diff options
Diffstat (limited to 'network/opensmtpd/openbsd65-031-smtpd-envelope.patch')
| -rw-r--r-- | network/opensmtpd/openbsd65-031-smtpd-envelope.patch | 199 |
1 files changed, 0 insertions, 199 deletions
diff --git a/network/opensmtpd/openbsd65-031-smtpd-envelope.patch b/network/opensmtpd/openbsd65-031-smtpd-envelope.patch deleted file mode 100644 index cd59f1d6fa74b..0000000000000 --- a/network/opensmtpd/openbsd65-031-smtpd-envelope.patch +++ /dev/null @@ -1,199 +0,0 @@ -OpenBSD 6.5 errata 031, February 24, 2020: - -An out of bounds read in smtpd allows an attacker to inject arbitrary -commands into the envelope file which are then executed as root. -Separately, missing privilege revocation in smtpctl allows arbitrary -commands to be run with the _smtpq group. - ---- a/smtpd/makemap.c.orig 2018-01-10 05:06:40.000000000 -0800 -+++ b/smtpd/makemap.c 2020-02-24 15:41:18.278340410 -0800 -@@ -105,8 +105,13 @@ makemap(int prog_mode, int argc, char *a - int ch, dbputs = 0, Uflag = 0; - DBTYPE dbtype = DB_HASH; - char *p; -+ gid_t gid; - int fd = -1; - -+ gid = getgid(); -+ if (setresgid(gid, gid, gid) == -1) -+ err(1, "setresgid"); -+ - log_init(1, LOG_MAIL); - - mode = prog_mode; -@@ -180,9 +185,9 @@ makemap(int prog_mode, int argc, char *a - errx(1, "database name too long"); - } - -- execlp("makemap", "makemap", "-d", argv[0], "-o", dbname, "-", -- (char *)NULL); -- err(1, "execlp"); -+ execl(PATH_MAKEMAP, "makemap", "-d", argv[0], "-o", dbname, -+ "-", (char *)NULL); -+ err(1, "execl"); - } - - if (mode == P_NEWALIASES) { ---- a/smtpd/mta_session.c.orig 2020-02-08 10:24:17.692029666 -0800 -+++ b/smtpd/mta_session.c 2020-02-24 15:46:46.121342818 -0800 -@@ -1214,7 +1214,7 @@ mta_io(struct io *io, int evt, void *arg - if (cont) { - if (s->replybuf[0] == '\0') - (void)strlcat(s->replybuf, line, sizeof s->replybuf); -- else { -+ else if (len > 4) { - line = line + 4; - if (isdigit((int)*line) && *(line + 1) == '.' && - isdigit((int)*line+2) && *(line + 3) == '.' && -@@ -1229,7 +1229,9 @@ mta_io(struct io *io, int evt, void *arg - /* last line of a reply, check if we're on a continuation to parse out status and ESC. - * if we overflow reply buffer or are not on continuation, log entire last line. - */ -- if (s->replybuf[0] != '\0') { -+ if (s->replybuf[0] == '\0') -+ (void)strlcat(s->replybuf, line, sizeof s->replybuf); -+ else if (len > 4) { - p = line + 4; - if (isdigit((int)*p) && *(p + 1) == '.' && - isdigit((int)*p+2) && *(p + 3) == '.' && -@@ -1238,8 +1240,6 @@ mta_io(struct io *io, int evt, void *arg - if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf) - (void)strlcpy(s->replybuf, line, sizeof s->replybuf); - } -- else -- (void)strlcpy(s->replybuf, line, sizeof s->replybuf); - - if (s->state == MTA_QUIT) { - log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu", ---- a/smtpd/smtpctl.c.orig 2018-01-10 05:06:40.000000000 -0800 -+++ b/smtpd/smtpctl.c 2020-02-24 14:57:04.687320914 -0800 -@@ -1116,7 +1116,7 @@ sendmail_compat(int argc, char **argv) - */ - for (i = 1; i < argc; i++) - if (strncmp(argv[i], "-bi", 3) == 0) -- exit(makemap(P_NEWALIASES, argc, argv)); -+ exit(makemap(P_SENDMAIL, argc, argv)); - - if (!srv_connect()) - offlinefp = offline_file(); ---- a/smtpd/smtpd-defines.h.orig 2018-01-10 05:06:40.000000000 -0800 -+++ b/smtpd/smtpd-defines.h 2020-02-24 15:00:29.616322420 -0800 -@@ -46,6 +46,9 @@ - #ifndef PATH_SPOOL - #define PATH_SPOOL "/var/spool/smtpd" - #endif -+#ifndef PATH_MAKEUP -+#define PATH_MAKEMAP "/usr/sbin/makemap" -+#endif - - #define SUBADDRESSING_DELIMITER "+" - ---- a/smtpd/smtpd.c.orig 2018-01-10 05:06:40.000000000 -0800 -+++ b/smtpd/smtpd.c 2020-02-24 15:55:55.503346854 -0800 -@@ -109,9 +109,10 @@ static struct mproc *setup_peer(enum smt - static int imsg_wait(struct imsgbuf *, struct imsg *, int); - - static void offline_scan(int, short, void *); --static int offline_add(char *); -+static int offline_add(char *, uid_t, gid_t); - static void offline_done(void); --static int offline_enqueue(char *); -+static int offline_enqueue(char *, uid_t, gid_t); -+ - - static void purge_task(void); - static int parent_auth_user(const char *, const char *); -@@ -136,6 +137,8 @@ struct child { - - struct offline { - TAILQ_ENTRY(offline) entry; -+ uid_t uid; -+ gid_t gid; - char *path; - }; - -@@ -1409,7 +1412,8 @@ offline_scan(int fd, short ev, void *arg - continue; - } - -- if (offline_add(e->fts_name)) { -+ if (offline_add(e->fts_name, e->fts_statp->st_uid, -+ e->fts_statp->st_gid)) { - log_warnx("warn: smtpd: " - "could not add offline message %s", e->fts_name); - continue; -@@ -1429,7 +1433,7 @@ offline_scan(int fd, short ev, void *arg - } - - static int --offline_enqueue(char *name) -+offline_enqueue(char *name, uid_t uid, gid_t gid) - { - char *path; - struct stat sb; -@@ -1491,6 +1495,18 @@ offline_enqueue(char *name) - _exit(1); - } - -+ if (sb.st_uid != uid) { -+ log_warnx("warn: smtpd: file %s has bad uid %d", -+ path, sb.st_uid); -+ _exit(1); -+ } -+ -+ if (sb.st_gid != gid) { -+ log_warnx("warn: smtpd: file %s has bad gid %d", -+ path, sb.st_gid); -+ _exit(1); -+ } -+ - pw = getpwuid(sb.st_uid); - if (pw == NULL) { - log_warnx("warn: smtpd: getpwuid for uid %d failed", -@@ -1547,17 +1563,19 @@ offline_enqueue(char *name) - } - - static int --offline_add(char *path) -+offline_add(char *path, uid_t uid, gid_t gid) - { - struct offline *q; - - if (offline_running < OFFLINE_QUEUEMAX) - /* skip queue */ -- return offline_enqueue(path); -+ return offline_enqueue(path, uid, gid); - - q = malloc(sizeof(*q) + strlen(path) + 1); - if (q == NULL) - return (-1); -+ q->uid = uid; -+ q->gid = gid; - q->path = (char *)q + sizeof(*q); - memmove(q->path, path, strlen(path) + 1); - TAILQ_INSERT_TAIL(&offline_q, q, entry); -@@ -1576,7 +1594,8 @@ offline_done(void) - if ((q = TAILQ_FIRST(&offline_q)) == NULL) - break; /* all done */ - TAILQ_REMOVE(&offline_q, q, entry); -- offline_enqueue(q->path); -+ offline_enqueue(q->path, q->uid, q->gid); -+ - free(q); - } - } ---- a/smtpd/smtpd.h.orig 2018-01-10 05:06:40.000000000 -0800 -+++ b/smtpd/smtpd.h 2020-02-24 15:20:09.043331085 -0800 -@@ -128,8 +128,10 @@ - #define MTA_EXT_DSN 0x400 - - --#define P_NEWALIASES 0 --#define P_MAKEMAP 1 -+#define P_SENDMAIL 0 -+#define P_NEWALIASES 1 -+#define P_MAKEMAP 2 -+ - - struct userinfo { - char username[SMTPD_VUSERNAME_SIZE]; |