diffstat of debian/ for exim4_4.76-3 exim4_4.76-3ubuntu3.4 changelog | 208 +++++++++++ control | 7 debconf/conf.d/main/02_exim4-config_options | 10 exim4-config.NEWS | 15 patches/71_increase_smtp_cmd_buffer_size.patch | 24 + patches/CVE-2012-5671.patch | 46 ++ patches/CVE-2014-2972.patch | 75 ++++ patches/CVE-2016-1531-2.patch | 53 ++ patches/CVE-2016-1531-3.patch | 101 +++++ patches/CVE-2016-1531-4.patch | 93 +++++ patches/CVE-2016-1531.patch | 463 +++++++++++++++++++++++++ patches/CVE-2016-9963.patch | 66 +++ patches/series | 8 13 files changed, 1165 insertions(+), 4 deletions(-)
diff -Nru exim4-4.76/debian/changelog exim4-4.76/debian/changelog
--- exim4-4.76/debian/changelog 2011-09-18 09:49:16.000000000 +0000
+++ exim4-4.76/debian/changelog 2017-01-05 13:52:13.000000000 +0000
@@ -1,3 +1,74 @@ +exim4 (4.76-3ubuntu3.4) precise-security; urgency=medium + + * SECURITY UPDATE: DKIM information leakage + - debian/patches/CVE-2016-9963.patch: fix information leakage in + src/dkim.c, src/transports/smtp.c. + - CVE-2016-9963 + + -- Marc Deslauriers Thu, 05 Jan 2017 08:52:13 -0500 + +exim4 (4.76-3ubuntu3.3) precise-security; urgency=medium + + * SECURITY UPDATE: privilege escalation via crafted lookup value + - debian/patches/CVE-2014-2972.patch: only expand integers for integer + math once. + - CVE-2014-2972 + * SECURITY UPDATE: privilege escalation when used with perl_startup + - debian/patches/CVE-2016-1531.patch: add new add_environment and + keep_environment configuration options. + - debian/patches/CVE-2016-1531-2.patch: don't issue env warning if env + is empty. + - debian/patches/CVE-2016-1531-3.patch: store the initial working + directory, expand $initial_cwd. + - debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened + the main config. + - Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the + new options. Set "keep_environment =" by default to avoid a runtime + warning. + - Bump exim4-config Breaks to exim4-daemon-* (<< 4.76-3ubuntu3.3). + - debian/exim4-config.NEWS: Add entry to warn of potential breakage. + - CVE-2016-1531 + * WARNING: This update may break existing installations. + + -- Marc Deslauriers Mon, 14 Mar 2016 13:18:20 -0400 + +exim4 (4.76-3ubuntu3.2) precise-proposed; urgency=low + + * Increase smtp_cmd_buffer_size to 16384 (upstream bug #879, fixed in 4.77). + This allows using smtp kerberos/gssapi auth against AD/samba4 on windows. + (LP: #1088136) + + -- Sergey Urushkin Wed, 12 Dec 2012 16:05:42 -0800 + +exim4 (4.76-3ubuntu3.1) precise-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via dns decode logic + - debian/patches/CVE-2012-5671.patch: adjust max length and validate + against it in src/pdkim/pdkim.h, src/dkim.c. 
+ - CVE-2012-5671 + + -- Marc Deslauriers Thu, 25 Oct 2012 08:26:32 -0400 + +exim4 (4.76-3ubuntu3) precise; urgency=low + + * Rebuild for libmysqlclient transition + + -- Clint Byrum Wed, 23 Nov 2011 23:29:35 -0800 + +exim4 (4.76-3ubuntu2) precise; urgency=low + + * Rebuild for Perl 5.14. + + -- Colin Watson Wed, 16 Nov 2011 01:22:39 +0000 + +exim4 (4.76-3ubuntu1) precise; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Thu, 20 Oct 2011 11:29:07 -0400 + exim4 (4.76-3) unstable; urgency=low * [exim4-base.cron.daily] Correct invocation of mail(1), options need to be @@ -18,6 +89,14 @@ -- Andreas Metzler Sun, 18 Sep 2011 11:49:13 +0200 +exim4 (4.76-2ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Mon, 30 May 2011 17:48:56 -0400 + exim4 (4.76-2) unstable; urgency=low * debian/rules: Remove test/ and test-stamp on clean. @@ -30,6 +109,14 @@ -- Andreas Metzler Sun, 29 May 2011 18:21:03 +0200 +exim4 (4.76-1ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes (LP: #779391): + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Mon, 23 May 2011 12:37:30 -0400 + exim4 (4.76-1) unstable; urgency=low * New upstream version. @@ -76,6 +163,14 @@ -- Andreas Metzler Fri, 06 May 2011 20:08:51 +0200 +exim4 (4.75-2ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Fri, 06 May 2011 14:51:28 -0400 + exim4 (4.75-2) unstable; urgency=low * clamav socket on Debian is clamd:/var/run/clamav/clamd.ctl, fix 
@@ -118,6 +213,24 @@ -- Andreas Metzler Thu, 24 Feb 2011 19:02:07 +0100 +exim4 (4.74-1ubuntu1) natty; urgency=low + + * Merge from debian experimental. Remaining changes: (LP: #713855) + - debian/patches/71_exiq_grep_error_on_messages_without_size.patch: + + Improve handling of broken messages when "exim4 -bp" (mailq) + reports lines without size info. (Closes: #528625) + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + - debian/{control,rules}: Add and enable hardened build for PIE. + (Closes: #542726) + * Update 71_exiq_grep_error_on_messages_without_size.patch to get way + which upstream has fixed it. Probably it can be dropped with next + upstream release. + * This upload fixes CVE: (LP: #708023) + - CVE-2011-0017 + + -- Artur Rona Wed, 09 Feb 2011 21:31:35 +0100 + exim4 (4.74-1) experimental; urgency=low * 4.74 release, should build on hurd again. @@ -143,6 +256,20 @@ -- Andreas Metzler Sun, 23 Jan 2011 14:02:36 +0100 +exim4 (4.73~rc1-1ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #697934) + - debian/patches/71_exiq_grep_error_on_messages_without_size.patch: + + Improve handling of broken messages when "exim4 -bp" (mailq) + reports lines without size info. + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + - debian/{control,rules}: Add and enable hardened build for PIE. + (Closes: #542726) + * Drop B-D on libmysqlclient15-dev, resolved in Debian. + + -- Artur Rona Tue, 28 Dec 2010 22:20:17 +0100 + exim4 (4.73~rc1-1) experimental; urgency=low * New upstream release candidate. 
@@ -238,6 +365,20 @@ -- Andreas Metzler Sun, 26 Dec 2010 15:13:08 +0100 +exim4 (4.72-2ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #671615) + - debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info. + - Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + - debian/control: Change build dependencies to MySQL 5.1. + - debian/{control,rules}: add and enable hardened build for PIE + (Closes: #542726). + + -- Artur Rona Fri, 05 Nov 2010 21:05:47 +0100 + exim4 (4.72-2) unstable; urgency=low [ Marc Haber ] @@ -261,6 +402,20 @@ -- Andreas Metzler Sat, 30 Oct 2010 13:38:26 +0200 +exim4 (4.72-1ubuntu1) maverick; urgency=low + + * Merge with Debian unstable (LP: #609620). Remaining changes: + + debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info. + + Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + + debian/control: Change build dependencies to MySQL 5.1. + + debian/{control,rules}: add and enable hardened build for PIE + (Closes: #542726). + + -- Artur Rona Sun, 25 Jul 2010 02:00:42 +0200 + exim4 (4.72-1) unstable; urgency=low * New upstream release. (Identical to the git snapshot previously 
@@ -312,6 +467,20 @@ -- Andreas Metzler Thu, 25 Mar 2010 17:34:30 +0100 +exim4 (4.71-3ubuntu1) lucid; urgency=low + + * Merge with Debian unstable (lp: #501657). Remaining changes: + + debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info. + + Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + + debian/control: Change build dependencies to MySQL 5.1. + + debian/{control,rules}: add and enable hardened build for PIE + (Debian bug 542726). + + -- Michael Bienia Fri, 01 Jan 2010 16:28:19 +0100 + exim4 (4.71-3) unstable; urgency=low * exim4-base.cron.daily: Do not run exim_tidydb on Berkeley DB logfiles. @@ -426,6 +595,35 @@ -- Andreas Metzler Sat, 17 Oct 2009 14:26:54 +0200 +exim4 (4.69-11ubuntu4) karmic; urgency=low + + * debian/{control,rules}: add and enable hardened build for PIE + (Debian bug 542726). + + -- Kees Cook Thu, 20 Aug 2009 17:33:26 -0700 + +exim4 (4.69-11ubuntu3) karmic; urgency=low + + * debian/control: Change build dependencies to MySQL 5.1. + + -- Mathias Gug Mon, 17 Aug 2009 17:57:26 -0400 + +exim4 (4.69-11ubuntu2) karmic; urgency=low + + * Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + + -- Steve Langasek Wed, 03 Jun 2009 15:39:14 +0000 + +exim4 (4.69-11ubuntu1) karmic; urgency=low + + * Merge from debian unstable (LP: #375923), remaining changes: + - debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info + + -- Thierry Carrez Wed, 13 May 2009 12:15:29 +0200 + exim4 (4.69-11) unstable; urgency=medium * Build-Depend on lynx-cur|lynx instead of lynx. (lynx is just a dummy 
@@ -483,6 +681,15 @@ -- Andreas Metzler Sat, 02 May 2009 09:05:56 +0200 +exim4 (4.69-9ubuntu1) jaunty; urgency=low + + [ Daniel van Eeden ] + * debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports lines + w/o size info, LP: #18194 + + -- Dustin Kirkland Wed, 11 Feb 2009 06:43:52 -0600 + exim4 (4.69-9) unstable; urgency=medium * [update-exim4.conf]: Use POSIX character classes [:alnum:] or explicit @@ -4063,4 +4270,3 @@ -- Mark Baker Mon, 4 Mar 2002 23:04:52 +0000 - diff -Nru exim4-4.76/debian/control exim4-4.76/debian/control --- exim4-4.76/debian/control 2011-09-18 09:44:21.000000000 +0000 +++ exim4-4.76/debian/control 2016-03-14 17:19:05.000000000 +0000 @@ -1,7 +1,8 @@ Source: exim4 Section: mail Priority: standard -Maintainer: Exim4 Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Exim4 Maintainers Uploaders: Andreas Metzler ,Marc Haber Homepage: http://www.exim.org/ Standards-Version: 3.9.2 @@ -54,7 +55,7 @@ Package: exim4-config Architecture: all -Breaks: exim4-daemon-light (<<4.69.1), exim4-daemon-heavy (<<4.69.1) +Breaks: exim4-daemon-light (<< 4.76-3ubuntu3.3), exim4-daemon-heavy (<< 4.76-3ubuntu3.3) Provides: exim4-config-2 Conflicts: exim, exim-tls, exim4-config, exim4-config-2, ${MTA-Conflicts} Depends: ${shlibs:Depends}, ${misc:Depends}, adduser 
@@ -88,7 +89,7 @@
 
 Package: exim4-daemon-light
 Architecture: any
-Provides: mail-transport-agent, exim4-localscanapi-1.0, exim4-localscanapi-1.1, default-mta
+Provides: mail-transport-agent, exim4-localscanapi-1.0, exim4-localscanapi-1.1
 Conflicts: mail-transport-agent
 Replaces: mail-transport-agent, exim4-base (<= 4.61-1)
 Depends: exim4-base (>= ${Upstream-Version}), ${shlibs:Depends}, ${misc:Depends}
diff -Nru exim4-4.76/debian/debconf/conf.d/main/02_exim4-config_options exim4-4.76/debian/debconf/conf.d/main/02_exim4-config_options
--- exim4-4.76/debian/debconf/conf.d/main/02_exim4-config_options 2011-04-10 10:52:27.000000000 +0000
+++ exim4-4.76/debian/debconf/conf.d/main/02_exim4-config_options 2016-03-14 17:18:39.000000000 +0000
@@ -198,3 +198,13 @@
 # SMTP Banner. The example includes the Debian version in the SMTP dialog
 # MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
 # smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
+
+.ifdef MAIN_KEEP_ENVIRONMENT
+keep_environment = MAIN_KEEP_ENVIRONMENT
+.else
+# set option to empty value to avoid warning.
+keep_environment =
+.endif
+.ifdef MAIN_ADD_ENVIRONMENT
+add_environment = MAIN_ADD_ENVIRONMENT
+.endif
diff -Nru exim4-4.76/debian/exim4-config.NEWS exim4-4.76/debian/exim4-config.NEWS
--- exim4-4.76/debian/exim4-config.NEWS 2007-10-07 11:18:57.000000000 +0000
+++ exim4-4.76/debian/exim4-config.NEWS 2016-03-14 17:19:32.000000000 +0000
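Review bot: The comment `# set option to empty value to avoid warning.` on the `keep_environment =` line says why the warning disappears but not what an operator is opting into: according to this upload's NEWS entry, an empty `keep_environment` makes Exim purge the complete environment for every child process, including transports that run other programs, which is the behaviour flagged as potentially breaking installations. I would replace it with `# Empty value: Exim purges the whole environment before running any child program (pipe transports, perl_startup, ...). Set MAIN_KEEP_ENVIRONMENT to retain specific variables.` so the default is understood before it is copied elsewhere. The `MAIN_KEEP_ENVIRONMENT` and `MAIN_ADD_ENVIRONMENT` macros are spliced in unquoted, so values containing characters the config parser treats specially presumably need the same quoting care as other macros in this file; I cannot confirm that from the hunk.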
@@ -1,3 +1,18 @@
+exim4 (4.76-3ubuntu3.3) precise-security; urgency=medium
+
+ The security fix for CVE-2016-1531 now cleans the complete environment
+ on startup including any subprocesses such as transports that call
+ other programs.
+
+ This change may break existing installations.
+
+ Two new configuration options were introduced to change the new default
+ behaviour, keep_environment and add_environment. The debian
+ configuration adds the macros MAIN_KEEP_ENVIRONMENT and
+ MAIN_ADD_ENVIRONMENT to easily set the options.
+
+ -- Marc Deslauriers Mon, 14 Mar 2016 11:26:13 -0400
+
 exim4 (4.68-1) unstable; urgency=low
 
 In order to fix #420217, the handling of incoming messages to
diff -Nru exim4-4.76/debian/patches/71_increase_smtp_cmd_buffer_size.patch exim4-4.76/debian/patches/71_increase_smtp_cmd_buffer_size.patch
--- exim4-4.76/debian/patches/71_increase_smtp_cmd_buffer_size.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.76/debian/patches/71_increase_smtp_cmd_buffer_size.patch 2012-12-13 00:04:35.000000000 +0000
@@ -0,0 +1,24 @@
+Description: Increase smtp_cmd_buffer_size to 16384
+Author: Paul Fisher
+Forwarded: http://bugs.exim.org/show_bug.cgi?id=879
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1088136
+
+diff -u -r exim-4.69/src/smtp_in.c exim-4.69-cmd-buffer/src/smtp_in.c
+--- exim-4.69/src/smtp_in.c 2007-09-28 05:21:57.000000000 -0700
++++ exim-4.69-cmd-buffer/src/smtp_in.c 2009-08-13 20:09:12.000000000 -0700
+@@ -37,9 +37,14 @@
+ /* Size of buffer for reading SMTP commands. We used to use 512, as defined
+ by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
+ commands that accept arguments, and this in particular applies to AUTH, where
+-the data can be quite long. */
++the data can be quite long. More recently this value was 2048 in Exim;
++however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH. Clients
++such as Thunderbird will send an AUTH with an initial-response for GSSAPI.
++The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
++we need room to handle large base64-encoded AUTHs for GSSAPI.
++*/
+
+-#define smtp_cmd_buffer_size 2048
++#define smtp_cmd_buffer_size 16384
+
+ /* Size of buffer for reading SMTP incoming packets */
diff -Nru exim4-4.76/debian/patches/CVE-2012-5671.patch exim4-4.76/debian/patches/CVE-2012-5671.patch
--- exim4-4.76/debian/patches/CVE-2012-5671.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.76/debian/patches/CVE-2012-5671.patch 2012-10-25 12:26:27.000000000 +0000
@@ -0,0 +1,46 @@
+From 4263f395efd136dece52d765dfcff3c96f17506e Mon Sep 17 00:00:00 2001
+From: Phil Pennock
+Date: Wed, 24 Oct 2012 23:26:29 -0400
+Subject: [PATCH 1/3] SECURITY: DKIM DNS buffer overflow protection
+
+CVE-2012-5671
+
+malloc/heap overflow, with a 60kB window of overwrite.
+Requires DNS under control of person sending email, leaves plenty of
+evidence, but is very likely exploitable on OSes that have not been
+well hardened.
+---
+ doc/doc-txt/ChangeLog | 8 ++++++++
+ src/src/dkim.c | 3 +++
+ src/src/pdkim/pdkim.h | 4 ++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+Index: exim4-4.76/src/dkim.c
+===================================================================
+--- exim4-4.76.orig/src/dkim.c 2011-05-09 04:36:25.000000000 -0400
++++ exim4-4.76/src/dkim.c 2012-10-25 08:26:24.009726695 -0400
+@@ -44,6 +44,9 @@
+ "%.*s", (int)len, (char *)((rr->data)+rr_offset));
+ rr_offset+=len;
+ answer_offset+=len;
++ if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) {
++ return PDKIM_FAIL;
++ }
+ }
+ }
+ else return PDKIM_FAIL;
+Index: exim4-4.76/src/pdkim/pdkim.h
+===================================================================
+--- exim4-4.76.orig/src/pdkim/pdkim.h 2011-05-09 04:36:25.000000000 -0400
++++ exim4-4.76/src/pdkim/pdkim.h 2012-10-25 08:26:24.009726695 -0400
+@@ -29,8 +29,8 @@
+
+ /* -------------------------------------------------------------------------- */
+ /* Length of the preallocated buffer for the "answer" from the dns/txt
+- callback function. */
+-#define PDKIM_DNS_TXT_MAX_RECLEN 4096
++ callback function. This should match the maximum RDLENGTH from DNS. */
++#define PDKIM_DNS_TXT_MAX_RECLEN (1 << 16)
+
+ /* -------------------------------------------------------------------------- */
+ /* Function success / error codes */
diff -Nru exim4-4.76/debian/patches/CVE-2014-2972.patch exim4-4.76/debian/patches/CVE-2014-2972.patch
--- exim4-4.76/debian/patches/CVE-2014-2972.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.76/debian/patches/CVE-2014-2972.patch 2016-03-14 17:31:21.000000000 +0000
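Review bot: The new bound check in `dkim.c` runs only after `snprintf` has written and `answer_offset+=len` has advanced by the requested length rather than by the bytes actually stored, so it protects the size argument of the next iteration, not the current write; whether the current write is itself bounded depends on the size passed to `snprintf` on the line just above the hunk, which is not visible here. A check before the write is easier to reason about, e.g. `if (len >= PDKIM_DNS_TXT_MAX_RECLEN - answer_offset) return PDKIM_FAIL;` placed ahead of the `snprintf`, with the existing post-increment check kept as a second guard. The new `pdkim.h` comment says the buffer `should match the maximum RDLENGTH from DNS`, but `(1 << 16)` is 65536, one more than the 65535 maximum; I would state that explicitly, e.g. `/* 65535 (maximum RDLENGTH) plus room for the terminating NUL */`, so nobody later "corrects" it to 65535. The loop this check sits in begins and ends outside the hunk.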
@@ -0,0 +1,75 @@
+Backport of:
+
+From 7685ce68148a083d7759e78d01aa5198fc099c44 Mon Sep 17 00:00:00 2001
+From: Tony Finch
+Date: Wed, 16 Jul 2014 06:13:39 -0700
+Subject: [PATCH] Only expand integers for integer math once
+
+---
+ src/src/expand.c | 31 ++++++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+Index: exim4-4.76/src/expand.c
+===================================================================
+--- exim4-4.76.orig/src/expand.c 2016-03-14 13:01:39.938870443 -0400
++++ exim4-4.76/src/expand.c 2016-03-14 13:03:15.400009413 -0400
+@@ -16,6 +16,7 @@
+ /* Recursively called function */
+
+ static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL);
++static int expanded_string_integer(uschar *, BOOL);
+
+ #ifdef STAND_ALONE
+ #ifndef SUPPORT_CRYPTEQ
+@@ -2078,7 +2079,7 @@
+ }
+ else
+ {
+- num[i] = expand_string_integer(sub[i], FALSE);
++ num[i] = expanded_string_integer(sub[i], FALSE);
+ if (expand_string_message != NULL) return NULL;
+ }
+ }
+@@ -5853,7 +5854,7 @@
+ int max;
+ uschar *s;
+
+- max = expand_string_integer(sub, TRUE);
++ max = expanded_string_integer(sub, TRUE);
+ if (expand_string_message != NULL)
+ goto EXPAND_FAILED;
+ s = string_sprintf("%d", pseudo_random_number(max));
+@@ -6050,8 +6051,32 @@
+ int
+ expand_string_integer(uschar *string, BOOL isplus)
+ {
++return expanded_string_integer(expand_string(string), isplus);
++}
++
++
++/*************************************************
++ * Interpret string as an integer *
++ *************************************************/
++
++/* Convert a string (that has already been expanded) into an integer.
++
++This function is used inside the expansion code.
++
++Arguments:
++ s the string to be expanded
++ isplus TRUE if a non-negative number is expected
++
++Returns: the integer value, or
++ -1 if string is NULL (which implies an expansion error)
++ -2 for an integer interpretation error
++ expand_string_message is set NULL for an OK integer
++*/
++
++static int
++expanded_string_integer(uschar *s, BOOL isplus)
++{
+ long int value;
+-uschar *s = expand_string(string);
+ uschar *msg = US"invalid integer \"%s\"";
+ uschar *endptr;
+
diff -Nru exim4-4.76/debian/patches/CVE-2016-1531-2.patch exim4-4.76/debian/patches/CVE-2016-1531-2.patch
--- exim4-4.76/debian/patches/CVE-2016-1531-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.76/debian/patches/CVE-2016-1531-2.patch 2016-03-14 17:52:23.000000000 +0000
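Review bot: The header comment for the new `expanded_string_integer` describes its argument as `s the string to be expanded`, but the function exists precisely because `s` has already been expanded and must not be expanded again; I would make it `s the already-expanded string to interpret (NULL if expansion failed)`. The two call sites switched to `expanded_string_integer` carry no explanation of why the old call was wrong, and the vulnerable pattern is easy to reintroduce, so a one-line comment at `num[i] = expanded_string_integer(sub[i], FALSE);` such as `/* sub[i] is already expanded; expanding it again would evaluate attacker-supplied lookup data (CVE-2014-2972) */` would help the next maintainer. The `-1`/`-2` return contract reads correctly for the wrapper `expand_string_integer`, which still hands a NULL from `expand_string` straight through. The body of `expanded_string_integer` continues past the hunk.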
@@ -0,0 +1,53 @@
+Backport of:
+
+From ce0cc17e69f8018341c65618aa87cdff3f329074 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)"
+Date: Fri, 11 Mar 2016 23:44:53 +0100
+Subject: [PATCH] Don't issue env warning if env is empty
+
+keep_environment needs to be mentioned in the runtime config.
+Setting add_environment isn't enough to suppress the warning.
+
+(cherry picked from commit 8e58ed807c77febfde61d3cf47928302f93cc99c)
+---
+ doc/doc-docbook/spec.xfpt | 7 ++++---
+ src/src/readconf.c | 6 +++---
+ test/confs/0615 | 1 +
+ test/stderr/0615 | 20 ++++++++------------
+ 4 files changed, 16 insertions(+), 18 deletions(-)
+
+Index: exim4-4.76/doc/spec.txt
+===================================================================
+--- exim4-4.76.orig/doc/spec.txt 2016-03-14 13:52:20.171947825 -0400
++++ exim4-4.76/doc/spec.txt 2016-03-14 13:52:20.163947727 -0400
+@@ -12889,8 +12889,10 @@
+ You may work around this using a regular expression that does not match the
+ macro name: ^[F]OO_HOME$.
+
+-Current versions of Exim issue a warning during startupif you do not mention
+-keep_environment or add_environment in your runtime configuration file.
++Current versions of Exim issue a warning during startup if you do not mention
++keep_environment in your runtime configuration file and if there is
++anything in your environment. Future versions may not issue that warning
++anymore.
+
+ +--------------+---------+----------+-----------+
+ |keep_malformed|Use: main|Type: time|Default: 4d|
+Index: exim4-4.76/src/readconf.c
+===================================================================
+--- exim4-4.76.orig/src/readconf.c 2016-03-14 13:52:20.171947825 -0400
++++ exim4-4.76/src/readconf.c 2016-03-14 13:52:20.163947727 -0400
+@@ -3257,10 +3257,10 @@
+ }
+ #endif
+
+-if ((!add_environment || *add_environment == '\0') && !keep_environment)
++if (!keep_environment && environ && *environ)
+ log_write(0, LOG_MAIN,
+- "WARNING: purging the environment.\n"
+- " Suggested action: use keep_environment and add_environment.\n");
++ "Warning: purging the environment.\n"
++ " Suggested action: use keep_environment.");
+ }
+
+
diff -Nru exim4-4.76/debian/patches/CVE-2016-1531-3.patch exim4-4.76/debian/patches/CVE-2016-1531-3.patch
--- exim4-4.76/debian/patches/CVE-2016-1531-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.76/debian/patches/CVE-2016-1531-3.patch 2016-03-14 17:18:00.000000000 +0000
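Review bot: The new condition `if (!keep_environment && environ && *environ)` reads `environ` directly in `readconf.c`; no standard header declares it, so unless the file or a project header already has `extern char **environ;`, this relies on an implicit declaration and should be paired with one near the top of the file, which I cannot confirm from the hunk. The test's semantics are also worth a comment, because the Debian default of `keep_environment =` in this same upload depends on them: `/* NULL means keep_environment was never set; an explicit empty value is a deliberate choice and silences the warning */`. The enclosing function starts before the hunk.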
@@ -0,0 +1,101 @@
+Backport of:
+
+From f1ff8cb17d215a94986d0bc9e8bd4bec73333838 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)"
+Date: Wed, 9 Mar 2016 11:13:42 +0100
+Subject: [PATCH] Store the initial working directory, expand $initial_cwd. Bug
+ 1805
+
+(cherry picked from commit 3615fa9a06356891367c66ed284cef9db5cefca3)
+---
+ doc/doc-docbook/spec.xfpt | 6 ++++++
+ doc/doc-txt/NewStuff | 2 ++
+ src/src/exim.c | 12 ++++++++++--
+ src/src/expand.c | 1 +
+ src/src/globals.c | 1 +
+ src/src/globals.h | 1 +
+ 6 files changed, 21 insertions(+), 2 deletions(-)
+
+Index: exim4-4.76/doc/spec.txt
+===================================================================
+--- exim4-4.76.orig/doc/spec.txt 2016-03-14 13:16:29.001565572 -0400
++++ exim4-4.76/doc/spec.txt 2016-03-14 13:16:28.993565475 -0400
+@@ -9962,6 +9962,13 @@
+
+ See $host_lookup_deferred.
+
++$initial_cwd
++
++ This variable contains the full path name of the initial working
++ directory of the current Exim process. This may differ from the current
++ working directory, as Exim changes this to "/" during early startup, and
++ to $spool_directory later.
++
+ $inode
+
+ The only time this variable is set is while expanding the directory_file
+Index: exim4-4.76/src/exim.c
+===================================================================
+--- exim4-4.76.orig/src/exim.c 2016-03-14 13:16:29.001565572 -0400
++++ exim4-4.76/src/exim.c 2016-03-14 13:17:07.102026974 -0400
+@@ -3430,6 +3430,13 @@
+ exit(EXIT_FAILURE);
+ }
+
++/* Store the initial cwd before we change directories */
++if ((initial_cwd = getcwd(NULL, 0)) == NULL)
++ {
++ perror("exim: can't get the current working directory");
++ exit(EXIT_FAILURE);
++ }
++
+ readconf_main();
+
+ if (cleanup_environment() == FALSE)
+@@ -3636,7 +3643,9 @@
+ int i;
+ uschar *p = big_buffer;
+ Ustrcpy(p, "cwd=");
+- (void)getcwd(CS p+4, big_buffer_size - 4);
++
++ Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
++
+ while (*p) p++;
+ (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
+ while (*p) p++;
+Index: exim4-4.76/src/expand.c
+===================================================================
+--- exim4-4.76.orig/src/expand.c 2016-03-14 13:16:29.001565572 -0400
++++ exim4-4.76/src/expand.c 2016-03-14 13:16:28.997565523 -0400
+@@ -453,6 +453,7 @@
+ { "host_data", vtype_stringptr, &host_data },
+ { "host_lookup_deferred",vtype_int, &host_lookup_deferred },
+ { "host_lookup_failed", vtype_int, &host_lookup_failed },
++ { "initial_cwd", vtype_stringptr, &initial_cwd },
+ { "inode", vtype_ino, &deliver_inode },
+ { "interface_address", vtype_stringptr, &interface_address },
+ { "interface_port", vtype_int, &interface_port },
+Index: exim4-4.76/src/globals.c
+===================================================================
+--- exim4-4.76.orig/src/globals.c 2016-03-14 13:16:29.001565572 -0400
++++ exim4-4.76/src/globals.c 2016-03-14 13:17:31.942327735 -0400
+@@ -660,6 +660,7 @@
+ int ignore_bounce_errors_after = 10*7*24*60*60; /* 10 weeks */
+ BOOL ignore_fromline_local = FALSE;
+ uschar *ignore_fromline_hosts = NULL;
++uschar *initial_cwd = NULL;
+ uschar *interface_address = NULL;
+ int interface_port = -1;
+ BOOL is_inetd = FALSE;
+Index: exim4-4.76/src/globals.h
+===================================================================
+--- exim4-4.76.orig/src/globals.h 2016-03-14 13:16:29.001565572 -0400
++++ exim4-4.76/src/globals.h 2016-03-14 13:17:45.622493355 -0400
+@@ -424,6 +424,7 @@
+ extern int ignore_bounce_errors_after; /* Keep them for this time. */
+ extern BOOL ignore_fromline_local; /* Local SMTP ignore fromline */
+ extern uschar *ignore_fromline_hosts; /* Hosts permitted to send "From " */
++extern uschar *initial_cwd; /* The directory we where in at startup */
+ extern BOOL is_inetd; /* True for inetd calls */
+ extern uschar *iterate_item; /* Item from iterate list */
+
diff -Nru exim4-4.76/debian/patches/CVE-2016-1531-4.patch exim4-4.76/debian/patches/CVE-2016-1531-4.patch
--- exim4-4.76/debian/patches/CVE-2016-1531-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.76/debian/patches/CVE-2016-1531-4.patch 2016-03-14 17:52:31.000000000 +0000
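Review bot: `Ustrncpy(p + 4, initial_cwd, big_buffer_size-5)` does not NUL-terminate when `initial_cwd` is at least `big_buffer_size-5` bytes long, and the `while (*p) p++;` that follows then scans beyond the copied bytes into whatever `big_buffer` previously held; the `getcwd()` call it replaces either terminated the string or failed. The `string_format` call two lines below already shows the safe idiom, so I would write `(void)string_format(p + 4, big_buffer_size - 4, "%s", initial_cwd);` instead, or at minimum add `p[big_buffer_size - 1] = 0;` after the copy. `getcwd(NULL, 0)` allocating its own buffer is a glibc/POSIX.1-2008 extension rather than C-standard behaviour, presumably acceptable for this package's Linux targets; the allocation is kept for the process lifetime, which looks intended since `$initial_cwd` is exposed as an expansion variable. Both edited functions in `exim.c` begin and end outside the hunk.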
@@ -0,0 +1,93 @@
+Backport of:
+
+From 3de973a29de6852d61ba9bf1845835d08ca5a5ab Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)"
+Date: Wed, 2 Mar 2016 22:07:45 +0100
+Subject: [PATCH] Delay chdir(/) until we opened the main config
+
+---
+ doc/doc-docbook/spec.xfpt | 2 --
+ src/src/exim.c | 13 ++++++-------
+ src/src/readconf.c | 17 +++++++++--------
+ 3 files changed, 15 insertions(+), 17 deletions(-)
+
+Index: exim4-4.76/doc/spec.txt
+===================================================================
+--- exim4-4.76.orig/doc/spec.txt 2016-03-14 13:52:27.432036402 -0400
++++ exim4-4.76/doc/spec.txt 2016-03-14 13:52:27.428036353 -0400
+@@ -3250,8 +3250,6 @@
+ first file that exists is used. Failure to open an existing file stops Exim
+ from proceeding any further along the list, and an error is generated.
+
+- The file names need to be absolute names.
+-
+ When this option is used by a caller other than root, and the list is
+ different from the compiled-in list, Exim gives up its root privilege
+ immediately, and runs with the real and effective uid and gid set to those
+Index: exim4-4.76/src/exim.c
+===================================================================
+--- exim4-4.76.orig/src/exim.c 2016-03-14 13:52:27.432036402 -0400
++++ exim4-4.76/src/exim.c 2016-03-14 13:52:27.428036353 -0400
+@@ -3421,14 +3421,11 @@
+
+ /* Read the main runtime configuration data; this gives up if there
+ is a failure. It leaves the configuration file open so that the subsequent
+-configuration data for delivery can be read if needed. */
++configuration data for delivery can be read if needed.
+
+-/* To be safe: change the working directory to /. */
+-if (Uchdir("/") < 0)
+- {
+- perror("exim: chdir `/': ");
+- exit(EXIT_FAILURE);
+- }
++NOTE: immediatly after opening the configuration file we change the working
++directory to "/"! Later we change to $spool_directory. We do it there, because
++during readconf_main() some expansion takes place already. */
+
+ /* Store the initial cwd before we change directories */
+ if ((initial_cwd = getcwd(NULL, 0)) == NULL)
+@@ -3439,6 +3436,8 @@
+
+ readconf_main();
+
++/* Now in directory "/" */
++
+ if (cleanup_environment() == FALSE)
+ log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
+
+Index: exim4-4.76/src/readconf.c
+===================================================================
+--- exim4-4.76.orig/src/readconf.c 2016-03-14 13:52:27.432036402 -0400
++++ exim4-4.76/src/readconf.c 2016-03-14 13:52:27.432036402 -0400
+@@ -2835,14 +2835,6 @@
+ != NULL)
+ {
+
+- /* To avoid confusion: Exim changes to / at the very beginning and
+- * and to $spool_directory later. */
+- if (filename[0] != '/')
+- {
+- fprintf(stderr, "-C %s: only absolute names are allowed\n", filename);
+- exit(EXIT_FAILURE);
+- }
+-
+ /* Cut out all the fancy processing unless specifically wanted */
+
+ #if defined(CONFIGURE_FILE_USE_NODE) || defined(CONFIGURE_FILE_USE_EUID)
+@@ -2896,6 +2888,15 @@
+ if (config_file != NULL || errno != ENOENT) break;
+ }
+
++/* Now, once we found and opened our configuration file, we change the directory
++to a safe place. Later we change to $spool_directory. */
++
++if (Uchdir("/") < 0)
++ {
++ perror("exim: chdir `/': ");
++ exit(EXIT_FAILURE);
++ }
++
+ /* On success, save the name for verification; config_filename is used when
+ logging configuration errors (it changes for .included files) whereas
+ config_main_filename is the name shown by -bP. Failure to open a configuration
diff -Nru exim4-4.76/debian/patches/CVE-2016-1531.patch exim4-4.76/debian/patches/CVE-2016-1531.patch
--- exim4-4.76/debian/patches/CVE-2016-1531.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.76/debian/patches/CVE-2016-1531.patch 2016-03-14 18:03:48.000000000 +0000
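Review bot: `doc/exim.8` still carries `The file names need to be absolute names.` (added to it by `CVE-2016-1531.patch` in this same upload) after this patch deletes the `filename[0] != '/'` check from `readconf.c` and the matching sentence from `spec.txt` only, so the man page now documents a restriction the code no longer enforces; I would remove the same `The file names need to be absolute names.` and following `.sp` lines from `exim.8` as well. With that check gone, a relative `-C` name is opened relative to the caller's working directory while Exim may still hold root, and the privilege-drop rule for non-default configuration lists described in the `spec.txt` context lines is what keeps that safe; that logic lives outside the hunk. The new `exim.c` comment misspells `immediately` as `immediatly`, and `/* Now in directory "/" */` holds only because the `Uchdir("/")` placed after the config-file loop runs unconditionally, which is worth saying in that comment. The config-file loop in `readconf.c` starts before the hunk.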
@@ -0,0 +1,463 @@ +Description: fix privilege escalation via perl_startup +Origin: backport, http://git.exim.org/exim.git/commitdiff/43ba2742c700d625dcdcdaf7bbadc2f72776854a +Origin: backport, http://git.exim.org/exim.git/commitdiff/dd90c19962a63fe966e17c75b4a36639302d1e67 +Origin: backport, http://git.exim.org/exim.git/commitdiff/fec27df097c8d16b4decfc62bc83bf873e58f310 +Origin: backport, http://git.exim.org/exim.git/commit/f2cb6292ba93101c1e8eff8933df6157cfe05fd8 + +Index: exim4-4.76/OS/Makefile-Base +=================================================================== +--- exim4-4.76.orig/OS/Makefile-Base 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/OS/Makefile-Base 2016-03-14 13:51:47.463548728 -0400 +@@ -312,7 +312,7 @@ + os.o parse.o queue.o \ + rda.o readconf.o receive.o retry.o rewrite.o rfc2047.o \ + route.o search.o sieve.o smtp_in.o smtp_out.o spool_in.o spool_out.o \ +- store.o string.o tls.o tod.o transport.o tree.o verify.o \ ++ store.o string.o tls.o tod.o transport.o tree.o verify.o environment.o \ + lookups/lf_quote.o lookups/lf_check_file.o lookups/lf_sqlperform.o \ + local_scan.o $(EXIM_PERL) $(OBJ_WITH_CONTENT_SCAN) \ + $(OBJ_WITH_OLD_DEMIME) $(OBJ_EXPERIMENTAL) +@@ -546,6 +546,7 @@ + enq.o: $(HDRS) enq.c + exim.o: $(HDRS) exim.c + expand.o: $(HDRS) expand.c ++environment.o: $(HDRS) environment.c + filter.o: $(HDRS) filter.c + filtertest.o: $(HDRS) filtertest.c + globals.o: $(HDRS) globals.c +Index: exim4-4.76/doc/exim.8 +=================================================================== +--- exim4-4.76.orig/doc/exim.8 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/doc/exim.8 2016-03-14 13:51:47.463548728 -0400 +@@ -407,6 +407,10 @@ + settings can be obtained by using \fBrouters\fP, \fBtransports\fP, or + \fBauthenticators\fP. + .sp ++If \fBenvironment\fP is given as an argument, the set of environment ++variables is output, line by line. Using the \fB\-n\fP flag supresses the value of the ++variables. 
++.sp + If invoked by an admin user, then \fBmacro\fP, \fBmacro_list\fP and \fBmacros\fP + are available, similarly to the drivers. Because macros are sometimes used + for storing passwords, this option is restricted. +@@ -682,6 +686,8 @@ + file that exists is used. Failure to open an existing file stops Exim from + proceeding any further along the list, and an error is generated. + .sp ++The file names need to be absolute names. ++.sp + When this option is used by a caller other than root, and the list is different + from the compiled\-in list, Exim gives up its root privilege immediately, and + runs with the real and effective uid and gid set to those of the caller. +Index: exim4-4.76/doc/spec.txt +=================================================================== +--- exim4-4.76.orig/doc/spec.txt 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/doc/spec.txt 2016-03-14 13:51:47.471548825 -0400 +@@ -2955,6 +2955,10 @@ + authenticator_list, and a complete list of all drivers with their option + settings can be obtained by using routers, transports, or authenticators. + ++ If environment is given as an argument, the set of environment variables is ++ output, line by line. Using the -n flag supresses the value of the ++ variables. ++ + If invoked by an admin user, then macro, macro_list and macros are + available, similarly to the drivers. Because macros are sometimes used for + storing passwords, this option is restricted. The output format is one item +@@ -3246,6 +3250,8 @@ + first file that exists is used. Failure to open an existing file stops Exim + from proceeding any further along the list, and an error is generated. + ++ The file names need to be absolute names. 
++ + When this option is used by a caller other than root, and the list is + different from the compiled-in list, Exim gives up its root privilege + immediately, and runs with the real and effective uid and gid set to those +@@ -11825,6 +11831,14 @@ + This option defines the ACL that is run when an SMTP VRFY command is received. + See chapter 40 for further details. + +++---------------+---------+-----------------+--------------+ ++|add_environment|Use: main|Type: string list|Default: empty| +++---------------+---------+-----------------+--------------+ ++ ++This option allows to set individual environment variables that the currently ++linked libraries and programs in child processes use. The default list is ++empty, ++ + +------------+---------+------------------+--------------+ + |admin_groups|Use: main|Type: string list*|Default: unset| + +------------+---------+------------------+--------------+ +@@ -12855,6 +12869,29 @@ + + See ignore_fromline_hosts above. + +++----------------+---------+-----------------+--------------+ ++|keep_environment|Use: main|Type: string list|Default: unset| +++----------------+---------+-----------------+--------------+ ++ ++This option contains a string list of environment variables to keep. You have ++to trust these variables or you have to be sure that these variables do not ++impose any security risk. Keep in mind that during the startup phase Exim is ++running with an effective UID 0 in most installations. As the default value is ++an empty list, the default environment for using libraries, running embedded ++Perl code, or running external binaries is empty, and does not not even contain ++PATH or HOME. ++ ++Actually the list is interpreted as a list of patterns (10.1), except that it ++is not expanded first. ++ ++WARNING: Macro substitution is still done first, so having a macro FOO and ++having FOO_HOME in your keep_environment option may have unexpected results. 
++You may work around this using a regular expression that does not match the ++macro name: ^[F]OO_HOME$. ++ ++Current versions of Exim issue a warning during startupif you do not mention ++keep_environment or add_environment in your runtime configuration file. ++ + +--------------+---------+----------+-----------+ + |keep_malformed|Use: main|Type: time|Default: 4d| + +--------------+---------+----------+-----------+ +@@ -13800,6 +13837,14 @@ + sender_unqualified_hosts, or if the message was submitted locally (not using + TCP/IP), and the -bnq option was not set. + +++---------------+---------+-----------------+--------------+ ++|set_environment|Use: main|Type: string list|Default: empty| +++---------------+---------+-----------------+--------------+ ++ ++This option allows to set individual environment variables that the currently ++linked libraries and programs in child processes use. The default list is ++empty, ++ + +---------------------+---------+-------------+-------------+ + |smtp_accept_keepalive|Use: main|Type: boolean|Default: true| + +---------------------+---------+-------------+-------------+ +Index: exim4-4.76/scripts/MakeLinks +=================================================================== +--- exim4-4.76.orig/scripts/MakeLinks 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/scripts/MakeLinks 2016-03-14 13:51:47.471548825 -0400 +@@ -197,6 +197,7 @@ + ln -s ../src/drtables.c drtables.c + ln -s ../src/dummies.c dummies.c + ln -s ../src/enq.c enq.c ++ln -s ../src/environment.c environment.c + ln -s ../src/exim.c exim.c + ln -s ../src/exim_dbmbuild.c exim_dbmbuild.c + ln -s ../src/exim_dbutil.c exim_dbutil.c +Index: exim4-4.76/src/environment.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ exim4-4.76/src/environment.c 2016-03-14 13:51:47.471548825 -0400 +@@ -0,0 +1,71 @@ ++/************************************************* ++* Exim - an Internet mail transport agent 
* ++*************************************************/ ++ ++/* Copyright (c) Heiko Schlittermann 2016 ++ * hs@schlittermann.de ++ * See the file NOTICE for conditions of use and distribution. ++ */ ++ ++#include "exim.h" ++ ++extern char **environ; ++ ++/* The cleanup_environment() function is used during the startup phase ++of the Exim process, right after reading the configurations main ++part, before any expansions take place. It retains the environment ++variables we trust (via the keep_environment option) and allows to ++set additional variables (via add_environment). ++ ++Returns: TRUE if successful ++ FALSE otherwise ++*/ ++ ++BOOL ++cleanup_environment() ++{ ++if (!keep_environment || *keep_environment == '\0') ++ { ++ /* 
From: https://github.com/dovecot/core/blob/master/src/lib/env-util.c#L55 ++ Try to clear the environment. ++ a) environ = NULL crashes on OS X. ++ b) *environ = NULL doesn't work on FreeBSD 7.0. ++ c) environ = emptyenv doesn't work on Haiku OS ++ d) environ = calloc() should work everywhere */ ++ ++ if (environ) *environ = NULL; ++ ++ } ++else if (Ustrcmp(keep_environment, "*") != 0) ++ { ++ uschar **p; ++ if (environ) for (p = USS environ; *p; /* see below */) ++ { ++ /* It's considered broken if we do not find the '=', according to ++ Florian Weimer. For now we ignore such strings. unsetenv() would complain, ++ getenv() would complain. */ ++ uschar *eqp = Ustrchr(*p, '='); ++ ++ if (eqp) ++ { ++ uschar *name = string_copyn(*p, eqp - *p); ++ if (OK != match_isinlist(name, USS &keep_environment, ++ 0, NULL, NULL, MCL_NOEXPAND, FALSE, NULL)) ++ if (unsetenv(CS name) < 0) return FALSE; ++ else p = USS environ; /* RESTART from the beginning */ ++ else p++; ++ store_reset(name); ++ } ++ } ++ } ++if (add_environment) ++ { ++ uschar *p; ++ int sep = 0; ++ uschar* envlist = add_environment; ++ while ((p = string_nextinlist(&envlist, &sep, NULL, 0))) ++ putenv(CS p); ++ } ++ ++ return TRUE; ++} +Index: exim4-4.76/src/exim.c +=================================================================== +--- exim4-4.76.orig/src/exim.c 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/src/exim.c 2016-03-14 13:51:47.471548825 -0400 +@@ -3423,8 +3423,19 @@ + is a failure. It leaves the configuration file open so that the subsequent + configuration data for delivery can be read if needed. */ + ++/* To be safe: change the working directory to /. */ ++if (Uchdir("/") < 0) ++ { ++ perror("exim: chdir `/': "); ++ exit(EXIT_FAILURE); ++ } ++ + readconf_main(); + ++if (cleanup_environment() == FALSE) ++ log_write(0, LOG_PANIC_DIE, "Can't cleanup environment"); ++ ++ + /* Handle the decoding of logging options. 
*/ + + decode_bits(&log_write_selector, &log_extra_selector, 0, 0, +@@ -3492,7 +3503,7 @@ + #ifdef TMPDIR + { + uschar **p; +- for (p = USS environ; *p != NULL; p++) ++ if (environ) for (p = USS environ; *p != NULL; p++) + { + if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && + Ustrcmp(*p+7, TMPDIR) != 0) +@@ -3532,10 +3543,10 @@ + uschar **new; + uschar **newp; + int count = 0; +- while (*p++ != NULL) count++; ++ if (environ) while (*p++ != NULL) count++; + if (envtz == NULL) count++; + newp = new = malloc(sizeof(uschar *) * (count + 1)); +- for (p = USS environ; *p != NULL; p++) ++ if (environ) for (p = USS environ; *p != NULL; p++) + { + if (Ustrncmp(*p, "TZ=", 3) == 0) continue; + *newp++ = *p; +@@ -4171,7 +4182,8 @@ + (Ustrcmp(argv[i], "router") == 0 || + Ustrcmp(argv[i], "transport") == 0 || + Ustrcmp(argv[i], "authenticator") == 0 || +- Ustrcmp(argv[i], "macro") == 0)) ++ Ustrcmp(argv[i], "macro") == 0 || ++ Ustrcmp(argv[i], "environment") == 0)) + { + readconf_print(argv[i+1], argv[i]); + i++; +Index: exim4-4.76/src/functions.h +=================================================================== +--- exim4-4.76.orig/src/functions.h 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/src/functions.h 2016-03-14 13:51:47.471548825 -0400 +@@ -65,7 +65,7 @@ + extern uschar **child_exec_exim(int, BOOL, int *, BOOL, int, ...); + extern pid_t child_open_uid(uschar **, uschar **, int, uid_t *, gid_t *, + int *, int *, uschar *, BOOL); +- ++extern BOOL cleanup_environment(void); + extern void daemon_go(void); + + #ifdef EXPERIMENTAL_DCC +@@ -316,6 +316,7 @@ + extern uschar *string_append(uschar *, int *, int *, int, ...); + extern uschar *string_base62(unsigned long int); + extern uschar *string_cat(uschar *, int *, int *, const uschar *, int); ++extern int string_compare_by_pointer(const void *, const void *); + extern uschar *string_copy_dnsdomain(uschar *); + extern uschar *string_copy_malloc(uschar *); + extern uschar *string_copylc(uschar *); +Index: 
exim4-4.76/src/globals.c +=================================================================== +--- exim4-4.76.orig/src/globals.c 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/src/globals.c 2016-03-14 13:51:47.471548825 -0400 +@@ -249,6 +249,7 @@ + BOOL active_local_from_check = FALSE; + BOOL active_local_sender_retain = FALSE; + BOOL accept_8bitmime = FALSE; ++uschar *add_environment = NULL; + address_item *addr_duplicate = NULL; + + address_item address_defaults = { +@@ -666,6 +667,8 @@ + + int journal_fd = -1; + ++uschar *keep_environment = NULL; ++ + int keep_malformed = 4*24*60*60; /* 4 days */ + + uschar *eldap_dn = NULL; +Index: exim4-4.76/src/globals.h +=================================================================== +--- exim4-4.76.orig/src/globals.h 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/src/globals.h 2016-03-14 13:51:47.471548825 -0400 +@@ -126,6 +126,7 @@ + /* General global variables */ + + extern BOOL accept_8bitmime; /* Allow *BITMIME incoming */ ++extern uschar *add_environment; /* List of environment variables to add */ + extern header_line *acl_added_headers; /* Headers added by an ACL */ + extern tree_node *acl_anchor; /* Tree of named ACLs */ + extern uschar *acl_not_smtp; /* ACL run for non-SMTP messages */ +@@ -428,6 +429,7 @@ + + extern int journal_fd; /* Fd for journal file */ + ++extern uschar *keep_environment; /* Whitelist for environment variables */ + extern int keep_malformed; /* Time to keep malformed messages */ + + extern uschar *eldap_dn; /* Where LDAP DNs are left */ +Index: exim4-4.76/src/readconf.c +=================================================================== +--- exim4-4.76.orig/src/readconf.c 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/src/readconf.c 2016-03-14 13:52:02.411731128 -0400 +@@ -13,6 +13,8 @@ + + #include "exim.h" + ++extern char **environ; ++ + #define CSTATE_STACK_SIZE 10 + + +@@ -161,6 +163,7 @@ + { "acl_smtp_starttls", opt_stringptr, &acl_smtp_starttls }, + #endif + { 
"acl_smtp_vrfy", opt_stringptr, &acl_smtp_vrfy }, ++ { "add_environment", opt_stringptr, &add_environment }, + { "admin_groups", opt_gidlist, &admin_groups }, + { "allow_domain_literals", opt_bool, &allow_domain_literals }, + { "allow_mx_to_ip", opt_bool, &allow_mx_to_ip }, +@@ -261,6 +264,7 @@ + { "ignore_bounce_errors_after", opt_time, &ignore_bounce_errors_after }, + { "ignore_fromline_hosts", opt_stringptr, &ignore_fromline_hosts }, + { "ignore_fromline_local", opt_bool, &ignore_fromline_local }, ++ { "keep_environment", opt_stringptr, &keep_environment }, + { "keep_malformed", opt_time, &keep_malformed }, + #ifdef LOOKUP_LDAP + { "ldap_ca_cert_dir", opt_stringptr, &eldap_ca_cert_dir }, +@@ -2430,6 +2434,7 @@ + macro_list print a list of macro names + +name print a named list item + local_scan print the local_scan options ++ environment print the used execution environment + + If the second argument is not NULL, it must be one of "router", "transport", + "authenticator" or "macro" in which case the first argument identifies the +@@ -2565,6 +2570,22 @@ + names_only = TRUE; + } + ++ else if (Ustrcmp(name, "environment") == 0) ++ { ++ if (environ) ++ { ++ uschar **p; ++ for (p = USS environ; *p; p++) ; ++ qsort(environ, p - USS environ, sizeof(*p), string_compare_by_pointer); ++ ++ for (p = USS environ; *p; p++) ++ { ++ puts(CS *p); ++ } ++ } ++ return; ++ } ++ + else + { + print_ol(find_option(name, optionlist_config, optionlist_config_size), +@@ -2813,6 +2834,15 @@ + while((filename = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)) + != NULL) + { ++ ++ /* To avoid confusion: Exim changes to / at the very beginning and ++ * and to $spool_directory later. 
*/ ++ if (filename[0] != '/') ++ { ++ fprintf(stderr, "-C %s: only absolute names are allowed\n", filename); ++ exit(EXIT_FAILURE); ++ } ++ + /* Cut out all the fancy processing unless specifically wanted */ + + #if defined(CONFIGURE_FILE_USE_NODE) || defined(CONFIGURE_FILE_USE_EUID) +@@ -3226,6 +3256,11 @@ + # endif + } + #endif ++ ++if ((!add_environment || *add_environment == '\0') && !keep_environment) ++ log_write(0, LOG_MAIN, ++ "WARNING: purging the environment.\n" ++ " Suggested action: use keep_environment and add_environment.\n"); + } + + +Index: exim4-4.76/src/string.c +=================================================================== +--- exim4-4.76.orig/src/string.c 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/src/string.c 2016-03-14 13:51:47.475548874 -0400 +@@ -1517,6 +1517,17 @@ + #endif /* COMPILE_UTILITY */ + + ++#ifndef COMPILE_UTILITY ++/* qsort(3), currently used to sort the environment variables ++for -bP environment output, needs a function to compare two pointers to string ++pointers. Here it is. */ ++ ++int ++string_compare_by_pointer(const void *a, const void *b) ++{ ++return Ustrcmp(* CUSS a, * CUSS b); ++} ++#endif /* COMPILE_UTILITY */ + + + +Index: exim4-4.76/src/mytypes.h +=================================================================== +--- exim4-4.76.orig/src/mytypes.h 2016-03-14 13:51:47.475548874 -0400 ++++ exim4-4.76/src/mytypes.h 2016-03-14 13:51:47.475548874 -0400 +@@ -60,6 +60,7 @@ + #define US (unsigned char *) + #define CUS (const unsigned char *) + #define USS (unsigned char **) ++#define CUSS (const unsigned char **) + + /* The C library string functions expect "char *" arguments. Use macros to + avoid having to write a cast each time. 
We do this for string and file diff -Nru exim4-4.76/debian/patches/CVE-2016-9963.patch exim4-4.76/debian/patches/CVE-2016-9963.patch --- exim4-4.76/debian/patches/CVE-2016-9963.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.76/debian/patches/CVE-2016-9963.patch 2017-01-05 13:52:08.000000000 +0000 
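Review bot: In the new `cleanup_environment()` in environment.c, the `for (p = USS environ; *p; /* see below */)` loop only advances `p` inside the `if (eqp)` branch, so an `environ` entry without an `=` — which the comment says is meant to be ignored — is never stepped over and the startup loop never terminates. Adding `else p++;` after the `if (eqp) { ... }` block makes such entries actually ignored; as written, one malformed inherited entry stalls the process during the startup phase that the keep_environment documentation itself notes runs with effective UID 0. Separately, the spec.txt part of the hunk documents a `set_environment` option, but the readconf.c option table in the same hunk registers only `add_environment` and `keep_environment`, so that section describes an option that does not exist and should be dropped or renamed. The new doc text also has `supresses`, `startupif` and `does not not even` that want fixing.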
@@ -0,0 +1,66 @@ +From 46672dc8be913fb02f0aa822d79c590fac276182 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Fri, 16 Dec 2016 20:36:39 +0000 +Subject: [PATCH] Fix DKIM information leakage + +(Cherry picked from exim-4_84_2..exim-4_84_2+CVE-2016-9963) +--- + doc/doc-txt/cve-2016-9663 | 86 +++++++++++++++++++++++++++++++++ + src/src/dkim.c | 1 + + src/src/transports/smtp.c | 4 +- + test/confs/4510 | 71 +++++++++++++++++++++++++++ + test/log/4510 | 20 ++++++++ + test/mail/4510.store | 58 ++++++++++++++++++++++ + test/runtest | 16 ++++++ + test/scripts/4510-DKIM-Bounces/4510 | 15 ++++++ + test/scripts/4510-DKIM-Bounces/REQUIRES | 2 + + 9 files changed, 272 insertions(+), 1 deletion(-) + create mode 100644 doc/doc-txt/cve-2016-9663 + create mode 100644 test/confs/4510 + create mode 100644 test/log/4510 + create mode 100644 test/mail/4510.store + create mode 100644 test/scripts/4510-DKIM-Bounces/4510 + create mode 100644 test/scripts/4510-DKIM-Bounces/REQUIRES + + +Index: exim4-4.76/src/dkim.c +=================================================================== +--- exim4-4.76.orig/src/dkim.c 2017-01-05 08:52:05.983931244 -0500 ++++ exim4-4.76/src/dkim.c 2017-01-05 08:52:05.967931042 -0500 +@@ -516,6 +516,7 @@ + (char *)dkim_signing_selector, + (char *)dkim_private_key_expanded + ); ++ dkim_private_key_expanded[0] = '\0'; + + pdkim_set_debug_stream(ctx,debug_file); + +Index: exim4-4.76/src/transports/smtp.c +=================================================================== +--- exim4-4.76.orig/src/transports/smtp.c 2017-01-05 08:52:05.983931244 -0500 ++++ exim4-4.76/src/transports/smtp.c 2017-01-05 08:52:05.975931144 -0500 +@@ -211,6 +211,7 @@ + static uschar *smtp_command; /* Points to last cmd for error messages */ + static uschar *mail_command; /* Points to MAIL cmd for error messages */ + static BOOL update_waiting; /* TRUE to update the "wait" database */ ++static uschar *data_command = US""; /* Points to DATA cmd for error messages */ + + + 
/*************************************************
+@@ -1555,6 +1556,7 @@
+ case -1: goto END_OFF; /* Timeout on RCPT */
+ default: goto RESPONSE_FAILED; /* I/O error, or any MAIL/DATA error */
+ }
++ data_command = string_copy(big_buffer); /* Save for later error message */
+ }
+
+ /* Save the first address of the next batch. */
+@@ -1703,7 +1705,7 @@
+ {
+ if (errno != 0 || buffer[0] == 0) goto RESPONSE_FAILED;
+ addr->message = string_sprintf("LMTP error after %s: %s",
+- big_buffer, string_printing(buffer));
++ data_command, string_printing(buffer));
+ setflag(addr, af_pass_message); /* Allow message to go to user */
+ if (buffer[0] == '5')
+ addr->transport_return = FAIL;
diff -Nru exim4-4.76/debian/patches/series exim4-4.76/debian/patches/series
--- exim4-4.76/debian/patches/series 2011-05-09 17:06:16.000000000 +0000
+++ exim4-4.76/debian/patches/series 2017-01-05 13:52:02.000000000 +0000
@@ -9,3 +9,11 @@
 66_enlarge-dh-parameters-size.dpatch
 67_unnecessaryCopt.diff
 70_remove_exim-users_references.dpatch
+CVE-2012-5671.patch
+71_increase_smtp_cmd_buffer_size.patch
+CVE-2014-2972.patch
+CVE-2016-1531.patch
+CVE-2016-1531-2.patch
+CVE-2016-1531-3.patch
+CVE-2016-1531-4.patch
+CVE-2016-9963.patch
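Review bot: `dkim_private_key_expanded[0] = '\0';` in dkim.c only terminates the string; the remaining key bytes stay in the buffer until something overwrites them, so any later use of that memory by length rather than as a C string can still expose them. Overwriting the whole key is the safer form: `int keylen = Ustrlen(dkim_private_key_expanded);` followed by `memset(dkim_private_key_expanded, 0, keylen);` — the buffer stays live afterwards, so this is not a dead store the compiler can drop. The smtp.c change, which stops the LMTP error path from printing `big_buffer`, suggests the key sits in a shared buffer, though where `dkim_private_key_expanded` points is outside the hunk.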