diff options
-rw-r--r-- | network/opensmtpd/fix-crash-on-authentication.patch | 43 | ||||
-rw-r--r-- | network/opensmtpd/openbsd64-020-smtpd.patch | 31 | ||||
-rw-r--r-- | network/opensmtpd/openbsd65-029-smptd-tls.patch | 52 | ||||
-rw-r--r-- | network/opensmtpd/openbsd66-019-smtpd-exec.patch | 46 | ||||
-rw-r--r-- | network/opensmtpd/opensmtpd.SlackBuild | 18 | ||||
-rw-r--r-- | network/opensmtpd/opensmtpd.info | 6 |
6 files changed, 190 insertions, 6 deletions
diff --git a/network/opensmtpd/fix-crash-on-authentication.patch b/network/opensmtpd/fix-crash-on-authentication.patch new file mode 100644 index 000000000000..c20b5e0a0ef9 --- /dev/null +++ b/network/opensmtpd/fix-crash-on-authentication.patch @@ -0,0 +1,43 @@ +From 9b5f70b93e038df5446bd37a4adac5a0380748e7 Mon Sep 17 00:00:00 2001 +From: johannes <johannes.brechtmann@gmail.com> +Date: Wed, 21 Feb 2018 23:57:11 +0100 +Subject: [PATCH] crypt_checkpass: include HAVE_CRYPT_H definition, add NULL + check + +--- + openbsd-compat/crypt_checkpass.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/openbsd-compat/crypt_checkpass.c b/openbsd-compat/crypt_checkpass.c +index dafd2dae..d10b3a57 100644 +--- a/openbsd-compat/crypt_checkpass.c ++++ b/openbsd-compat/crypt_checkpass.c +@@ -1,5 +1,6 @@ + /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */ + ++#include "includes.h" + #include <errno.h> + #ifdef HAVE_CRYPT_H + #include <crypt.h> +@@ -10,6 +11,8 @@ + int + crypt_checkpass(const char *pass, const char *goodhash) + { ++ char *c; ++ + if (goodhash == NULL) + goto fail; + +@@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash) + if (strlen(goodhash) == 0 && strlen(pass) == 0) + return 0; + +- if (strcmp(crypt(pass, goodhash), goodhash) == 0) ++ c = crypt(pass, goodhash); ++ if (c == NULL) ++ goto fail; ++ ++ if (strcmp(c, goodhash) == 0) + return 0; + + fail: diff --git a/network/opensmtpd/openbsd64-020-smtpd.patch b/network/opensmtpd/openbsd64-020-smtpd.patch new file mode 100644 index 000000000000..8ce7178da8b1 --- /dev/null +++ b/network/opensmtpd/openbsd64-020-smtpd.patch @@ -0,0 +1,31 @@ +OpenBSD 6.4 errata 020, August 2, 2019 + +smtpd can crash on excessively large input, causing a denial of service. + +--- a/smtpd/smtp_session.c 3 Sep 2018 19:01:29 -0000 1.337 ++++ b/smtpd/smtp_session.c 1 Aug 2019 21:18:53 -0000 +@@ -1904,15 +1904,21 @@ smtp_reply(struct smtp_session *s, char + { + va_list ap; + int n; +- char buf[LINE_MAX], tmp[LINE_MAX]; ++ char buf[LINE_MAX*2], tmp[LINE_MAX*2]; + + va_start(ap, fmt); + n = vsnprintf(buf, sizeof buf, fmt, ap); + va_end(ap); +- if (n == -1 || n >= LINE_MAX) +- fatalx("smtp_reply: line too long"); ++ if (n < 0) ++ fatalx("smtp_reply: response format error"); + if (n < 4) + fatalx("smtp_reply: response too short"); ++ if (n >= (int)sizeof buf) { ++ /* only first three bytes are used by SMTP logic, ++ * so if _our_ reply does not fit entirely in the ++ * buffer, it's ok to truncate. ++ */ ++ } + + log_trace(TRACE_SMTP, "smtp: %p: >>> %s", s, buf); + diff --git a/network/opensmtpd/openbsd65-029-smptd-tls.patch b/network/opensmtpd/openbsd65-029-smptd-tls.patch new file mode 100644 index 000000000000..a2727decf8f7 --- /dev/null +++ b/network/opensmtpd/openbsd65-029-smptd-tls.patch @@ -0,0 +1,52 @@ +OpenBSD 6.5 errata 029, January 30, 2020: + +smtpd can crash on opportunistic TLS downgrade, causing a denial of service. + +--- usr.sbin/smtpd/mta_session.c 23 Dec 2018 16:37:53 -0000 1.115 ++++ usr.sbin/smtpd/mta_session.c 20 Jan 2020 10:36:58 -0000 +@@ -1292,40 +1292,20 @@ mta_io(struct io *io, int evt, void *arg + break; + + case IO_ERROR: ++ case IO_TLSERROR: + log_debug("debug: mta: %p: IO error: %s", s, io_error(io)); +- if (!s->ready) { +- mta_error(s, "IO Error: %s", io_error(io)); +- mta_connect(s); +- break; +- } +- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { +- /* error in non-strict SSL negotiation, downgrade to plain */ +- if (s->flags & MTA_TLS) { +- log_info("smtp-out: Error on session %016"PRIx64 +- ": opportunistic TLS failed, " +- "downgrading to plain", s->id); +- s->flags &= ~MTA_TLS; +- s->flags |= MTA_DOWNGRADE_PLAIN; +- mta_connect(s); +- break; +- } +- } +- mta_error(s, "IO Error: %s", io_error(io)); +- mta_free(s); +- break; + +- case