diffstat for exim4-4.82 exim4-4.82
changelog | 296 +++++++++++++++++
control | 11
debconf/conf.d/main/02_exim4-config_options | 10
exim4-config.NEWS | 15
patches/CVE-2014-2972.patch | 75 ++++
patches/CVE-2016-1531-2.patch | 53 +++
patches/CVE-2016-1531-3.patch | 103 ++++++
patches/CVE-2016-1531-4.patch | 93 +++++
patches/CVE-2016-1531.patch | 475 ++++++++++++++++++++++++++++
patches/CVE-2016-9963.patch | 66 +++
patches/CVE-2017-1000368.patch | 56 +++
patches/CVE-2018-6789.patch | 59 +++
patches/fix_smtp_banner.patch | 60 +++
patches/series | 9
tests/control | 2
15 files changed, 1377 insertions(+), 6 deletions(-)
diff -Nru exim4-4.82/debian/changelog exim4-4.82/debian/changelog
--- exim4-4.82/debian/changelog 2013-11-27 18:51:32.000000000 +0000
+++ exim4-4.82/debian/changelog 2018-02-10 19:19:43.000000000 +0000
@@ -1,3 +1,75 @@ +exim4 (4.82-3ubuntu2.4) trusty-security; urgency=medium + + * SECURITY UPDATE: Buffer overflow in base64d() + - debian/patches/CVE-2018-6789.patch: fix overflow in + src/auths/b64decode.c. + - CVE-2018-6789 + + -- Marc Deslauriers Sat, 10 Feb 2018 14:19:43 -0500 + +exim4 (4.82-3ubuntu2.3) trusty-security; urgency=medium + + * SECURITY UPDATE: memory leak + - debian/patches/CVE-2017-1000368.patch: free -p argument if + allocation was required. + - CVE-2017-1000368 + + -- Steve Beattie Fri, 02 Jun 2017 22:44:35 -0700 + +exim4 (4.82-3ubuntu2.2) trusty-security; urgency=medium + + * SECURITY UPDATE: DKIM information leakage + - debian/patches/CVE-2016-9963.patch: fix information leakage in + src/dkim.c, src/transports/smtp.c. + - CVE-2016-9963 + + -- Marc Deslauriers Thu, 05 Jan 2017 08:31:06 -0500 + +exim4 (4.82-3ubuntu2.1) trusty-security; urgency=medium + + * SECURITY UPDATE: privilege escalation via crafted lookup value + - debian/patches/CVE-2014-2972.patch: only expand integers for integer + math once. + - CVE-2014-2972 + * SECURITY UPDATE: privilege escalation when used with perl_startup + - debian/patches/CVE-2016-1531.patch: add new add_environment and + keep_environment configuration options. + - debian/patches/CVE-2016-1531-2.patch: don't issue env warning if env + is empty. + - debian/patches/CVE-2016-1531-3.patch: store the initial working + directory, expand $initial_cwd. + - debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened + the main config. + - Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the + new options. Set "keep_environment =" by default to avoid a runtime + warning. + - Bump exim4-config Breaks to exim4-daemon-* (<< 4.82-3ubuntu2.1). + - debian/exim4-config.NEWS: Add entry to warn of potential breakage. + - CVE-2016-1531 + * WARNING: This update may break existing installations. 
+ + -- Marc Deslauriers Mon, 14 Mar 2016 12:57:00 -0400 + +exim4 (4.82-3ubuntu2) trusty; urgency=medium + + * debian/tests/control: Add missing python test dependency, as + debian/tests/security calls python. + + -- Martin Pitt Tue, 25 Feb 2014 17:33:13 +0100 + +exim4 (4.82-3ubuntu1) trusty; urgency=low + + * Merge from Debian unstable (LP: #1259620). Remaining changes: + - Show Ubuntu distribution on smtp: + + debian/patches/fix_smtp_banner.patch: updated SMTP banner + with Ubuntu distribution + + debian/control: added lsb-release build dependency + - Don't provide default-mta; in Ubuntu, we want postfix to be the + default. + - Build-depend on db5.3. + + -- Yolanda Robla Tue, 10 Dec 2013 17:07:20 +0000 + exim4 (4.82-3) unstable; urgency=low * Upload to unstable. @@ -78,6 +150,21 @@ -- Andreas Metzler Sun, 29 Sep 2013 14:43:25 +0200 +exim4 (4.80-9ubuntu2) trusty; urgency=low + + * Build-depend on libdb5.3-dev, instead of libdb5.1-dev. + + -- Dmitrijs Ledkovs Mon, 04 Nov 2013 12:14:54 +0000 + +exim4 (4.80-9ubuntu1) trusty; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Don't provide default-mta; in Ubuntu, we want postfix to be the + default. + - Add "Ubuntu" to SMTP banner. + + -- Colin Watson Mon, 28 Oct 2013 11:55:21 -0700 + exim4 (4.80-9) unstable; urgency=low * Upload to unstable. 
@@ -124,6 +211,34 @@ -- Andreas Metzler Sun, 01 Sep 2013 15:58:49 +0200 +exim4 (4.80-7ubuntu4) trusty; urgency=low + + * Rebuild for Perl 5.18. + + -- Colin Watson Wed, 23 Oct 2013 10:24:08 +0100 + +exim4 (4.80-7ubuntu3) saucy; urgency=low + + * debian/patches/fix_smtp_banner.patch: updated SMTP banner + with Ubuntu distribution + * debian/control: added lsb-release build dependency + + -- Yolanda Robla Tue, 18 Jun 2013 19:17:43 +0200 + +exim4 (4.80-7ubuntu2) saucy; urgency=low + + * debian/tests: Add autopkgtest. + + -- Yolanda Mon, 27 May 2013 11:31:35 +0200 + +exim4 (4.80-7ubuntu1) raring; urgency=low + + * Merge from Debian unstable (LP: #1166383). Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Robie Basak Mon, 08 Apr 2013 18:13:15 +0100 + exim4 (4.80-7) unstable; urgency=low * Use exim's ${quote:xxx} operator when invoking spfquery to disallow @@ -143,6 +258,14 @@ -- Andreas Metzler Wed, 21 Nov 2012 19:08:53 +0100 +exim4 (4.80-5.1ubuntu1) raring; urgency=low + + * Merge from Debian. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Oussama Bounaim Sun, 11 Nov 2012 07:11:06 +0100 + exim4 (4.80-5.1) unstable; urgency=high * Non-maintainer upload by the Security Team. 
@@ -170,6 +293,23 @@ -- Andreas Metzler Sat, 23 Jun 2012 18:35:03 +0200 +exim4 (4.80-3ubuntu1.1) quantal-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via dns decode logic + - debian/patches/CVE-2012-5671.patch: adjust max length and validate + against it in src/pdkim/pdkim.h, src/dkim.c. + - CVE-2012-5671 + + -- Marc Deslauriers Thu, 25 Oct 2012 08:22:46 -0400 + +exim4 (4.80-3ubuntu1) quantal; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Clint Byrum Thu, 14 Jun 2012 15:28:08 -0700 + exim4 (4.80-3) unstable; urgency=low * Pull 75_openssl_sni.diff from upstream. - Segfault caused by NULL @@ -317,6 +457,26 @@ -- Andreas Metzler Sat, 24 Sep 2011 18:36:08 +0200 +exim4 (4.76-3ubuntu3) precise; urgency=low + + * Rebuild for libmysqlclient transition + + -- Clint Byrum Wed, 23 Nov 2011 23:29:35 -0800 + +exim4 (4.76-3ubuntu2) precise; urgency=low + + * Rebuild for Perl 5.14. + + -- Colin Watson Wed, 16 Nov 2011 01:22:39 +0000 + +exim4 (4.76-3ubuntu1) precise; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Thu, 20 Oct 2011 11:29:07 -0400 + exim4 (4.76-3) unstable; urgency=low * [exim4-base.cron.daily] Correct invocation of mail(1), options need to be @@ -337,6 +497,14 @@ -- Andreas Metzler Sun, 18 Sep 2011 11:49:13 +0200 +exim4 (4.76-2ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Mon, 30 May 2011 17:48:56 -0400 + exim4 (4.76-2) unstable; urgency=low * debian/rules: Remove test/ and test-stamp on clean. 
@@ -349,6 +517,14 @@ -- Andreas Metzler Sun, 29 May 2011 18:21:03 +0200 +exim4 (4.76-1ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes (LP: #779391): + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Mon, 23 May 2011 12:37:30 -0400 + exim4 (4.76-1) unstable; urgency=low * New upstream version. @@ -395,6 +571,14 @@ -- Andreas Metzler Fri, 06 May 2011 20:08:51 +0200 +exim4 (4.75-2ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + + -- Stéphane Graber Fri, 06 May 2011 14:51:28 -0400 + exim4 (4.75-2) unstable; urgency=low * clamav socket on Debian is clamd:/var/run/clamav/clamd.ctl, fix @@ -437,6 +621,24 @@ -- Andreas Metzler Thu, 24 Feb 2011 19:02:07 +0100 +exim4 (4.74-1ubuntu1) natty; urgency=low + + * Merge from debian experimental. Remaining changes: (LP: #713855) + - debian/patches/71_exiq_grep_error_on_messages_without_size.patch: + + Improve handling of broken messages when "exim4 -bp" (mailq) + reports lines without size info. (Closes: #528625) + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + - debian/{control,rules}: Add and enable hardened build for PIE. + (Closes: #542726) + * Update 71_exiq_grep_error_on_messages_without_size.patch to get way + which upstream has fixed it. Probably it can be dropped with next + upstream release. + * This upload fixes CVE: (LP: #708023) + - CVE-2011-0017 + + -- Artur Rona Wed, 09 Feb 2011 21:31:35 +0100 + exim4 (4.74-1) experimental; urgency=low * 4.74 release, should build on hurd again. 
@@ -462,6 +664,20 @@ -- Andreas Metzler Sun, 23 Jan 2011 14:02:36 +0100 +exim4 (4.73~rc1-1ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #697934) + - debian/patches/71_exiq_grep_error_on_messages_without_size.patch: + + Improve handling of broken messages when "exim4 -bp" (mailq) + reports lines without size info. + - debian/control: Don't declare a Provides: default-mta; in Ubuntu, + we want postfix to be the default. + - debian/{control,rules}: Add and enable hardened build for PIE. + (Closes: #542726) + * Drop B-D on libmysqlclient15-dev, resolved in Debian. + + -- Artur Rona Tue, 28 Dec 2010 22:20:17 +0100 + exim4 (4.73~rc1-1) experimental; urgency=low * New upstream release candidate. @@ -557,6 +773,20 @@ -- Andreas Metzler Sun, 26 Dec 2010 15:13:08 +0100 +exim4 (4.72-2ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #671615) + - debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info. + - Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + - debian/control: Change build dependencies to MySQL 5.1. + - debian/{control,rules}: add and enable hardened build for PIE + (Closes: #542726). + + -- Artur Rona Fri, 05 Nov 2010 21:05:47 +0100 + exim4 (4.72-2) unstable; urgency=low [ Marc Haber ] 
@@ -580,6 +810,20 @@ -- Andreas Metzler Sat, 30 Oct 2010 13:38:26 +0200 +exim4 (4.72-1ubuntu1) maverick; urgency=low + + * Merge with Debian unstable (LP: #609620). Remaining changes: + + debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info. + + Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + + debian/control: Change build dependencies to MySQL 5.1. + + debian/{control,rules}: add and enable hardened build for PIE + (Closes: #542726). + + -- Artur Rona Sun, 25 Jul 2010 02:00:42 +0200 + exim4 (4.72-1) unstable; urgency=low * New upstream release. (Identical to the git snapshot previously @@ -631,6 +875,20 @@ -- Andreas Metzler Thu, 25 Mar 2010 17:34:30 +0100 +exim4 (4.71-3ubuntu1) lucid; urgency=low + + * Merge with Debian unstable (lp: #501657). Remaining changes: + + debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info. + + Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + + debian/control: Change build dependencies to MySQL 5.1. + + debian/{control,rules}: add and enable hardened build for PIE + (Debian bug 542726). + + -- Michael Bienia Fri, 01 Jan 2010 16:28:19 +0100 + exim4 (4.71-3) unstable; urgency=low * exim4-base.cron.daily: Do not run exim_tidydb on Berkeley DB logfiles. 
@@ -745,6 +1003,35 @@ -- Andreas Metzler Sat, 17 Oct 2009 14:26:54 +0200 +exim4 (4.69-11ubuntu4) karmic; urgency=low + + * debian/{control,rules}: add and enable hardened build for PIE + (Debian bug 542726). + + -- Kees Cook Thu, 20 Aug 2009 17:33:26 -0700 + +exim4 (4.69-11ubuntu3) karmic; urgency=low + + * debian/control: Change build dependencies to MySQL 5.1. + + -- Mathias Gug Mon, 17 Aug 2009 17:57:26 -0400 + +exim4 (4.69-11ubuntu2) karmic; urgency=low + + * Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be + the default. + + -- Steve Langasek Wed, 03 Jun 2009 15:39:14 +0000 + +exim4 (4.69-11ubuntu1) karmic; urgency=low + + * Merge from debian unstable (LP: #375923), remaining changes: + - debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports + lines without size info + + -- Thierry Carrez Wed, 13 May 2009 12:15:29 +0200 + exim4 (4.69-11) unstable; urgency=medium * Build-Depend on lynx-cur|lynx instead of lynx. (lynx is just a dummy @@ -802,6 +1089,15 @@ -- Andreas Metzler Sat, 02 May 2009 09:05:56 +0200 +exim4 (4.69-9ubuntu1) jaunty; urgency=low + + [ Daniel van Eeden ] + * debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch: + Improve handling of broken messages when "exim4 -bp" (mailq) reports lines + w/o size info, LP: #18194 + + -- Dustin Kirkland Wed, 11 Feb 2009 06:43:52 -0600 + exim4 (4.69-9) unstable; urgency=medium * [update-exim4.conf]: Use POSIX character classes [:alnum:] or explicit diff -Nru exim4-4.82/debian/control exim4-4.82/debian/control --- exim4-4.82/debian/control 2013-11-27 18:50:43.000000000 +0000 +++ exim4-4.82/debian/control 2016-03-14 16:57:59.000000000 +0000 
@@ -1,7 +1,8 @@ Source: exim4 Section: mail Priority: standard -Maintainer: Exim4 Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Exim4 Maintainers Uploaders: Andreas Metzler ,Marc Haber Homepage: http://www.exim.org/ Standards-Version: 3.9.5 @@ -11,9 +12,9 @@ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-exim4/exim4.git Build-Depends: debhelper (>= 7.0.15), po-debconf, docbook-xsl, xsltproc, lynx-cur | lynx, docbook-xml, libpcre3-dev, libldap2-dev, libpam0g-dev, - libident-dev, libdb5.1-dev, libxmu-dev, libxt-dev, libxext-dev, libx11-dev, + libident-dev, libdb5.3-dev, libxmu-dev, libxt-dev, libxext-dev, libx11-dev, libxaw7-dev, libpq-dev, libmysqlclient-dev | libmysqlclient15-dev, - libsqlite3-dev, libperl-dev, libgnutls-dev, libsasl2-dev + libsqlite3-dev, libperl-dev, libgnutls-dev, libsasl2-dev, lsb-release XS-Testsuite: autopkgtest Package: exim4-base @@ -57,7 +58,7 @@ Package: exim4-config Architecture: all -Breaks: exim4-daemon-light (<<4.82~rc1), exim4-daemon-heavy (<<4.82~rc1) +Breaks: exim4-daemon-light (<< 4.82-3ubuntu2.1), exim4-daemon-heavy (<< 4.82-3ubuntu2.1) Provides: exim4-config-2 Conflicts: exim, exim-tls, exim4-config, exim4-config-2, ${MTA-Conflicts} Depends: ${shlibs:Depends}, ${misc:Depends}, adduser 
@@ -91,7 +92,7 @@ Package: exim4-daemon-light Architecture: any -Provides: mail-transport-agent, exim4-localscanapi-1.0, exim4-localscanapi-1.1, default-mta +Provides: mail-transport-agent, exim4-localscanapi-1.0, exim4-localscanapi-1.1 Conflicts: mail-transport-agent Replaces: mail-transport-agent, exim4-base (<= 4.61-1) Depends: exim4-base (>= ${Upstream-Version}), ${shlibs:Depends}, ${misc:Depends} diff -Nru exim4-4.82/debian/debconf/conf.d/main/02_exim4-config_options exim4-4.82/debian/debconf/conf.d/main/02_exim4-config_options --- exim4-4.82/debian/debconf/conf.d/main/02_exim4-config_options 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/debconf/conf.d/main/02_exim4-config_options 2016-03-14 16:57:24.000000000 +0000 @@ -198,3 +198,13 @@ # SMTP Banner. The example includes the Debian version in the SMTP dialog # MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}" # smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full + +.ifdef MAIN_KEEP_ENVIRONMENT +keep_environment = MAIN_KEEP_ENVIRONMENT +.else +# set option to empty value to avoid warning. +keep_environment = +.endif +.ifdef MAIN_ADD_ENVIRONMENT +add_environment = MAIN_ADD_ENVIRONMENT +.endif diff -Nru exim4-4.82/debian/exim4-config.NEWS exim4-4.82/debian/exim4-config.NEWS --- exim4-4.82/debian/exim4-config.NEWS 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/exim4-config.NEWS 2016-03-14 16:58:25.000000000 +0000 
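Review bot: The comment on the `.else` branch of 02_exim4-config_options, `# set option to empty value to avoid warning.`, leaves out that an empty `keep_environment` also means no inherited variable is kept, which is the behaviour the NEWS entry in this upload says may break installations. I would reword it to something like `# Empty list: keep no inherited environment variables (this also silences the startup warning).` A line above `MAIN_KEEP_ENVIRONMENT` should say that it ought to list only the variables local transports and pipes really need, since the NEWS text states the cleaned environment is what subprocesses receive. `MAIN_ADD_ENVIRONMENT` has no comment at all; one line stating that it supplies values chosen by the administrator rather than by the caller would help.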
@@ -1,3 +1,18 @@ +exim4 (4.82-3ubuntu2.1) trusty-security; urgency=medium + + The security fix for CVE-2016-1531 now cleans the complete environment + on startup including any subprocesses such as transports that call + other programs. + + This change may break existing installations. + + Two new configuration options were introduced to change the new default + behaviour, keep_environment and add_environment. The debian + configuration adds the macros MAIN_KEEP_ENVIRONMENT and + MAIN_ADD_ENVIRONMENT to easily set the options. + + -- Marc Deslauriers Mon, 14 Mar 2016 11:26:13 -0400 + exim4 (4.68-1) unstable; urgency=low In order to fix #420217, the handling of incoming messages to diff -Nru exim4-4.82/debian/patches/CVE-2014-2972.patch exim4-4.82/debian/patches/CVE-2014-2972.patch --- exim4-4.82/debian/patches/CVE-2014-2972.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/CVE-2014-2972.patch 2016-03-14 16:46:28.000000000 +0000 
@@ -0,0 +1,75 @@ +Backport of: + +From 7685ce68148a083d7759e78d01aa5198fc099c44 Mon Sep 17 00:00:00 2001 +From: Tony Finch +Date: Wed, 16 Jul 2014 06:13:39 -0700 +Subject: [PATCH] Only expand integers for integer math once + +--- + src/src/expand.c | 31 ++++++++++++++++++++++++++++--- + 1 file changed, 28 insertions(+), 3 deletions(-) + +Index: exim4-4.82/src/expand.c +=================================================================== +--- exim4-4.82.orig/src/expand.c 2016-03-14 12:46:04.239712357 -0400 ++++ exim4-4.82/src/expand.c 2016-03-14 12:46:20.555906816 -0400 +@@ -14,6 +14,7 @@ + /* Recursively called function */ + + static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL); ++static int_eximarith_t expanded_string_integer(uschar *, BOOL); + + #ifdef STAND_ALONE + #ifndef SUPPORT_CRYPTEQ +@@ -2325,7 +2326,7 @@ + } + else + { +- num[i] = expand_string_integer(sub[i], FALSE); ++ num[i] = expanded_string_integer(sub[i], FALSE); + if (expand_string_message != NULL) return NULL; + } + } +@@ -6305,7 +6306,7 @@ + int_eximarith_t max; + uschar *s; + +- max = expand_string_integer(sub, TRUE); ++ max = expanded_string_integer(sub, TRUE); + if (expand_string_message != NULL) + goto EXPAND_FAILED; + s = string_sprintf("%d", vaguely_random_number((int)max)); +@@ -6502,8 +6503,32 @@ + int_eximarith_t + expand_string_integer(uschar *string, BOOL isplus) + { ++return expanded_string_integer(expand_string(string), isplus); ++} ++ ++ ++/************************************************* ++ * Interpret string as an integer * ++ *************************************************/ ++ ++/* Convert a string (that has already been expanded) into an integer. ++ ++This function is used inside the expansion code. 
++ ++Arguments: ++ s the string to be expanded ++ isplus TRUE if a non-negative number is expected ++ ++Returns: the integer value, or ++ -1 if string is NULL (which implies an expansion error) ++ -2 for an integer interpretation error ++ expand_string_message is set NULL for an OK integer ++*/ ++ ++static int_eximarith_t ++expanded_string_integer(uschar *s, BOOL isplus) ++{ + int_eximarith_t value; +-uschar *s = expand_string(string); + uschar *msg = US"invalid integer \"%s\""; + uschar *endptr; + diff -Nru exim4-4.82/debian/patches/CVE-2016-1531-2.patch exim4-4.82/debian/patches/CVE-2016-1531-2.patch --- exim4-4.82/debian/patches/CVE-2016-1531-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/CVE-2016-1531-2.patch 2016-03-14 16:54:52.000000000 +0000 
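Review bot: The header comment added for `expanded_string_integer()` still describes `s` as `the string to be expanded`, which contradicts the purpose of the split: the helper must only interpret text that has already been expanded, and `expand_string_integer()` is now the only caller of `expand_string()`. I would change the argument line to `s   the already-expanded string to interpret (never expanded again here)`. The two call sites that switch to the helper (`num[i] = ...` and `max = ...`) deserve a short comment saying that `sub[i]` / `sub` was expanded earlier, presumably in code outside the hunk, so a second expansion would re-interpret data that can come from lookups. The comment also promises `-1` for a NULL string; the NULL test lies below the end of the visible hunk, so confirm it still precedes the first use of `s` now that `s` is a parameter.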
@@ -0,0 +1,53 @@ +Backport of: + +From ce0cc17e69f8018341c65618aa87cdff3f329074 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" +Date: Fri, 11 Mar 2016 23:44:53 +0100 +Subject: [PATCH] Don't issue env warning if env is empty + +keep_environment needs to be mentioned in the runtime config. +Setting add_environment isn't enough to suppress the warning. + +(cherry picked from commit 8e58ed807c77febfde61d3cf47928302f93cc99c) +--- + doc/doc-docbook/spec.xfpt | 7 ++++--- + src/src/readconf.c | 6 +++--- + test/confs/0615 | 1 + + test/stderr/0615 | 20 ++++++++------------ + 4 files changed, 16 insertions(+), 18 deletions(-) + +Index: exim4-4.82/doc/spec.txt +=================================================================== +--- exim4-4.82.orig/doc/spec.txt 2016-03-14 12:54:49.637976215 -0400 ++++ exim4-4.82/doc/spec.txt 2016-03-14 12:54:49.633976167 -0400 +@@ -13307,8 +13307,10 @@ + You may work around this using a regular expression that does not match the + macro name: ^[F]OO_HOME$. + +-Current versions of Exim issue a warning during startupif you do not mention +-keep_environment or add_environment in your runtime configuration file. ++Current versions of Exim issue a warning during startup if you do not mention ++keep_environment in your runtime configuration file and if there is ++anything in your environment. Future versions may not issue that warning ++anymore. 
+ + +--------------+---------+----------+-----------+ + |keep_malformed|Use: main|Type: time|Default: 4d| +Index: exim4-4.82/src/readconf.c +=================================================================== +--- exim4-4.82.orig/src/readconf.c 2016-03-14 12:54:49.637976215 -0400 ++++ exim4-4.82/src/readconf.c 2016-03-14 12:54:49.633976167 -0400 +@@ -3397,10 +3397,10 @@ + } + #endif + +-if ((!add_environment || *add_environment == '\0') && !keep_environment) ++if (!keep_environment && environ && *environ) + log_write(0, LOG_MAIN, +- "WARNING: purging the environment.\n" +- " Suggested action: use keep_environment and add_environment.\n"); ++ "Warning: purging the environment.\n" ++ " Suggested action: use keep_environment."); + } + + diff -Nru exim4-4.82/debian/patches/CVE-2016-1531-3.patch exim4-4.82/debian/patches/CVE-2016-1531-3.patch --- exim4-4.82/debian/patches/CVE-2016-1531-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/CVE-2016-1531-3.patch 2016-03-14 16:55:30.000000000 +0000 
@@ -0,0 +1,103 @@ +Backport of: + +From f1ff8cb17d215a94986d0bc9e8bd4bec73333838 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" +Date: Wed, 9 Mar 2016 11:13:42 +0100 +Subject: [PATCH] Store the initial working directory, expand $initial_cwd. Bug + 1805 + +(cherry picked from commit 3615fa9a06356891367c66ed284cef9db5cefca3) +--- + doc/doc-docbook/spec.xfpt | 6 ++++++ + doc/doc-txt/NewStuff | 2 ++ + src/src/exim.c | 12 ++++++++++-- + src/src/expand.c | 1 + + src/src/globals.c | 1 + + src/src/globals.h | 1 + + 6 files changed, 21 insertions(+), 2 deletions(-) + +Index: exim4-4.82/doc/spec.txt +=================================================================== +--- exim4-4.82.orig/doc/spec.txt 2016-03-14 12:55:03.890146186 -0400 ++++ exim4-4.82/doc/spec.txt 2016-03-14 12:55:03.878146042 -0400 +@@ -10282,6 +10282,13 @@ + + See $host_lookup_deferred. + ++$initial_cwd ++ ++ This variable contains the full path name of the initial working ++ directory of the current Exim process. This may differ from the current ++ working directory, as Exim changes this to "/" during early startup, and ++ to $spool_directory later. 
++ + $inode + + The only time this variable is set is while expanding the directory_file +Index: exim4-4.82/src/exim.c +=================================================================== +--- exim4-4.82.orig/src/exim.c 2016-03-14 12:55:03.890146186 -0400 ++++ exim4-4.82/src/exim.c 2016-03-14 12:55:03.882146089 -0400 +@@ -3655,6 +3655,13 @@ + exit(EXIT_FAILURE); + } + ++/* Store the initial cwd before we change directories */ ++if ((initial_cwd = getcwd(NULL, 0)) == NULL) ++ { ++ perror("exim: can't get the current working directory"); ++ exit(EXIT_FAILURE); ++ } ++ + readconf_main(); + + if (cleanup_environment() == FALSE) +@@ -3931,9 +3938,10 @@ + { + int i; + uschar *p = big_buffer; +- char * dummy; + Ustrcpy(p, "cwd= (failed)"); +- dummy = /* quieten compiler */ getcwd(CS p+4, big_buffer_size - 4); ++ ++ Ustrncpy(p + 4, initial_cwd, big_buffer_size-5); ++ + while (*p) p++; + (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc); + while (*p) p++; +Index: exim4-4.82/src/expand.c +=================================================================== +--- exim4-4.82.orig/src/expand.c 2016-03-14 12:55:03.890146186 -0400 ++++ exim4-4.82/src/expand.c 2016-03-14 12:55:23.502380085 -0400 +@@ -488,6 +488,7 @@ + { "host_data", vtype_stringptr, &host_data }, + { "host_lookup_deferred",vtype_int, &host_lookup_deferred }, + { "host_lookup_failed", vtype_int, &host_lookup_failed }, ++ { "initial_cwd", vtype_stringptr, &initial_cwd }, + { "inode", vtype_ino, &deliver_inode }, + { "interface_address", vtype_stringptr, &interface_address }, + { "interface_port", vtype_int, &interface_port }, +Index: exim4-4.82/src/globals.c +=================================================================== +--- exim4-4.82.orig/src/globals.c 2016-03-14 12:55:03.890146186 -0400 ++++ exim4-4.82/src/globals.c 2016-03-14 12:55:03.886146138 -0400 +@@ -736,6 +736,7 @@ + uschar *ignore_fromline_hosts = NULL; + BOOL inetd_wait_mode = FALSE; + int inetd_wait_timeout = -1; ++uschar 
*initial_cwd = NULL; + uschar *interface_address = NULL; + int interface_port = -1; + BOOL is_inetd = FALSE; +Index: exim4-4.82/src/globals.h +=================================================================== +--- exim4-4.82.orig/src/globals.h 2016-03-14 12:55:03.890146186 -0400 ++++ exim4-4.82/src/globals.h 2016-03-14 12:55:03.886146138 -0400 +@@ -469,6 +469,7 @@ + extern uschar *ignore_fromline_hosts; /* Hosts permitted to send "From " */ + extern BOOL inetd_wait_mode; /* Whether running in inetd wait mode */ + extern int inetd_wait_timeout; /* Timeout for inetd wait mode */ ++extern uschar *initial_cwd; /* The directory we where in at startup */ + extern BOOL is_inetd; /* True for inetd calls */ + extern uschar *iterate_item; /* Item from iterate list */ + diff -Nru exim4-4.82/debian/patches/CVE-2016-1531-4.patch exim4-4.82/debian/patches/CVE-2016-1531-4.patch --- exim4-4.82/debian/patches/CVE-2016-1531-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/CVE-2016-1531-4.patch 2016-03-14 16:55:44.000000000 +0000 
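Review bot: In src/exim.c a failing `getcwd(NULL, 0)` now ends the process with `exit(EXIT_FAILURE)`, whereas the debug code it replaces only printed `cwd= (failed)`; an Exim started from a directory that has been removed or is not searchable by the caller would presumably now refuse to run at all. If that is intended the comment should say so; otherwise leave `initial_cwd` NULL and handle NULL where it is read. Separately, `Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);` writes no terminator when the path is at least `big_buffer_size-5` bytes long, and the following `while (*p) p++;` needs one. Assuming `big_buffer` holds `big_buffer_size` bytes, `big_buffer[big_buffer_size-1] = 0;` after the copy would close that. The spec.txt entry for `$initial_cwd` could also note that the value is chosen by whoever starts Exim and should be treated as caller-supplied text.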
@@ -0,0 +1,93 @@ +Backport of: + +From 3de973a29de6852d61ba9bf1845835d08ca5a5ab Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" +Date: Wed, 2 Mar 2016 22:07:45 +0100 +Subject: [PATCH] Delay chdir(/) until we opened the main config + +--- + doc/doc-docbook/spec.xfpt | 2 -- + src/src/exim.c | 13 ++++++------- + src/src/readconf.c | 17 +++++++++-------- + 3 files changed, 15 insertions(+), 17 deletions(-) + +Index: exim4-4.82/doc/spec.txt +=================================================================== +--- exim4-4.82.orig/doc/spec.txt 2016-03-14 12:55:41.574595622 -0400 ++++ exim4-4.82/doc/spec.txt 2016-03-14 12:55:41.566595527 -0400 +@@ -3362,8 +3362,6 @@ + first file that exists is used. Failure to open an existing file stops Exim + from proceeding any further along the list, and an error is generated. + +- The file names need to be absolute names. +- + When this option is used by a caller other than root, and the list is + different from the compiled-in list, Exim gives up its root privilege + immediately, and runs with the real and effective uid and gid set to those +Index: exim4-4.82/src/exim.c +=================================================================== +--- exim4-4.82.orig/src/exim.c 2016-03-14 12:55:41.574595622 -0400 ++++ exim4-4.82/src/exim.c 2016-03-14 12:55:41.566595527 -0400 +@@ -3646,14 +3646,11 @@ + + /* Read the main runtime configuration data; this gives up if there + is a failure. It leaves the configuration file open so that the subsequent +-configuration data for delivery can be read if needed. */ ++configuration data for delivery can be read if needed. + +-/* To be safe: change the working directory to /. */ +-if (Uchdir("/") < 0) +- { +- perror("exim: chdir `/': "); +- exit(EXIT_FAILURE); +- } ++NOTE: immediatly after opening the configuration file we change the working ++directory to "/"! Later we change to $spool_directory. We do it there, because ++during readconf_main() some expansion takes place already. 
*/ + + /* Store the initial cwd before we change directories */ + if ((initial_cwd = getcwd(NULL, 0)) == NULL) +@@ -3664,6 +3661,8 @@ + + readconf_main(); + ++/* Now in directory "/" */ ++ + if (cleanup_environment() == FALSE) + log_write(0, LOG_PANIC_DIE, "Can't cleanup environment"); + +Index: exim4-4.82/src/readconf.c +=================================================================== +--- exim4-4.82.orig/src/readconf.c 2016-03-14 12:55:41.574595622 -0400 ++++ exim4-4.82/src/readconf.c 2016-03-14 12:55:41.570595575 -0400 +@@ -2953,14 +2953,6 @@ + != NULL) + { + +- /* To avoid confusion: Exim changes to / at the very beginning and +- * and to $spool_directory later. */ +- if (filename[0] != '/') +- { +- fprintf(stderr, "-C %s: only absolute names are allowed\n", filename); +- exit(EXIT_FAILURE); +- } +- + /* Cut out all the fancy processing unless specifically wanted */ + + #if defined(CONFIGURE_FILE_USE_NODE) || defined(CONFIGURE_FILE_USE_EUID) +@@ -3014,6 +3006,15 @@ + if (config_file != NULL || errno != ENOENT) break; + } + ++/* Now, once we found and opened our configuration file, we change the directory ++to a safe place. Later we change to $spool_directory. */ ++ ++if (Uchdir("/") < 0) ++ { ++ perror("exim: chdir `/': "); ++ exit(EXIT_FAILURE); ++ } ++ + /* On success, save the name for verification; config_filename is used when + logging configuration errors (it changes for .included files) whereas + config_main_filename is the name shown by -bP. Failure to open a configuration diff -Nru exim4-4.82/debian/patches/CVE-2016-1531.patch exim4-4.82/debian/patches/CVE-2016-1531.patch --- exim4-4.82/debian/patches/CVE-2016-1531.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/CVE-2016-1531.patch 2016-03-14 17:22:49.000000000 +0000 
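Review bot: With the `filename[0] != '/'` check removed from src/readconf.c and `Uchdir("/")` moved to after the open, a relative `-C` name is resolved against the caller's working directory, and no comment at the open loop records that. I would add `/* Relative names are opened relative to the caller's cwd; we have not changed directory yet. */` there. The loop and the privilege handling for `-C` start outside the hunk, so confirm that the rule quoted in spec.txt (a non-root caller with a list different from the compiled-in one loses root privilege) does not assume absolute names. The documentation is left inconsistent as well: this patch drops `The file names need to be absolute names.` from doc/spec.txt only, while CVE-2016-1531.patch in the same upload adds that sentence to doc/exim.8 too, so the man page would still state the old rule. The new comment in src/exim.c misspells `immediatly`.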
@@ -0,0 +1,475 @@ +Description: fix privilege escalation via perl_startup +Origin: backport, http://git.exim.org/exim.git/commitdiff/43ba2742c700d625dcdcdaf7bbadc2f72776854a +Origin: backport, http://git.exim.org/exim.git/commitdiff/dd90c19962a63fe966e17c75b4a36639302d1e67 +Origin: backport, http://git.exim.org/exim.git/commitdiff/fec27df097c8d16b4decfc62bc83bf873e58f310 +Origin: backport, http://git.exim.org/exim.git/commit/f2cb6292ba93101c1e8eff8933df6157cfe05fd8 + +Index: exim4-4.82/OS/Makefile-Base +=================================================================== +--- exim4-4.82.orig/OS/Makefile-Base 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/OS/Makefile-Base 2016-03-14 13:04:31.356915740 -0400 +@@ -313,6 +313,7 @@ + rda.o readconf.o receive.o retry.o rewrite.o rfc2047.o \ + route.o search.o sieve.o smtp_in.o smtp_out.o spool_in.o spool_out.o \ + std-crypto.o store.o string.o tls.o tod.o transport.o tree.o verify.o \ ++ environment.o \ + $(OBJ_LOOKUPS) \ + local_scan.o $(EXIM_PERL) $(OBJ_WITH_CONTENT_SCAN) \ + $(OBJ_WITH_OLD_DEMIME) $(OBJ_EXPERIMENTAL) +@@ -549,6 +550,7 @@ + enq.o: $(HDRS) enq.c + exim.o: $(HDRS) exim.c + expand.o: $(HDRS) expand.c ++environment.o: $(HDRS) environment.c + filter.o: $(HDRS) filter.c + filtertest.o: $(HDRS) filtertest.c + globals.o: $(HDRS) globals.c +Index: exim4-4.82/doc/exim.8 +=================================================================== +--- exim4-4.82.orig/doc/exim.8 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/doc/exim.8 2016-03-14 13:04:31.356915740 -0400 +@@ -452,6 +452,10 @@ + settings can be obtained by using \fBrouters\fP, \fBtransports\fP, or + \fBauthenticators\fP. + .sp ++If \fBenvironment\fP is given as an argument, the set of environment ++variables is output, line by line. Using the \fB\-n\fP flag supresses the value of the ++variables. ++.sp + If invoked by an admin user, then \fBmacro\fP, \fBmacro_list\fP and \fBmacros\fP + are available, similarly to the drivers. 
Because macros are sometimes used + for storing passwords, this option is restricted. +@@ -723,6 +727,8 @@ + file that exists is used. Failure to open an existing file stops Exim from + proceeding any further along the list, and an error is generated. + .sp ++The file names need to be absolute names. ++.sp + When this option is used by a caller other than root, and the list is different + from the compiled\-in list, Exim gives up its root privilege immediately, and + runs with the real and effective uid and gid set to those of the caller. +Index: exim4-4.82/doc/spec.txt +=================================================================== +--- exim4-4.82.orig/doc/spec.txt 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/doc/spec.txt 2016-03-14 13:04:31.360915788 -0400 +@@ -3070,6 +3070,10 @@ + authenticator_list, and a complete list of all drivers with their option + settings can be obtained by using routers, transports, or authenticators. + ++ If environment is given as an argument, the set of environment variables is ++ output, line by line. Using the -n flag supresses the value of the ++ variables. ++ + If invoked by an admin user, then macro, macro_list and macros are + available, similarly to the drivers. Because macros are sometimes used for + storing passwords, this option is restricted. The output format is one item +@@ -3358,6 +3362,8 @@ + first file that exists is used. Failure to open an existing file stops Exim + from proceeding any further along the list, and an error is generated. + ++ The file names need to be absolute names. ++ + When this option is used by a caller other than root, and the list is + different from the compiled-in list, Exim gives up its root privilege + immediately, and runs with the real and effective uid and gid set to those +@@ -12247,6 +12253,14 @@ + This option defines the ACL that is run when an SMTP VRFY command is received. + See chapter 42 for further details. 
+ +++---------------+---------+-----------------+--------------+ ++|add_environment|Use: main|Type: string list|Default: empty| +++---------------+---------+-----------------+--------------+ ++ ++This option allows to set individual environment variables that the currently ++linked libraries and programs in child processes use. The default list is ++empty, ++ + +------------+---------+------------------+--------------+ + |admin_groups|Use: main|Type: string list*|Default: unset| + +------------+---------+------------------+--------------+ +@@ -13273,6 +13287,29 @@ + + See ignore_fromline_hosts above. + +++----------------+---------+-----------------+--------------+ ++|keep_environment|Use: main|Type: string list|Default: unset| +++----------------+---------+-----------------+--------------+ ++ ++This option contains a string list of environment variables to keep. You have ++to trust these variables or you have to be sure that these variables do not ++impose any security risk. Keep in mind that during the startup phase Exim is ++running with an effective UID 0 in most installations. As the default value is ++an empty list, the default environment for using libraries, running embedded ++Perl code, or running external binaries is empty, and does not not even contain ++PATH or HOME. ++ ++Actually the list is interpreted as a list of patterns (10.1), except that it ++is not expanded first. ++ ++WARNING: Macro substitution is still done first, so having a macro FOO and ++having FOO_HOME in your keep_environment option may have unexpected results. ++You may work around this using a regular expression that does not match the ++macro name: ^[F]OO_HOME$. ++ ++Current versions of Exim issue a warning during startupif you do not mention ++keep_environment or add_environment in your runtime configuration file. 
++ + +--------------+---------+----------+-----------+ + |keep_malformed|Use: main|Type: time|Default: 4d| + +--------------+---------+----------+-----------+ +@@ -14287,6 +14324,14 @@ + sender_unqualified_hosts, or if the message was submitted locally (not using + TCP/IP), and the -bnq option was not set. + +++---------------+---------+-----------------+--------------+ ++|set_environment|Use: main|Type: string list|Default: empty| +++---------------+---------+-----------------+--------------+ ++ ++This option allows to set individual environment variables that the currently ++linked libraries and programs in child processes use. The default list is ++empty, ++ + +---------------------+---------+-------------+-------------+ + |smtp_accept_keepalive|Use: main|Type: boolean|Default: true| + +---------------------+---------+-------------+-------------+ +Index: exim4-4.82/scripts/MakeLinks +=================================================================== +--- exim4-4.82.orig/scripts/MakeLinks 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/scripts/MakeLinks 2016-03-14 13:04:31.364915836 -0400 +@@ -198,6 +198,7 @@ + ln -s ../src/drtables.c drtables.c + ln -s ../src/dummies.c dummies.c + ln -s ../src/enq.c enq.c ++ln -s ../src/environment.c environment.c + ln -s ../src/exim.c exim.c + ln -s ../src/exim_dbmbuild.c exim_dbmbuild.c + ln -s ../src/exim_dbutil.c exim_dbutil.c +Index: exim4-4.82/src/environment.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ exim4-4.82/src/environment.c 2016-03-14 13:04:31.364915836 -0400 +@@ -0,0 +1,71 @@ ++/************************************************* ++* Exim - an Internet mail transport agent * ++*************************************************/ ++ ++/* Copyright (c) Heiko Schlittermann 2016 ++ * hs@schlittermann.de ++ * See the file NOTICE for conditions of use and distribution. 
++ */ ++ ++#include "exim.h" ++ ++extern char **environ; ++ ++/* The cleanup_environment() function is used during the startup phase ++of the Exim process, right after reading the configurations main ++part, before any expansions take place. It retains the environment ++variables we trust (via the keep_environment option) and allows to ++set additional variables (via add_environment). ++ ++Returns: TRUE if successful ++ FALSE otherwise ++*/ ++ ++BOOL ++cleanup_environment() ++{ ++if (!keep_environment || *keep_environment == '\0') ++ { ++ /* 
From: https://github.com/dovecot/core/blob/master/src/lib/env-util.c#L55 ++ Try to clear the environment. ++ a) environ = NULL crashes on OS X. ++ b) *environ = NULL doesn't work on FreeBSD 7.0. ++ c) environ = emptyenv doesn't work on Haiku OS ++ d) environ = calloc() should work everywhere */ ++ ++ if (environ) *environ = NULL; ++ ++ } ++else if (Ustrcmp(keep_environment, "*") != 0) ++ { ++ uschar **p; ++ if (environ) for (p = USS environ; *p; /* see below */) ++ { ++ /* It's considered broken if we do not find the '=', according to ++ Florian Weimer. For now we ignore such strings. unsetenv() would complain, ++ getenv() would complain. */ ++ uschar *eqp = Ustrchr(*p, '='); ++ ++ if (eqp) ++ { ++ uschar *name = string_copyn(*p, eqp - *p); ++ if (OK != match_isinlist(name, USS &keep_environment, ++ 0, NULL, NULL, MCL_NOEXPAND, FALSE, NULL)) ++ if (unsetenv(CS name) < 0) return FALSE; ++ else p = USS environ; /* RESTART from the beginning */ ++ else p++; ++ store_reset(name); ++ } ++ } ++ } ++if (add_environment) ++ { ++ uschar *p; ++ int sep = 0; ++ uschar* envlist = add_environment; ++ while ((p = string_nextinlist(&envlist, &sep, NULL, 0))) ++ putenv(CS p); ++ } ++ ++ return TRUE; ++} +Index: exim4-4.82/src/exim.c +=================================================================== +--- exim4-4.82.orig/src/exim.c 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/src/exim.c 2016-03-14 13:04:31.364915836 -0400 +@@ -3648,8 +3648,19 @@ + is a failure. It leaves the configuration file open so that the subsequent + configuration data for delivery can be read if needed. */ + ++/* To be safe: change the working directory to /. 
*/ ++if (Uchdir("/") < 0) ++ { ++ perror("exim: chdir `/': "); ++ exit(EXIT_FAILURE); ++ } ++ + readconf_main(); + ++if (cleanup_environment() == FALSE) ++ log_write(0, LOG_PANIC_DIE, "Can't cleanup environment"); ++ ++ + /* If an action on specific messages is requested, or if a daemon or queue + runner is being started, we need to know if Exim was called by an admin user. + This is the case if the real user is root or exim, or if the real group is +@@ -3795,7 +3806,7 @@ + #ifdef TMPDIR + { + uschar **p; +- for (p = USS environ; *p != NULL; p++) ++ if (environ) for (p = USS environ; *p != NULL; p++) + { + if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && + Ustrcmp(*p+7, TMPDIR) != 0) +@@ -3835,10 +3846,10 @@ + uschar **new; + uschar **newp; + int count = 0; +- while (*p++ != NULL) count++; ++ if (environ) while (*p++ != NULL) count++; + if (envtz == NULL) count++; + newp = new = malloc(sizeof(uschar *) * (count + 1)); +- for (p = USS environ; *p != NULL; p++) ++ if (environ) for (p = USS environ; *p != NULL; p++) + { + if (Ustrncmp(*p, "TZ=", 3) == 0) continue; + *newp++ = *p; +@@ -4428,7 +4439,8 @@ + (Ustrcmp(argv[i], "router") == 0 || + Ustrcmp(argv[i], "transport") == 0 || + Ustrcmp(argv[i], "authenticator") == 0 || +- Ustrcmp(argv[i], "macro") == 0)) ++ Ustrcmp(argv[i], "macro") == 0 || ++ Ustrcmp(argv[i], "environment") == 0)) + { + readconf_print(argv[i+1], argv[i], flag_n); + i++; +Index: exim4-4.82/src/functions.h +=================================================================== +--- exim4-4.82.orig/src/functions.h 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/src/functions.h 2016-03-14 13:04:31.364915836 -0400 +@@ -76,6 +76,7 @@ + extern uschar **child_exec_exim(int, BOOL, int *, BOOL, int, ...); + extern pid_t child_open_uid(uschar **, uschar **, int, uid_t *, gid_t *, + int *, int *, uschar *, BOOL); ++extern BOOL cleanup_environment(void); + extern uschar *cutthrough_finaldot(void); + extern BOOL cutthrough_flush_send(void); + extern BOOL 
cutthrough_headers_send(void); +@@ -350,6 +351,7 @@ + extern uschar *string_append(uschar *, int *, int *, int, ...); + extern uschar *string_base62(unsigned long int); + extern uschar *string_cat(uschar *, int *, int *, const uschar *, int); ++extern int string_compare_by_pointer(const void *, const void *); + extern uschar *string_copy_dnsdomain(uschar *); + extern uschar *string_copy_malloc(uschar *); + extern uschar *string_copylc(uschar *); +Index: exim4-4.82/src/globals.c +=================================================================== +--- exim4-4.82.orig/src/globals.c 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/src/globals.c 2016-03-14 13:04:31.364915836 -0400 +@@ -299,6 +299,7 @@ + BOOL active_local_sender_retain = FALSE; + int body_8bitmime = 0; + BOOL accept_8bitmime = TRUE; /* deliberately not RFC compliant */ ++uschar *add_environment = NULL; + address_item *addr_duplicate = NULL; + + address_item address_defaults = { +@@ -742,6 +743,8 @@ + + int journal_fd = -1; + ++uschar *keep_environment = NULL; ++ + int keep_malformed = 4*24*60*60; /* 4 days */ + + uschar *eldap_dn = NULL; +Index: exim4-4.82/src/globals.h +=================================================================== +--- exim4-4.82.orig/src/globals.h 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/src/globals.h 2016-03-14 13:04:31.364915836 -0400 +@@ -140,6 +140,7 @@ + /* General global variables */ + + extern BOOL accept_8bitmime; /* Allow *BITMIME incoming */ ++extern uschar *add_environment; /* List of environment variables to add */ + extern int body_8bitmime; /* sender declared BODY= ; 7=7BIT, 8=8BITMIME */ + extern header_line *acl_added_headers; /* Headers added by an ACL */ + extern tree_node *acl_anchor; /* Tree of named ACLs */ +@@ -473,6 +474,7 @@ + + extern int journal_fd; /* Fd for journal file */ + ++extern uschar *keep_environment; /* Whitelist for environment variables */ + extern int keep_malformed; /* Time to keep malformed messages */ + + extern uschar 
*eldap_dn; /* Where LDAP DNs are left */ +Index: exim4-4.82/src/readconf.c +=================================================================== +--- exim4-4.82.orig/src/readconf.c 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/src/readconf.c 2016-03-14 13:04:31.364915836 -0400 +@@ -11,6 +11,8 @@ + + #include "exim.h" + ++extern char **environ; ++ + #define CSTATE_STACK_SIZE 10 + + +@@ -162,6 +164,7 @@ + { "acl_smtp_starttls", opt_stringptr, &acl_smtp_starttls }, + #endif + { "acl_smtp_vrfy", opt_stringptr, &acl_smtp_vrfy }, ++ { "add_environment", opt_stringptr, &add_environment }, + { "admin_groups", opt_gidlist, &admin_groups }, + { "allow_domain_literals", opt_bool, &allow_domain_literals }, + { "allow_mx_to_ip", opt_bool, &allow_mx_to_ip }, +@@ -270,6 +273,7 @@ + { "ignore_bounce_errors_after", opt_time, &ignore_bounce_errors_after }, + { "ignore_fromline_hosts", opt_stringptr, &ignore_fromline_hosts }, + { "ignore_fromline_local", opt_bool, &ignore_fromline_local }, ++ { "keep_environment", opt_stringptr, &keep_environment }, + { "keep_malformed", opt_time, &keep_malformed }, + #ifdef LOOKUP_LDAP + { "ldap_ca_cert_dir", opt_stringptr, &eldap_ca_cert_dir }, +@@ -2476,6 +2480,7 @@ + macro_list print a list of macro names + +name print a named list item + local_scan print the local_scan options ++ environment print the used execution environment + + If the second argument is not NULL, it must be one of "router", "transport", + "authenticator" or "macro" in which case the first argument identifies the +@@ -2617,6 +2622,23 @@ + names_only = TRUE; + } + ++ else if (Ustrcmp(name, "environment") == 0) ++ { ++ if (environ) ++ { ++ uschar **p; ++ for (p = USS environ; *p; p++) ; ++ qsort(environ, p - USS environ, sizeof(*p), string_compare_by_pointer); ++ ++ for (p = USS environ; *p; p++) ++ { ++ if (no_labels) *(Ustrchr(*p, '=')) = '\0'; ++ puts(CS *p); ++ } ++ } ++ return; ++ } ++ + else + { + print_ol(find_option(name, optionlist_config, optionlist_config_size), 
+@@ -2930,6 +2952,15 @@ + while((filename = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)) + != NULL) + { ++ ++ /* To avoid confusion: Exim changes to / at the very beginning and ++ * and to $spool_directory later. */ ++ if (filename[0] != '/') ++ { ++ fprintf(stderr, "-C %s: only absolute names are allowed\n", filename); ++ exit(EXIT_FAILURE); ++ } ++ + /* Cut out all the fancy processing unless specifically wanted */ + + #if defined(CONFIGURE_FILE_USE_NODE) || defined(CONFIGURE_FILE_USE_EUID) +@@ -3365,6 +3396,11 @@ + # endif + } + #endif ++ ++if ((!add_environment || *add_environment == '\0') && !keep_environment) ++ log_write(0, LOG_MAIN, ++ "WARNING: purging the environment.\n" ++ " Suggested action: use keep_environment and add_environment.\n"); + } + + +Index: exim4-4.82/src/string.c +=================================================================== +--- exim4-4.82.orig/src/string.c 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/src/string.c 2016-03-14 13:04:31.368915884 -0400 +@@ -1589,6 +1589,17 @@ + #endif /* COMPILE_UTILITY */ + + ++#ifndef COMPILE_UTILITY ++/* qsort(3), currently used to sort the environment variables ++for -bP environment output, needs a function to compare two pointers to string ++pointers. Here it is. 
*/ ++ ++int ++string_compare_by_pointer(const void *a, const void *b) ++{ ++return Ustrcmp(* CUSS a, * CUSS b); ++} ++#endif /* COMPILE_UTILITY */ + + + +Index: exim4-4.82/src/tls-openssl.c +=================================================================== +--- exim4-4.82.orig/src/tls-openssl.c 2016-03-14 13:04:31.368915884 -0400 ++++ exim4-4.82/src/tls-openssl.c 2016-03-14 13:04:31.368915884 -0400 +@@ -574,7 +574,7 @@ + { + extern char ** environ; + uschar ** p; +- for (p = USS environ; *p != NULL; p++) ++ if (environ) for (p = USS environ; *p != NULL; p++) + if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) + { + DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); +Index: exim4-4.82/src/mytypes.h +=================================================================== +--- exim4-4.82.orig/src/mytypes.h 2013-10-24 20:46:27.000000000 -0400 ++++ exim4-4.82/src/mytypes.h 2016-03-14 13:04:50.065138978 -0400 +@@ -66,6 +66,7 @@ + #define US (unsigned char *) + #define CUS (const unsigned char *) + #define USS (unsigned char **) ++#define CUSS (const unsigned char **) + + /* The C library string functions expect "char *" arguments. Use macros to + avoid having to write a cast each time. We do this for string and file diff -Nru exim4-4.82/debian/patches/CVE-2016-9963.patch exim4-4.82/debian/patches/CVE-2016-9963.patch --- exim4-4.82/debian/patches/CVE-2016-9963.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/CVE-2016-9963.patch 2017-01-05 13:29:56.000000000 +0000 
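Review bot: In cleanup_environment() (src/environment.c) the keep_environment loop advances or restarts `p` only inside `if (eqp)`, so an entry without `=` leaves `p` unchanged and the `for` never terminates, although the comment says such strings are ignored. The environment is supplied by whoever starts the binary and this runs during startup, so a malformed entry means a hang; adding `else p++; /* no '=': skip the malformed entry */` after the `if (eqp) { ... }` block fixes it. The `-bP environment` branch in src/readconf.c has the same blind spot: `*(Ustrchr(*p, '=')) = '\0';` writes through NULL for such an entry and should test the result first. The return value of `putenv(CS p)` is also ignored, so a failed add_environment entry still returns TRUE.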
@@ -0,0 +1,66 @@ +From 31c02defdc5118834e801d4fe8f11c1d9b5ebadf Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Fri, 16 Dec 2016 20:36:39 +0000 +Subject: [PATCH] Fix DKIM information leakage + +Cherry picked from exim-4_87 .. exim-4_87_1 +--- + doc/doc-txt/ChangeLog | 7 +++ + doc/doc-txt/cve-2016-9663 | 86 +++++++++++++++++++++++++++++++++ + src/src/dkim.c | 1 + + src/src/transports/smtp.c | 4 +- + test/confs/4510 | 71 +++++++++++++++++++++++++++ + test/log/4510 | 20 ++++++++ + test/mail/4510.store | 58 ++++++++++++++++++++++ + test/runtest | 8 +++ + test/scripts/4510-DKIM-Bounces/4510 | 15 ++++++ + test/scripts/4510-DKIM-Bounces/REQUIRES | 2 + + 10 files changed, 271 insertions(+), 1 deletion(-) + create mode 100644 doc/doc-txt/cve-2016-9663 + create mode 100644 test/confs/4510 + create mode 100644 test/log/4510 + create mode 100644 test/mail/4510.store + create mode 100644 test/scripts/4510-DKIM-Bounces/4510 + create mode 100644 test/scripts/4510-DKIM-Bounces/REQUIRES + +Index: exim4-4.82/src/dkim.c +=================================================================== +--- exim4-4.82.orig/src/dkim.c 2017-01-05 08:29:53.296740016 -0500 ++++ exim4-4.82/src/dkim.c 2017-01-05 08:29:53.292739971 -0500 +@@ -519,6 +519,7 @@ + (char *)dkim_signing_selector, + (char *)dkim_private_key_expanded + ); ++ dkim_private_key_expanded[0] = '\0'; + + pdkim_set_debug_stream(ctx,debug_file); + +Index: exim4-4.82/src/transports/smtp.c +=================================================================== +--- exim4-4.82.orig/src/transports/smtp.c 2017-01-05 08:29:53.296740016 -0500 ++++ exim4-4.82/src/transports/smtp.c 2017-01-05 08:29:53.292739971 -0500 +@@ -248,6 +248,7 @@ + static uschar *smtp_command; /* Points to last cmd for error messages */ + static uschar *mail_command; /* Points to MAIL cmd for error messages */ + static BOOL update_waiting; /* TRUE to update the "wait" database */ ++static uschar *data_command = US""; /* Points to DATA cmd for error messages */ + + + 
/************************************************* +@@ -1826,6 +1827,7 @@ + case -1: goto END_OFF; /* Timeout on RCPT */ + default: goto RESPONSE_FAILED; /* I/O error, or any MAIL/DATA error */ + } ++ data_command = string_copy(big_buffer); /* Save for later error message */ + } + + /* Save the first address of the next batch. */ +@@ -2011,7 +2013,7 @@ + #else + "LMTP error after %s: %s", + #endif +- big_buffer, string_printing(buffer)); ++ data_command, string_printing(buffer)); + setflag(addr, af_pass_message); /* Allow message to go to user */ + if (buffer[0] == '5') + addr->transport_return = FAIL; diff -Nru exim4-4.82/debian/patches/CVE-2017-1000368.patch exim4-4.82/debian/patches/CVE-2017-1000368.patch --- exim4-4.82/debian/patches/CVE-2017-1000368.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/CVE-2017-1000368.patch 2017-06-03 05:44:13.000000000 +0000 
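Review bot: `dkim_private_key_expanded[0] = '\0';` in src/dkim.c only truncates the string, so every key byte after the first stays in the buffer after pdkim_init_sign() returns. That stops string-style reads, which appears to be the leak being fixed, but code that reads the buffer by length would still see key material. Where the buffer comes from is outside the hunk, so confirm whether it aliases a shared buffer such as big_buffer. If it does, clear the whole string, e.g. `memset(dkim_private_key_expanded, 0, Ustrlen(dkim_private_key_expanded));`. The `data_command` declaration in src/transports/smtp.c would also benefit from a comment saying why the error message can no longer use big_buffer directly.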
@@ -0,0 +1,56 @@ +Description: Do not leak memory if multiple -p arguments are given +Author: Steve Beattie + +This approach of keeping track of when allocations occurred and freeing +them on multiple occurrances of the -p argument was chosen over +reporting an error on argument re-use to retain existing behavior (lats +argument given is the one used). This differs from the approach Exim +upstream intends to take. + +CVE-2017-1000368 +--- + src/exim.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +Index: b/src/exim.c +=================================================================== +--- a/src/exim.c ++++ b/src/exim.c +@@ -1506,6 +1506,7 @@ int sender_address_domain = 0; + int test_retry_arg = -1; + int test_rewrite_arg = -1; + BOOL arg_queue_only = FALSE; ++BOOL allocated_received_protocol = FALSE; + BOOL bi_option = FALSE; + BOOL checking = FALSE; + BOOL count_queue = FALSE; +@@ -3092,7 +3093,12 @@ for (i = 1; i < argc; i++) + + /* -oMr: Received protocol */ + +- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; ++ else if (Ustrcmp(argrest, "Mr") == 0) ++ { ++ if (allocated_received_protocol) store_free(received_protocol); ++ received_protocol = argv[++i]; ++ allocated_received_protocol = FALSE; ++ } + + /* -oMs: Set sender host name */ + +@@ -3191,11 +3197,15 @@ for (i = 1; i < argc; i++) + uschar *hn = Ustrchr(argrest, ':'); + if (hn == NULL) + { ++ if (allocated_received_protocol) store_free(received_protocol); + received_protocol = argrest; ++ allocated_received_protocol = FALSE; + } + else + { ++ if (allocated_received_protocol) store_free(received_protocol); + received_protocol = string_copyn(argrest, hn - argrest); ++ allocated_received_protocol = TRUE; + sender_host_name = hn + 1; + } + } diff -Nru exim4-4.82/debian/patches/CVE-2018-6789.patch exim4-4.82/debian/patches/CVE-2018-6789.patch --- exim4-4.82/debian/patches/CVE-2018-6789.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
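Review bot: The three new `store_free(received_protocol)` calls release a pointer obtained from `string_copyn()`, and these hunks do not show whether the two belong to the same allocator. If string_copyn() returns store-pool memory (store_get) while store_free() is the counterpart of store_malloc(), a repeated `-p proto:host` argument would hand the heap free routine a pointer it never returned, turning a leak into heap corruption or an abort. Please confirm the pairing. If the two do not match, either make the copy with a malloc-backed helper or leave the pool copy alone and only reset the flag. The free/assign/flag sequence is also written out three times and would be easier to audit as one small static helper.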
exim4-4.82/debian/patches/CVE-2018-6789.patch 2018-02-10 19:19:36.000000000 +0000 
@@ -0,0 +1,59 @@ +Backport of: + +From 062990cc1b2f9e5d82a413b53c8f0569075de700 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" +Date: Mon, 5 Feb 2018 22:23:32 +0100 +Subject: [PATCH] Fix base64d() buffer size (CVE-2018-6789) + +Credits for discovering this bug: Meh Chang +--- + doc/doc-txt/ChangeLog | 6 ++++-- + src/src/base64.c | 8 ++++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +#diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog +#index 6e71f1fbb..970ec0732 100644 +#--- a/doc/doc-txt/ChangeLog +#+++ b/doc/doc-txt/ChangeLog +#@@ -5,8 +5,8 @@ affect Exim's operation, with an unchanged configuration file. For new +# options, and new features, see the NewStuff file next to this ChangeLog. +# +# +#-Since Exim version 4.90 +#------------------ +#+Exim version 4.90.1 +#+------------------- +# +# JH/03 Fix pgsql lookup for multiple result-tuples with a single column. +# Previously only the last row was returned. +#@@ -58,6 +58,8 @@ JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as +# was marked defer_ok. Fix to keep the two timeout-detection methods +# separate. +# +#+HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) +#+ +# JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc +# metadata, resulting in a crash in free(). +# +Index: exim4-4.86.2/src/auths/b64decode.c +=================================================================== +--- exim4-4.86.2.orig/src/auths/b64decode.c 2018-02-10 14:16:38.950220902 -0500 ++++ exim4-4.86.2/src/auths/b64decode.c 2018-02-10 14:17:48.542303370 -0500 +@@ -42,10 +42,14 @@ static uschar dec64table[] = { + int + auth_b64decode(uschar *code, uschar **ptr) + { +-register int x, y; +-uschar *result = store_get(3*(Ustrlen(code)/4) + 1); + +-*ptr = result; ++int x, y; ++uschar *result; ++ ++{ ++ int l = Ustrlen(code); ++ *ptr = result = store_get(1 + l/4 * 3 + l%4); ++} + + /* Each cycle of the loop handles a quantum of 4 input bytes. 
For the last + quantum this may decode to 1, 2, or 3 output bytes. */ diff -Nru exim4-4.82/debian/patches/fix_smtp_banner.patch exim4-4.82/debian/patches/fix_smtp_banner.patch --- exim4-4.82/debian/patches/fix_smtp_banner.patch 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/fix_smtp_banner.patch 2014-01-02 02:59:36.000000000 +0000 
@@ -0,0 +1,60 @@ +Description: Add EXIM_DISTRIBUTION var to display it on the SMTP banner +Origin: https://blueprints.launchpad.net/ubuntu/+spec/servercloud-s-server-app-banner-updates +Author: Yolanda Robla +Last-Update: 2013-06-20 + +=== modified file 'src/exim.h' +Index: exim4_ubuntu/src/globals.c +=================================================================== +--- exim4_ubuntu.orig/src/globals.c 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/src/globals.c 2013-12-10 17:06:29.190997355 +0000 +@@ -1175,7 +1175,7 @@ + uschar *smtp_active_hostname = NULL; + BOOL smtp_authenticated = FALSE; + uschar *smtp_banner = US"$smtp_active_hostname ESMTP " +- "Exim $version_number $tod_full" ++ "Exim $version_number " EXIM_DISTRIBUTION " $tod_full" + "\0<---------------Space to patch smtp_banner->"; + BOOL smtp_batched_input = FALSE; + BOOL smtp_check_spool_space = TRUE; +Index: exim4_ubuntu/src/config.h.defaults +=================================================================== +--- exim4_ubuntu.orig/src/config.h.defaults 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/src/config.h.defaults 2013-12-10 17:06:29.190997355 +0000 +@@ -196,4 +196,6 @@ + #define SC_EXIM_ARITH "%" SCNi64 /* scanf incl. 
0x prefix */ + #define SC_EXIM_DEC "%" SCNd64 /* scanf decimal */ + ++#define EXIM_DISTRIBUTION ++ + /* End of config.h.defaults */ +Index: exim4_ubuntu/scripts/Configure-config.h +=================================================================== +--- exim4_ubuntu.orig/scripts/Configure-config.h 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/scripts/Configure-config.h 2013-12-10 17:06:29.190997355 +0000 +@@ -23,6 +23,12 @@ + if [ "$1" != "" ] ; then MAKE=$1 ; fi + if [ "$MAKE" = "" ] ; then MAKE=make ; fi + ++# exporting distribution to use it in smtp banner ++if test -x /usr/bin/lsb_release && lsb_release -si; then ++ export EXIM_DISTRIBUTION=\"$(lsb_release -si)\" ++else ++ export EXIM_DISTRIBUTION=\"\" ++fi + $MAKE buildconfig || exit 1 + + # BEWARE: tab characters needed in the following sed command. They have had +Index: exim4_ubuntu/src/exim.h +=================================================================== +--- exim4_ubuntu.orig/src/exim.h 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/src/exim.h 2013-12-10 17:06:29.190997355 +0000 +@@ -580,4 +580,8 @@ + #endif + #endif + ++#ifndef EXIM_DISTRIBUTION ++ #define EXIM_DISTRIBUTION "" ++#endif ++ + /* End of exim.h */ diff -Nru exim4-4.82/debian/patches/series exim4-4.82/debian/patches/series --- exim4-4.82/debian/patches/series 2013-11-27 18:50:44.000000000 +0000 +++ exim4-4.82/debian/patches/series 2018-02-10 19:19:36.000000000 +0000 @@ -11,3 +11,12 @@ 75_unbind-ldap-connection.diff 76_fix_ldap_option_setting.diff 77_close-the-server-side-of-TLS.diff +fix_smtp_banner.patch +CVE-2014-2972.patch +CVE-2016-1531.patch +CVE-2016-1531-2.patch +CVE-2016-1531-3.patch +CVE-2016-1531-4.patch +CVE-2016-9963.patch +CVE-2017-1000368.patch +CVE-2018-6789.patch diff -Nru exim4-4.82/debian/tests/control exim4-4.82/debian/tests/control --- exim4-4.82/debian/tests/control 2013-09-01 13:34:49.000000000 +0000 +++ exim4-4.82/debian/tests/control 2014-02-25 16:33:11.000000000 +0000 
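Review bot: In scripts/Configure-config.h the probe tests `/usr/bin/lsb_release` but then runs `lsb_release` through PATH, twice, and the first call's output is printed during the build. The result is pasted into a C string literal that ends up in the SMTP banner, so I would call the tested binary and silence the probe: `if test -x /usr/bin/lsb_release && /usr/bin/lsb_release -si >/dev/null 2>&1; then` and `export EXIM_DISTRIBUTION=\"$(/usr/bin/lsb_release -si)\"`. src/config.h.defaults adds `#define EXIM_DISTRIBUTION` with an empty body while src/exim.h falls back to `""`; the empty form only compiles because it sits between two string literals, so `""` in both places is safer. The banner now discloses the distribution name to any connecting client, which deserves a line in the patch description.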
@@ -1,3 +1,3 @@
 Tests: daemon security
-Depends: exim4
+Depends: exim4, python
 Restrictions: needs-root