
From: "Jason A. Donenfeld" <zx2c4@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: mail-mta/opensmtpd/files/, mail-mta/opensmtpd/
Date: Wed, 29 Jan 2020 08:51:44
Message-Id: 1580287886.fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c.zx2c4@gentoo
1 commit: fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c
2 Author: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 29 08:51:03 2020 +0000
4 Commit: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 29 08:51:26 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fabf7b6f
7
8 mail-mta/opensmtpd: bump for security disaster
9
10 Package-Manager: Portage-2.3.84, Repoman-2.3.20
11 Signed-off-by: Jason A. Donenfeld <zx2c4 <AT> gentoo.org>
12
13 .../files/opensmtpd-6.0.3_p1-security-fixes.patch | 91 ++++++++++++++++++++++
14 ...3_p1-r1.ebuild => opensmtpd-6.0.3_p1-r2.ebuild} | 3 +-
15 2 files changed, 93 insertions(+), 1 deletion(-)
16
17 diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
18 new file mode 100644
19 index 00000000000..58f3ed8c38b
20 --- /dev/null
21 +++ b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
22 @@ -0,0 +1,91 @@
23 +diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c
24 +--- OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c 2018-01-04 23:24:01.000000000 +0100
25 ++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c 2020-01-29 09:47:24.607457717 +0100
26 +@@ -1290,40 +1290,20 @@
27 + break;
28 +
29 + case IO_ERROR:
30 ++ case IO_TLSERROR:
31 + log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
32 +- if (!s->ready) {
33 +- mta_error(s, "IO Error: %s", io_error(io));
34 +- mta_connect(s);
35 +- break;
36 +- }
37 +- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
38 +- /* error in non-strict SSL negotiation, downgrade to plain */
39 +- if (s->flags & MTA_TLS) {
40 +- log_info("smtp-out: Error on session %016"PRIx64
41 +- ": opportunistic TLS failed, "
42 +- "downgrading to plain", s->id);
43 +- s->flags &= ~MTA_TLS;
44 +- s->flags |= MTA_DOWNGRADE_PLAIN;
45 +- mta_connect(s);
46 +- break;
47 +- }
48 +- }
49 +- mta_error(s, "IO Error: %s", io_error(io));
50 +- mta_free(s);
51 +- break;
52 +
53 +- case IO_TLSERROR:
54 +- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
55 +- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
56 ++ if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
57 + /* error in non-strict SSL negotiation, downgrade to plain */
58 +- log_info("smtp-out: TLS Error on session %016"PRIx64
59 +- ": TLS failed, "
60 ++ log_info("smtp-out: Error on session %016"PRIx64
61 ++ ": opportunistic TLS failed, "
62 + "downgrading to plain", s->id);
63 + s->flags &= ~MTA_TLS;
64 + s->flags |= MTA_DOWNGRADE_PLAIN;
65 + mta_connect(s);
66 + break;
67 + }
68 ++
69 + mta_error(s, "IO Error: %s", io_error(io));
70 + mta_free(s);
71 + break;
72 +diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c
73 +--- OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c 2018-01-04 23:24:01.000000000 +0100
74 ++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c 2020-01-29 09:47:24.610791335 +0100
75 +@@ -2004,25 +2004,23 @@
76 + memmove(maddr->user, p, strlen(p) + 1);
77 + }
78 +
79 +- if (!valid_localpart(maddr->user) ||
80 +- !valid_domainpart(maddr->domain)) {
81 +- /* accept empty return-path in MAIL FROM, required for bounces */
82 +- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
83 +- return (1);
84 ++ /* accept empty return-path in MAIL FROM, required for bounces */
85 ++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
86 ++ return (1);
87 +
88 +- /* no user-part, reject */
89 +- if (maddr->user[0] == '\0')
90 +- return (0);
91 +-
92 +- /* no domain, local user */
93 +- if (maddr->domain[0] == '\0') {
94 +- (void)strlcpy(maddr->domain, domain,
95 +- sizeof(maddr->domain));
96 +- return (1);
97 +- }
98 ++ /* no or invalid user-part, reject */
99 ++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
100 + return (0);
101 ++
102 ++ /* no domain part, local user */
103 ++ if (maddr->domain[0] == '\0') {
104 ++ (void)strlcpy(maddr->domain, domain,
105 ++ sizeof(maddr->domain));
106 + }
107 +
108 ++ if (!valid_domainpart(maddr->domain))
109 ++ return (0);
110 ++
111 + return (1);
112 + }
113 +
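Review bot: The new downgrade condition in mta_session.c, `if (s->state == MTA_STARTTLS && s->use_smtp_tls)`, replaces the old `!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))` guard, so whether a relay configured for mandatory TLS can still be downgraded to plaintext after a failed STARTTLS now rests entirely on `use_smtp_tls` never being set alongside those flags; where that field is assigned is outside this patch, so please confirm it is exclusive with the forced modes in the 6.0.3 tree this is backported to, or keep the flag test as a belt-and-braces guard: `if (s->state == MTA_STARTTLS && s->use_smtp_tls && !(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {`. The merged `IO_ERROR`/`IO_TLSERROR` case also drops the `!s->ready` branch that re-called `mta_connect()` on a pre-greeting IO error, so connect-time failures now always go through `mta_error()` and `mta_free()`; that is presumably intended, but it is a behaviour change for multi-address failover that the commit message does not describe and would be worth a line in the patch header. In smtp_session.c the reordering is the right fix (the local part is now validated on the no-domain path as well), but note that `valid_domainpart()` now also runs against the daemon's own `domain` after the `strlcpy`, which would reject every local recipient if that configured name failed the check, so a comment such as `/* local domain is validated too: a bad configured domain now rejects local mail */` would save the next backporter a surprise. Both enclosing functions start and end outside this hunk.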
114
115 diff --git a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
116 similarity index 96%
117 rename from mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild
118 rename to mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
119 index bd087d961d5..bed05258e9c 100644
120 --- a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild
121 +++ b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
122 @@ -1,4 +1,4 @@
123 -# Copyright 1999-2019 Gentoo Authors
124 +# Copyright 1999-2020 Gentoo Authors
125 # Distributed under the terms of the GNU General Public License v2
126
127 EAPI=7
128 @@ -42,6 +42,7 @@ S=${WORKDIR}/${P/_}
129 PATCHES=(
130 "${FILESDIR}/${P}-fix-crash-on-auth.patch"
131 "${FILESDIR}/${P}-openssl_1.1.patch"
132 + "${FILESDIR}/${P}-security-fixes.patch"
133 )
134
135 src_configure() {