080968-done@bugs.debian.org, 1081034-done@bugs.debian.org, 1081035-done@bugs.debian.org, 1081169-done@bugs.debian.org, 1081317-done@bugs.debian.org, 1081343-done@bugs.debian.org, 1081388-done@bugs.debian.org, 1081389-done@bugs.debian.org, 1081394-done@bugs.debian.org, 1081399-done@bugs.debian.org, 1081410-done@bugs.debian.org, 1081413-done@bugs.debian.org, 1081418-done@bugs.debian.org, 1081750-done@bugs.debian.org, 1082024-done@bugs.debian.org, 1082153-done@bugs.debian.org, 1082155-done@bugs.debian.org, 1082322-done@bugs.debian.org, 1082701-done@bugs.debian.org, 1082710-done@bugs.debian.org, 1082746-done@bugs.debian.org, 1082783-done@bugs.debian.org, 1082902-done@bugs.debian.org, 1082935-done@bugs.debian.org, 1083026-done@bugs.debian.org, 1083090-done@bugs.debian.org, 1083162-done@bugs.debian.org, 1083223-done@bugs.debian.org, 1084171-done@bugs.debian.org, 1084845-done@bugs.debian.org, 1084907-done@bugs.debian.org, 1085026-done@bugs.debian.org, 1085176-done@bugs.debian.org, 1085227-done@bugs.debian.org, 1085281-done@bugs.debian.org, 1085430-done@bugs.debian.org, 1085591-done@bugs.debian.org, 1085708-done@bugs.debian.org, 1085711-done@bugs.debian.org, 1085965-done@bugs.debian.org, 1086116-done@bugs.debian.org, 1086149-done@bugs.debian.org, 1086151-done@bugs.debian.org, 1086154-done@bugs.debian.org, 1086157-done@bugs.debian.org, 1086163-done@bugs.debian.org, 1086164-done@bugs.debian.org, 1086193-done@bugs.debian.org, 1086207-done@bugs.debian.org, 1086601-done@bugs.debian.org, 1086611-done@bugs.debian.org, 1086613-done@bugs.debian.org, 1086632-done@bugs.debian.org, 1081535-done@bugs.debian.org
- Subject: Closing bugs released with 12.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Nov 2024 10:51:02 +0000
- Message-id: <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>
Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8 bookworm point release.

Regards,

Adam
--- End Message ---