Diffstat (limited to 'network/opensmtpd')
-rw-r--r--network/opensmtpd/aliases34
-rw-r--r--network/opensmtpd/fix-crash-on-authentication.patch43
-rw-r--r--network/opensmtpd/openbsd64-020-smtpd.patch31
-rw-r--r--network/opensmtpd/openbsd65-029-smptd-tls.patch52
-rw-r--r--network/opensmtpd/openbsd65-031-smtpd-envelope.patch199
-rw-r--r--network/opensmtpd/openbsd66-019-smtpd-exec.patch46
-rw-r--r--network/opensmtpd/opensmtpd.SlackBuild31
-rw-r--r--network/opensmtpd/opensmtpd.info6
8 files changed, 44 insertions, 398 deletions
diff --git a/network/opensmtpd/aliases b/network/opensmtpd/aliases
index ea54878974..85cc8e71ac 100644
--- a/network/opensmtpd/aliases
+++ b/network/opensmtpd/aliases
@@ -1,23 +1,49 @@
-# See aliases(5) for more information
+# Sample aliases file installed in /etc/opensmtpd/aliases
+#
+# Aliases in this file will NOT be expanded in the header from
+# Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
+#
+# >>>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to smtpd.
+#
+
+# Person who should get root's mail. Don't receive mail as root!
+#root: you
# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts
-bin: root
daemon: root
named: root
-nobody: root
uucp: root
www: root
ftp-bugs: root
+# Redirections for pseudo accounts that should not receive mail
+bin: /dev/null
+build: /dev/null
+nobody: /dev/null
+sshd: /dev/null
+
# Well-known aliases
manager: root
dumper: root
operator: root
-abuse: postmaster
+
+# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
+abuse: root
+# noc: root
+security: root
+
+# RFC 2142: SUPPORT MAILBOX NAMES FOR SPECIFIC INTERNET SERVICES
+# hostmaster: root
+# usenet: root
+# news: usenet
+# webmaster: root
+# ftp: root
# trap decode to catch security attacks
decode: root
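Review bot: The new header says `newaliases` must be run before changes reach smtpd, but whether that is true depends on how the aliases table is declared in smtpd.conf, which this hunk does not show. If the packaged config reads this file as a flat-file table, the instruction is likely misleading, and the `/usr/libexec/mail.local` path looks inherited from the OpenBSD sample rather than checked against this package. Separately, `#root: you` ships commented out while `abuse:` and the new `security:` both resolve to root, so reports sent to those RFC 2142 addresses land in root's local mailbox unless the administrator edits the file. A comment above that line such as `# Uncomment and set to a real user: abuse and security below resolve to root` would make the required step explicit.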
diff --git a/network/opensmtpd/fix-crash-on-authentication.patch b/network/opensmtpd/fix-crash-on-authentication.patch
deleted file mode 100644
index c20b5e0a0e..0000000000
--- a/network/opensmtpd/fix-crash-on-authentication.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9b5f70b93e038df5446bd37a4adac5a0380748e7 Mon Sep 17 00:00:00 2001
-From: johannes <johannes.brechtmann@gmail.com>
-Date: Wed, 21 Feb 2018 23:57:11 +0100
-Subject: [PATCH] crypt_checkpass: include HAVE_CRYPT_H definition, add NULL
- check
-
----
- openbsd-compat/crypt_checkpass.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/openbsd-compat/crypt_checkpass.c b/openbsd-compat/crypt_checkpass.c
-index dafd2dae..d10b3a57 100644
---- a/openbsd-compat/crypt_checkpass.c
-+++ b/openbsd-compat/crypt_checkpass.c
-@@ -1,5 +1,6 @@
- /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */
-
-+#include "includes.h"
- #include <errno.h>
- #ifdef HAVE_CRYPT_H
- #include <crypt.h>
-@@ -10,6 +11,8 @@
- int
- crypt_checkpass(const char *pass, const char *goodhash)
- {
-+ char *c;
-+
- if (goodhash == NULL)
- goto fail;
-
-@@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash)
- if (strlen(goodhash) == 0 && strlen(pass) == 0)
- return 0;
-
-- if (strcmp(crypt(pass, goodhash), goodhash) == 0)
-+ c = crypt(pass, goodhash);
-+ if (c == NULL)
-+ goto fail;
-+
-+ if (strcmp(c, goodhash) == 0)
- return 0;
-
- fail:
diff --git a/network/opensmtpd/openbsd64-020-smtpd.patch b/network/opensmtpd/openbsd64-020-smtpd.patch
deleted file mode 100644
index 8ce7178da8..0000000000
--- a/network/opensmtpd/openbsd64-020-smtpd.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-OpenBSD 6.4 errata 020, August 2, 2019
-
-smtpd can crash on excessively large input, causing a denial of service.
-
---- a/smtpd/smtp_session.c 3 Sep 2018 19:01:29 -0000 1.337
-+++ b/smtpd/smtp_session.c 1 Aug 2019 21:18:53 -0000
-@@ -1904,15 +1904,21 @@ smtp_reply(struct smtp_session *s, char
- {
- va_list ap;
- int n;
-- char buf[LINE_MAX], tmp[LINE_MAX];
-+ char buf[LINE_MAX*2], tmp[LINE_MAX*2];
-
- va_start(ap, fmt);
- n = vsnprintf(buf, sizeof buf, fmt, ap);
- va_end(ap);
-- if (n == -1 || n >= LINE_MAX)
-- fatalx("smtp_reply: line too long");
-+ if (n < 0)
-+ fatalx("smtp_reply: response format error");
- if (n < 4)
- fatalx("smtp_reply: response too short");
-+ if (n >= (int)sizeof buf) {
-+ /* only first three bytes are used by SMTP logic,
-+ * so if _our_ reply does not fit entirely in the
-+ * buffer, it's ok to truncate.
-+ */
-+ }
-
- log_trace(TRACE_SMTP, "smtp: %p: >>> %s", s, buf);
-
diff --git a/network/opensmtpd/openbsd65-029-smptd-tls.patch b/network/opensmtpd/openbsd65-029-smptd-tls.patch
deleted file mode 100644
index a2727decf8..0000000000
--- a/network/opensmtpd/openbsd65-029-smptd-tls.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-OpenBSD 6.5 errata 029, January 30, 2020:
-
-smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
-
---- usr.sbin/smtpd/mta_session.c 23 Dec 2018 16:37:53 -0000 1.115
-+++ usr.sbin/smtpd/mta_session.c 20 Jan 2020 10:36:58 -0000
-@@ -1292,40 +1292,20 @@ mta_io(struct io *io, int evt, void *arg
- break;
-
- case IO_ERROR:
-+ case IO_TLSERROR:
- log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
-- if (!s->ready) {
-- mta_error(s, "IO Error: %s", io_error(io));
-- mta_connect(s);
-- break;
-- }
-- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
-- /* error in non-strict SSL negotiation, downgrade to plain */
-- if (s->flags & MTA_TLS) {
-- log_info("smtp-out: Error on session %016"PRIx64
-- ": opportunistic TLS failed, "
-- "downgrading to plain", s->id);
-- s->flags &= ~MTA_TLS;
-- s->flags |= MTA_DOWNGRADE_PLAIN;
-- mta_connect(s);
-- break;
-- }
-- }
-- mta_error(s, "IO Error: %s", io_error(io));
-- mta_free(s);
-- break;
-
-- case IO_TLSERROR:
-- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
-- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
-+ if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
- /* error in non-strict SSL negotiation, downgrade to plain */
-- log_info("smtp-out: TLS Error on session %016"PRIx64
-- ": TLS failed, "
-+ log_info("smtp-out: Error on session %016"PRIx64
-+ ": opportunistic TLS failed, "
- "downgrading to plain", s->id);
- s->flags &= ~MTA_TLS;
- s->flags |= MTA_DOWNGRADE_PLAIN;
- mta_connect(s);
- break;
- }
-+
- mta_error(s, "IO Error: %s", io_error(io));
- mta_free(s);
- break;
diff --git a/network/opensmtpd/openbsd65-031-smtpd-envelope.patch b/network/opensmtpd/openbsd65-031-smtpd-envelope.patch
deleted file mode 100644
index cd59f1d6fa..0000000000
--- a/network/opensmtpd/openbsd65-031-smtpd-envelope.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-OpenBSD 6.5 errata 031, February 24, 2020:
-
-An out of bounds read in smtpd allows an attacker to inject arbitrary
-commands into the envelope file which are then executed as root.
-Separately, missing privilege revocation in smtpctl allows arbitrary
-commands to be run with the _smtpq group.
-
---- a/smtpd/makemap.c.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/makemap.c 2020-02-24 15:41:18.278340410 -0800
-@@ -105,8 +105,13 @@ makemap(int prog_mode, int argc, char *a
- int ch, dbputs = 0, Uflag = 0;
- DBTYPE dbtype = DB_HASH;
- char *p;
-+ gid_t gid;
- int fd = -1;
-
-+ gid = getgid();
-+ if (setresgid(gid, gid, gid) == -1)
-+ err(1, "setresgid");
-+
- log_init(1, LOG_MAIL);
-
- mode = prog_mode;
-@@ -180,9 +185,9 @@ makemap(int prog_mode, int argc, char *a
- errx(1, "database name too long");
- }
-
-- execlp("makemap", "makemap", "-d", argv[0], "-o", dbname, "-",
-- (char *)NULL);
-- err(1, "execlp");
-+ execl(PATH_MAKEMAP, "makemap", "-d", argv[0], "-o", dbname,
-+ "-", (char *)NULL);
-+ err(1, "execl");
- }
-
- if (mode == P_NEWALIASES) {
---- a/smtpd/mta_session.c.orig 2020-02-08 10:24:17.692029666 -0800
-+++ b/smtpd/mta_session.c 2020-02-24 15:46:46.121342818 -0800
-@@ -1214,7 +1214,7 @@ mta_io(struct io *io, int evt, void *arg
- if (cont) {
- if (s->replybuf[0] == '\0')
- (void)strlcat(s->replybuf, line, sizeof s->replybuf);
-- else {
-+ else if (len > 4) {
- line = line + 4;
- if (isdigit((int)*line) && *(line + 1) == '.' &&
- isdigit((int)*line+2) && *(line + 3) == '.' &&
-@@ -1229,7 +1229,9 @@ mta_io(struct io *io, int evt, void *arg
- /* last line of a reply, check if we're on a continuation to parse out status and ESC.
- * if we overflow reply buffer or are not on continuation, log entire last line.
- */
-- if (s->replybuf[0] != '\0') {
-+ if (s->replybuf[0] == '\0')
-+ (void)strlcat(s->replybuf, line, sizeof s->replybuf);
-+ else if (len > 4) {
- p = line + 4;
- if (isdigit((int)*p) && *(p + 1) == '.' &&
- isdigit((int)*p+2) && *(p + 3) == '.' &&
-@@ -1238,8 +1240,6 @@ mta_io(struct io *io, int evt, void *arg
- if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf)
- (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
- }
-- else
-- (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
-
- if (s->state == MTA_QUIT) {
- log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu",
---- a/smtpd/smtpctl.c.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpctl.c 2020-02-24 14:57:04.687320914 -0800
-@@ -1116,7 +1116,7 @@ sendmail_compat(int argc, char **argv)
- */
- for (i = 1; i < argc; i++)
- if (strncmp(argv[i], "-bi", 3) == 0)
-- exit(makemap(P_NEWALIASES, argc, argv));
-+ exit(makemap(P_SENDMAIL, argc, argv));
-
- if (!srv_connect())
- offlinefp = offline_file();
---- a/smtpd/smtpd-defines.h.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpd-defines.h 2020-02-24 15:00:29.616322420 -0800
-@@ -46,6 +46,9 @@
- #ifndef PATH_SPOOL
- #define PATH_SPOOL "/var/spool/smtpd"
- #endif
-+#ifndef PATH_MAKEUP
-+#define PATH_MAKEMAP "/usr/sbin/makemap"
-+#endif
-
- #define SUBADDRESSING_DELIMITER "+"
-
---- a/smtpd/smtpd.c.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpd.c 2020-02-24 15:55:55.503346854 -0800
-@@ -109,9 +109,10 @@ static struct mproc *setup_peer(enum smt
- static int imsg_wait(struct imsgbuf *, struct imsg *, int);
-
- static void offline_scan(int, short, void *);
--static int offline_add(char *);
-+static int offline_add(char *, uid_t, gid_t);
- static void offline_done(void);
--static int offline_enqueue(char *);
-+static int offline_enqueue(char *, uid_t, gid_t);
-+
-
- static void purge_task(void);
- static int parent_auth_user(const char *, const char *);
-@@ -136,6 +137,8 @@ struct child {
-
- struct offline {
- TAILQ_ENTRY(offline) entry;
-+ uid_t uid;
-+ gid_t gid;
- char *path;
- };
-
-@@ -1409,7 +1412,8 @@ offline_scan(int fd, short ev, void *arg
- continue;
- }
-
-- if (offline_add(e->fts_name)) {
-+ if (offline_add(e->fts_name, e->fts_statp->st_uid,
-+ e->fts_statp->st_gid)) {
- log_warnx("warn: smtpd: "
- "could not add offline message %s", e->fts_name);
- continue;
-@@ -1429,7 +1433,7 @@ offline_scan(int fd, short ev, void *arg
- }
-
- static int
--offline_enqueue(char *name)
-+offline_enqueue(char *name, uid_t uid, gid_t gid)
- {
- char *path;
- struct stat sb;
-@@ -1491,6 +1495,18 @@ offline_enqueue(char *name)
- _exit(1);
- }
-
-+ if (sb.st_uid != uid) {
-+ log_warnx("warn: smtpd: file %s has bad uid %d",
-+ path, sb.st_uid);
-+ _exit(1);
-+ }
-+
-+ if (sb.st_gid != gid) {
-+ log_warnx("warn: smtpd: file %s has bad gid %d",
-+ path, sb.st_gid);
-+ _exit(1);
-+ }
-+
- pw = getpwuid(sb.st_uid);
- if (pw == NULL) {
- log_warnx("warn: smtpd: getpwuid for uid %d failed",
-@@ -1547,17 +1563,19 @@ offline_enqueue(char *name)
- }
-
- static int
--offline_add(char *path)
-+offline_add(char *path, uid_t uid, gid_t gid)
- {
- struct offline *q;
-
- if (offline_running < OFFLINE_QUEUEMAX)
- /* skip queue */
-- return offline_enqueue(path);
-+ return offline_enqueue(path, uid, gid);
-
- q = malloc(sizeof(*q) + strlen(path) + 1);
- if (q == NULL)
- return (-1);
-+ q->uid = uid;
-+ q->gid = gid;
- q->path = (char *)q + sizeof(*q);
- memmove(q->path, path, strlen(path) + 1);
- TAILQ_INSERT_TAIL(&offline_q, q, entry);
-@@ -1576,7 +1594,8 @@ offline_done(void)
- if ((q = TAILQ_FIRST(&offline_q)) == NULL)
- break; /* all done */
- TAILQ_REMOVE(&offline_q, q, entry);
-- offline_enqueue(q->path);
-+ offline_enqueue(q->path, q->uid, q->gid);
-+
- free(q);
- }
- }
---- a/smtpd/smtpd.h.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpd.h 2020-02-24 15:20:09.043331085 -0800
-@@ -128,8 +128,10 @@
- #define MTA_EXT_DSN 0x400
-
-
--#define P_NEWALIASES 0
--#define P_MAKEMAP 1
-+#define P_SENDMAIL 0
-+#define P_NEWALIASES 1
-+#define P_MAKEMAP 2
-+
-
- struct userinfo {
- char username[SMTPD_VUSERNAME_SIZE];
diff --git a/network/opensmtpd/openbsd66-019-smtpd-exec.patch b/network/opensmtpd/openbsd66-019-smtpd-exec.patch
deleted file mode 100644
index 93ce19dcb1..0000000000
--- a/network/opensmtpd/openbsd66-019-smtpd-exec.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-OpenBSD 6.6 errata 019, January 30, 2020:
-
-An incorrect check allows an attacker to trick mbox delivery into executing
-arbitrary commands as root and lmtp delivery into executing arbitrary commands
-as an unprivileged user.
-
---- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415
-+++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000
-@@ -2012,24 +2012,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch
- memmove(maddr->user, p, strlen(p) + 1);
- }
-
-- if (!valid_localpart(maddr->user) ||
-- !valid_domainpart(maddr->domain)) {
-- /* accept empty return-path in MAIL FROM, required for bounces */
-- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-- return (1);
-+ /* accept empty return-path in MAIL FROM, required for bounces */
-+ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-+ return (1);
-
-- /* no user-part, reject */
-- if (maddr->user[0] == '\0')
-- return (0);
--
-- /* no domain, local user */
-- if (maddr->domain[0] == '\0') {
-- (void)strlcpy(maddr->domain, domain,
-- sizeof(maddr->domain));
-- return (1);
-- }
-+ /* no or invalid user-part, reject */
-+ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
- return (0);
-+
-+ /* no domain part, local user */
-+ if (maddr->domain[0] == '\0') {
-+ (void)strlcpy(maddr->domain, domain,
-+ sizeof(maddr->domain));
- }
-+
-+ if (!valid_domainpart(maddr->domain))
-+ return (0);
-
- return (1);
- }
diff --git a/network/opensmtpd/opensmtpd.SlackBuild b/network/opensmtpd/opensmtpd.SlackBuild
index 54a4f8e4cf..afda7fedc1 100644
--- a/network/opensmtpd/opensmtpd.SlackBuild
+++ b/network/opensmtpd/opensmtpd.SlackBuild
@@ -24,8 +24,8 @@
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PRGNAM=opensmtpd
-VERSION=${VERSION:-6.0.3p1}
-BUILD=${BUILD:-6}
+VERSION=${VERSION:-6.6.4p1}
+BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
if [ -z "$ARCH" ]; then
@@ -92,21 +92,6 @@ find -L . \
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
-# fix reply buffer overflow
-cat $CWD/openbsd64-020-smtpd.patch | patch -p1
-
-# fix tls downgrade
-cat $CWD/openbsd65-029-smptd-tls.patch | patch -p1
-
-# fix exec
-cat $CWD/openbsd66-019-smtpd-exec.patch | patch -p1
-
-# check null from crypt function
-cat $CWD/fix-crash-on-authentication.patch | patch -p1
-
-# fix smtpctl envelop
-cat $CWD/openbsd65-031-smtpd-envelope.patch | patch -p1
-
CFLAGS="$SLKCFLAGS -D_DEFAULT_SOURCE" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
@@ -150,10 +135,16 @@ ln -s smtpctl $PKG/usr/sbin/makemap
mkdir -p $PKG/etc/rc.d
cat $CWD/rc.opensmtpd > $PKG/etc/rc.d/rc.opensmtpd.new
-# Don't clobber the config file
+# copy original smtpd.conf file
+cp -p $PKG/etc/opensmtpd/smtpd.conf $PKG/etc/opensmtpd/smtpd.conf.upstream.default
+
+# Don't clobber the existing config file
mv $PKG/etc/opensmtpd/smtpd.conf $PKG/etc/opensmtpd/smtpd.conf.new
# and reflect the correct path to aliases file
-sed -i "s,/etc/mail/,/etc/opensmtpd/,g" $PKG/etc/opensmtpd/smtpd.conf.new
+# and use mbox instead of maildir
+sed -i -e "s,/etc/mail/,/etc/opensmtpd/,g" \
+ -e "s,maildir alias,mbox alias,g" \
+ $PKG/etc/opensmtpd/smtpd.conf.new
# Create (but don't clobber) the aliases file
cat $CWD/aliases > $PKG/etc/opensmtpd/aliases.new
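Review bot: The second sed expression, `-e "s,maildir alias,mbox alias,g"`, matches nothing if the upstream default smtpd.conf ever words its delivery action differently, and the build would then ship maildir delivery while the comment says mbox. A check after the sed, for example `grep -q "mbox alias" $PKG/etc/opensmtpd/smtpd.conf.new || exit 1`, would make that failure visible at build time. The switch also deserves a stated reason: the errata text in the openbsd66-019 patch removed by this same commit names mbox delivery as the path that executed commands as root, so mbox delivery presumably runs with more privilege than maildir, and the comment should say why it is preferred here. Because `cp -p` runs before the sed, `smtpd.conf.upstream.default` still points at `/etc/mail/`; that is consistent with its name, but a comment marking it as reference-only would stop it being copied into place as-is.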
@@ -176,7 +167,7 @@ find $PKG/usr/man -type f -exec gzip -9 {} \;
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
-cp -a INSTALL LICENSE README.md THANKS $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a INSTALL LICENSE README.md $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.slackware
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
diff --git a/network/opensmtpd/opensmtpd.info b/network/opensmtpd/opensmtpd.info
index 0930880299..b8753bc31d 100644
--- a/network/opensmtpd/opensmtpd.info
+++ b/network/opensmtpd/opensmtpd.info
@@ -1,8 +1,8 @@
PRGNAM="opensmtpd"
-VERSION="6.0.3p1"
+VERSION="6.6.4p1"
HOMEPAGE="https://www.opensmtpd.org/"
-DOWNLOAD="https://www.opensmtpd.org/archives/opensmtpd-6.0.3p1.tar.gz"
-MD5SUM="66e496bb0f3303d660744f4fa2178765"
+DOWNLOAD="https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.tar.gz"
+MD5SUM="4744943277f9a6dc942e7560dbdb5643"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES="libasr"