IO_TLSERROR: +- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io)); +- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { ++ if (s->state == MTA_STARTTLS && s->use_smtp_tls) { + /* error in non-strict SSL negotiation, downgrade to plain */ +- log_info("smtp-out: TLS Error on session %016"PRIx64 +- ": TLS failed, " ++ log_info("smtp-out: Error on session %016"PRIx64 ++ ": opportunistic TLS failed, " + "downgrading to plain", s->id); + s->flags &= ~MTA_TLS; + s->flags |= MTA_DOWNGRADE_PLAIN; + mta_connect(s); + break; + } ++ + mta_error(s, "IO Error: %s", io_error(io)); + mta_free(s); + break; diff --git a/network/opensmtpd/openbsd66-019-smtpd-exec.patch b/network/opensmtpd/openbsd66-019-smtpd-exec.patch new file mode 100644 index 000000000000..93ce19dcb170 --- /dev/null +++ b/network/opensmtpd/openbsd66-019-smtpd-exec.patch @@ -0,0 +1,46 @@ +OpenBSD 6.6 errata 019, January 30, 2020: + +An incorrect check allows an attacker to trick mbox delivery into executing +arbitrary commands as root and lmtp delivery into executing arbitrary commands +as an unprivileged user. + +--- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415 ++++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000 +@@ -2012,24 +2012,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch + memmove(maddr->user, p, strlen(p) + 1); + } + +- if (!valid_localpart(maddr->user) || +- !valid_domainpart(maddr->domain)) { +- /* accept empty return-path in MAIL FROM, required for bounces */ +- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') +- return (1); ++ /* accept empty return-path in MAIL FROM, required for bounces */ ++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') ++ return (1); + +- /* no user-part, reject */ +- if (maddr->user[0] == '\0') +- return (0); +- +- /* no domain, local user */ +- if (maddr->domain[0] == '\0') { +- (void)strlcpy(maddr->domain, domain, +- sizeof(maddr->domain)); +- return (1); +- } ++ /* no or invalid user-part, reject */ ++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user)) + return (0); ++ ++ /* no domain part, local user */ ++ if (maddr->domain[0] == '\0') { ++ (void)strlcpy(maddr->domain, domain, ++ sizeof(maddr->domain)); + } ++ ++ if (!valid_domainpart(maddr->domain)) ++ return (0); + + return (1); + } diff --git a/network/opensmtpd/opensmtpd.SlackBuild b/network/opensmtpd/opensmtpd.SlackBuild index c1dfd8d7d696..052a1fcf0373 100644 --- a/network/opensmtpd/opensmtpd.SlackBuild +++ b/network/opensmtpd/opensmtpd.SlackBuild @@ -24,8 +24,8 @@ # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PRGNAM=opensmtpd -VERSION=${VERSION:-6.6.2p1} -BUILD=${BUILD:-1} +VERSION=${VERSION:-6.0.3p1} +BUILD=${BUILD:-5} TAG=${TAG:-_SBo} if [ -z "$ARCH" ]; then @@ -92,6 +92,18 @@ find -L . \ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; +# fix reply buffer overflow +cat $CWD/openbsd64-020-smtpd.patch | patch -p1 + +# fix tls downgrade +cat $CWD/openbsd65-029-smptd-tls.patch | patch -p1 + +# fix exec +cat $CWD/openbsd66-019-smtpd-exec.patch | patch -p1 + +# check null from crypt function +cat $CWD/fix-crash-on-authentication.patch | patch -p1 + CFLAGS="$SLKCFLAGS -D_DEFAULT_SOURCE" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ @@ -161,7 +173,7 @@ find $PKG/usr/man -type f -exec gzip -9 {} \; for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION -cp -a INSTALL LICENSE README.md $PKG/usr/doc/$PRGNAM-$VERSION +cp -a INSTALL LICENSE README.md THANKS $PKG/usr/doc/$PRGNAM-$VERSION cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.slackware cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild diff --git a/network/opensmtpd/opensmtpd.info b/network/opensmtpd/opensmtpd.info index 4254ccf7364c..093088029945 100644 --- a/network/opensmtpd/opensmtpd.info +++ b/network/opensmtpd/opensmtpd.info @@ -1,8 +1,8 @@ PRGNAM="opensmtpd" -VERSION="6.6.2p1" +VERSION="6.0.3p1" HOMEPAGE="https://www.opensmtpd.org/" -DOWNLOAD="https://www.opensmtpd.org/archives/opensmtpd-6.6.2p1.tar.gz" -MD5SUM="bd29619f56c009a4eb4879304771822b" +DOWNLOAD="https://www.opensmtpd.org/archives/opensmtpd-6.0.3p1.tar.gz" +MD5SUM="66e496bb0f3303d660744f4fa2178765" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="libasr" |