From: "Jason A. Donenfeld" <zx2c4@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: mail-mta/opensmtpd/files/, mail-mta/opensmtpd/
Date: Wed, 29 Jan 2020 08:51:39 +0000 (UTC)	[thread overview]
Message-ID: <1580287886.fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c.zx2c4@gentoo> (raw)

commit:     fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 29 08:51:03 2020 +0000
Commit:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Wed Jan 29 08:51:26 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fabf7b6f

mail-mta/opensmtpd: revision bump backporting security fixes (smtp_mailaddr input validation and mta TLS/IO error handling)

Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Jason A. Donenfeld <zx2c4 <AT> gentoo.org>

 .../files/opensmtpd-6.0.3_p1-security-fixes.patch  | 91 ++++++++++++++++++++++
 ...3_p1-r1.ebuild => opensmtpd-6.0.3_p1-r2.ebuild} |  3 +-
 2 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
new file mode 100644
index 00000000000..58f3ed8c38b
--- /dev/null
+++ b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
@@ -0,0 +1,91 @@
+diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c
+--- OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c	2018-01-04 23:24:01.000000000 +0100
++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c	2020-01-29 09:47:24.607457717 +0100
+@@ -1290,40 +1290,20 @@
+ 		break;
+ 
+ 	case IO_ERROR:
++	case IO_TLSERROR:
+ 		log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
+-		if (!s->ready) {
+-			mta_error(s, "IO Error: %s", io_error(io));
+-			mta_connect(s);
+-			break;
+-		}
+-		else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
+-			/* error in non-strict SSL negotiation, downgrade to plain */
+-			if (s->flags & MTA_TLS) {
+-				log_info("smtp-out: Error on session %016"PRIx64
+-				    ": opportunistic TLS failed, "
+-				    "downgrading to plain", s->id);
+-				s->flags &= ~MTA_TLS;
+-				s->flags |= MTA_DOWNGRADE_PLAIN;
+-				mta_connect(s);
+-				break;
+-			}
+-		}
+-		mta_error(s, "IO Error: %s", io_error(io));
+-		mta_free(s);
+-		break;
+ 
+-	case IO_TLSERROR:
+-		log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
+-		if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
++		if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
+ 			/* error in non-strict SSL negotiation, downgrade to plain */
+-			log_info("smtp-out: TLS Error on session %016"PRIx64
+-			    ": TLS failed, "
++			log_info("smtp-out: Error on session %016"PRIx64
++			    ": opportunistic TLS failed, "
+ 			    "downgrading to plain", s->id);
+ 			s->flags &= ~MTA_TLS;
+ 			s->flags |= MTA_DOWNGRADE_PLAIN;
+ 			mta_connect(s);
+ 			break;
+ 		}
++
+ 		mta_error(s, "IO Error: %s", io_error(io));
+ 		mta_free(s);
+ 		break;
+diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c
+--- OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c	2018-01-04 23:24:01.000000000 +0100
++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c	2020-01-29 09:47:24.610791335 +0100
+@@ -2004,25 +2004,23 @@
+ 		memmove(maddr->user, p, strlen(p) + 1);
+ 	}
+ 
+-	if (!valid_localpart(maddr->user) ||
+-	    !valid_domainpart(maddr->domain)) {
+-		/* accept empty return-path in MAIL FROM, required for bounces */
+-		if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
+-			return (1);
++	/* accept empty return-path in MAIL FROM, required for bounces */
++	if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
++		return (1);
+ 
+-		/* no user-part, reject */
+-		if (maddr->user[0] == '\0')
+-			return (0);
+-
+-		/* no domain, local user */
+-		if (maddr->domain[0] == '\0') {
+-			(void)strlcpy(maddr->domain, domain,
+-			    sizeof(maddr->domain));
+-			return (1);
+-		}
++	/* no or invalid user-part, reject */
++	if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
+ 		return (0);
++
++	/* no domain part, local user */
++	if (maddr->domain[0] == '\0') {
++		(void)strlcpy(maddr->domain, domain,
++			sizeof(maddr->domain));
+ 	}
+ 
++	if (!valid_domainpart(maddr->domain))
++		return (0);
++
+ 	return (1);
+ }
+ 
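Review bot: In the new smtp_mailaddr body (smtp_session.c part of the added patch) the default-domain substitution still discards the strlcpy() result, and the new valid_domainpart() check that follows would then validate a silently truncated copy of the configured domain rather than rejecting it; `if (strlcpy(maddr->domain, domain, sizeof(maddr->domain)) >= sizeof(maddr->domain)) return (0);` closes that gap. The new ordering also changes behaviour for local users: the configured `domain` itself is now run through valid_domainpart() on every localpart-only sender, so a listen domain that fails that check would now reject local mail where it previously did not — worth a comment above the check, e.g. `/* the substituted default domain is validated too; an invalid listen domain rejects local senders */`. In the mta_session.c part, merging IO_ERROR into the IO_TLSERROR arm drops the old `if (!s->ready) mta_connect(s)` retry, so a pre-ready transport error now frees the session instead of reconnecting; if that is intended it deserves a one-line comment, and the patch also relies on `s->use_smtp_tls` already existing in 6.0.3's struct mta_session, which this patch does not add. Both enclosing functions (smtp_mailaddr and the mta_io switch) start outside their hunks.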

diff --git a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
similarity index 96%
rename from mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild
rename to mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
index bd087d961d5..bed05258e9c 100644
--- a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild
+++ b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -42,6 +42,7 @@ S=${WORKDIR}/${P/_}
 PATCHES=(
 	"${FILESDIR}/${P}-fix-crash-on-auth.patch"
 	"${FILESDIR}/${P}-openssl_1.1.patch"
+	"${FILESDIR}/${P}-security-fixes.patch"
 )
 
 src_configure() {

