commit: fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c |
Author: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org> |
AuthorDate: Wed Jan 29 08:51:03 2020 +0000 |
Commit: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org> |
CommitDate: Wed Jan 29 08:51:26 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fabf7b6f |
|
mail-mta/opensmtpd: bump for security disaster |
|
Package-Manager: Portage-2.3.84, Repoman-2.3.20 |
Signed-off-by: Jason A. Donenfeld <zx2c4 <AT> gentoo.org> |
|
.../files/opensmtpd-6.0.3_p1-security-fixes.patch | 91 ++++++++++++++++++++++ |
...3_p1-r1.ebuild => opensmtpd-6.0.3_p1-r2.ebuild} | 3 +- |
2 files changed, 93 insertions(+), 1 deletion(-) |
|
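diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
new file mode 100644
index 00000000000..58f3ed8c38b
--- /dev/null
+++ b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
@@ -0,0 +1,91 @@
+diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c
+--- OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c 2018-01-04 23:24:01.000000000 +0100
++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c 2020-01-29 09:47:24.607457717 +0100
+@@ -1290,40 +1290,20 @@
+ break;
+
+ case IO_ERROR:
++ case IO_TLSERROR:
+ log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
+- if (!s->ready) {
+- mta_error(s, "IO Error: %s", io_error(io));
+- mta_connect(s);
+- break;
+- }
+- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
+- /* error in non-strict SSL negotiation, downgrade to plain */
+- if (s->flags & MTA_TLS) {
+- log_info("smtp-out: Error on session %016"PRIx64
+- ": opportunistic TLS failed, "
+- "downgrading to plain", s->id);
+- s->flags &= ~MTA_TLS;
+- s->flags |= MTA_DOWNGRADE_PLAIN;
+- mta_connect(s);
+- break;
+- }
+- }
+- mta_error(s, "IO Error: %s", io_error(io));
+- mta_free(s);
+- break;
+
+- case IO_TLSERROR:
+- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
+- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
++ if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
+ /* error in non-strict SSL negotiation, downgrade to plain */
+- log_info("smtp-out: TLS Error on session %016"PRIx64
+- ": TLS failed, "
++ log_info("smtp-out: Error on session %016"PRIx64
++ ": opportunistic TLS failed, "
+ "downgrading to plain", s->id);
+ s->flags &= ~MTA_TLS;
+ s->flags |= MTA_DOWNGRADE_PLAIN;
+ mta_connect(s);
+ break;
+ }
++
+ mta_error(s, "IO Error: %s", io_error(io));
+ mta_free(s);
+ break;
+diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c
+--- OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c 2018-01-04 23:24:01.000000000 +0100
++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c 2020-01-29 09:47:24.610791335 +0100
+@@ -2004,25 +2004,23 @@
+ memmove(maddr->user, p, strlen(p) + 1);
+ }
+
+- if (!valid_localpart(maddr->user) ||
+- !valid_domainpart(maddr->domain)) {
+- /* accept empty return-path in MAIL FROM, required for bounces */
+- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
+- return (1);
++ /* accept empty return-path in MAIL FROM, required for bounces */
++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
++ return (1);
+
+- /* no user-part, reject */
+- if (maddr->user[0] == '\0')
+- return (0);
+-
+- /* no domain, local user */
+- if (maddr->domain[0] == '\0') {
+- (void)strlcpy(maddr->domain, domain,
+- sizeof(maddr->domain));
+- return (1);
+- }
++ /* no or invalid user-part, reject */
++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
+ return (0);
++
++ /* no domain part, local user */
++ if (maddr->domain[0] == '\0') {
++ (void)strlcpy(maddr->domain, domain,
++ sizeof(maddr->domain));
+ }
+
++ if (!valid_domainpart(maddr->domain))
++ return (0);
++
+ return (1);
+ }
+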
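Review bot: The patch file carries no header saying what it backports, so nothing ties its two hunks to the upstream OpenSMTPD change they were taken from; add a few lines before the first `diff -ru` line, e.g. `Backport of upstream OpenSMTPD fixes: smtp_session.c validates the local part before the default-domain substitution, mta_session.c only downgrades to plain from the STARTTLS state. Upstream reference: [UPSTREAM-COMMIT-OR-ADVISORY]`. In the mta_session.c hunk the old `!s->ready` branch that retried with `mta_connect(s)` on a pre-ready IO error is removed together with the downgrade-on-any-IO-error path, so such errors now fall through to `mta_error` and `mta_free`; if that mirrors upstream it is fine, but it is a behavior change beyond the TLS-downgrade fix and the header should say so. The smtp_session.c hunk is correct in checking `valid_localpart` before the `strlcpy` of the default domain, a check the old code skipped whenever the domain part was empty, and it now also validates the substituted domain. Both enclosing functions start and end outside the hunks.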
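diff --git a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
similarity index 96%
rename from mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild
rename to mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
index bd087d961d5..bed05258e9c 100644
--- a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild
+++ b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -42,6 +42,7 @@ S=${WORKDIR}/${P/_}
 PATCHES=(
 "${FILESDIR}/${P}-fix-crash-on-auth.patch"
 "${FILESDIR}/${P}-openssl_1.1.patch"
+ "${FILESDIR}/${P}-security-fixes.patch"
 )
 
 src_configure() {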