diffstat for exim4-4.90.1 exim4-4.90.1

 changelog                                 |   44 +++++++++++++++++++++++++
 control                                   |    5 +-
 patches/CVE-2019-10149.patch              |   48 +++++++++++++++++++++++++++
 patches/eximstats_unitialized_value.patch |   20 +++++++++++
 patches/fix_smtp_banner.patch             |   52 ++++++++++++++++++++++++++++++
 patches/series                            |    3 +
 6 files changed, 170 insertions(+), 2 deletions(-)

diff -Nru exim4-4.90.1/debian/changelog exim4-4.90.1/debian/changelog
--- exim4-4.90.1/debian/changelog	2018-02-10 12:45:40.000000000 +0000
+++ exim4-4.90.1/debian/changelog	2019-06-04 18:44:51.000000000 +0000
@@ -1,3 +1,28 @@
+exim4 (4.90.1-1ubuntu1.2) bionic-security; urgency=medium
+
+  * SECURITY UPDATE: remote command execution
+    - debian/patches/CVE-2019-10149.patch: fix parsing logic in
+      src/deliver.c.
+    - CVE-2019-10149
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 04 Jun 2019 14:44:51 -0400
+
+exim4 (4.90.1-1ubuntu1.1) bionic; urgency=medium
+
+  * d/p/eximstats_unitialized_value.patch: Fix uninitialized value error in
+    eximstats. (LP: #1786508)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Wed, 10 Oct 2018 15:25:04 -0300
+
+exim4 (4.90.1-1ubuntu1) bionic; urgency=medium
+
+  * Merge from Debian testing, Remaining changes:
+    - Show Ubuntu distribution in SMTP banner
+      - Build-Depends on lsb-release to detect Distribution.
+      - d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 14 Feb 2018 17:01:14 +0100
+
 exim4 (4.90.1-1) unstable; urgency=high
 
   * New upstream version, fixing CVE-2018-6789. Closes: #890000
@@ -192,6 +217,15 @@
 
  -- Andreas Metzler <ametzler@debian.org>  Sat, 25 Nov 2017 11:43:24 +0100
 
+exim4 (4.89-9ubuntu1) bionic; urgency=medium
+
+  * Merge from Debian unstable, Remaining changes:
+    - Show Ubuntu distribution in SMTP banner
+      - Build-Depends on lsb-release to detect Distribution.
+      - d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 16 Nov 2017 10:02:23 +0100
+
 exim4 (4.89-9) unstable; urgency=medium
 
   * Upload to unstable.
@@ -234,6 +268,16 @@
 
  -- Andreas Metzler <ametzler@debian.org>  Sat, 09 Sep 2017 15:29:39 +0200
 
+exim4 (4.89-5ubuntu1) artful; urgency=medium
+
+  * Merge from Debian testing.
+    Remaining changes:
+    - Show Ubuntu distribution in SMTP banner
+      - Build-Depends on lsb-release to detect Distribution.
+      - d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 16 Aug 2017 15:42:47 +0200
+
 exim4 (4.89-5) unstable; urgency=medium
 
   * Update to exim-4_89+fixes branch:
diff -Nru exim4-4.90.1/debian/control exim4-4.90.1/debian/control
--- exim4-4.90.1/debian/control	2018-01-28 17:16:00.000000000 +0000
+++ exim4-4.90.1/debian/control	2018-10-10 18:25:04.000000000 +0000
@@ -1,7 +1,8 @@
 Source: exim4
 Section: mail
 Priority: standard
-Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
 Uploaders: Andreas Metzler <ametzler@debian.org>,Marc Haber <mh+debian-packages@zugschlus.de>
 Homepage: https://www.exim.org/
 Standards-Version: 4.1.3
@@ -11,7 +12,7 @@
   lynx, docbook-xml, libpcre3-dev, libldap2-dev, libpam0g-dev,
   libident-dev, libdb5.3-dev, libxmu-dev, libxt-dev, libxext-dev, libx11-dev,
   libxaw7-dev, libpq-dev, default-libmysqlclient-dev,
-  libsqlite3-dev, libperl-dev, libgnutls28-dev, libsasl2-dev
+  libsqlite3-dev, libperl-dev, libgnutls28-dev, libsasl2-dev, lsb-release
 
 Package: exim4-base
 Architecture: any
diff -Nru exim4-4.90.1/debian/patches/CVE-2019-10149.patch exim4-4.90.1/debian/patches/CVE-2019-10149.patch
--- exim4-4.90.1/debian/patches/CVE-2019-10149.patch	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.90.1/debian/patches/CVE-2019-10149.patch	2019-06-04 18:44:49.000000000 +0000
@@ -0,0 +1,48 @@
+From d740d2111f189760593a303124ff6b9b1f83453d Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Mon, 27 May 2019 21:57:31 +0100
+Subject: [PATCH 1/1] Fix CVE-2019-10149
+
+---
+ doc/doc-txt/ChangeLog      |  2 ++
+ doc/doc-txt/cve-2019-10149 | 36 ++++++++++++++++++++++++++++++++++++
+ src/src/deliver.c          | 22 ++++++++++++++--------
+ 3 files changed, 52 insertions(+), 8 deletions(-)
+ create mode 100644 doc/doc-txt/cve-2019-10149
+
+Index: exim4-4.90.1/src/deliver.c
+===================================================================
+--- exim4-4.90.1.orig/src/deliver.c	2019-06-04 14:44:46.307317559 -0400
++++ exim4-4.90.1/src/deliver.c	2019-06-04 14:44:46.307317559 -0400
+@@ -6228,17 +6228,23 @@ if (process_recipients != RECIP_IGNORE)
+ 	{
+ 	uschar * save_local =  deliver_localpart;
+ 	const uschar * save_domain = deliver_domain;
++	uschar * addr = new->address, * errmsg = NULL;
++	int start, end, dom;
+ 
+-	deliver_localpart = expand_string(
+-		      string_sprintf("${local_part:%s}", new->address));
+-	deliver_domain =    expand_string(
+-		      string_sprintf("${domain:%s}", new->address));
++	if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
++	  log_write(0, LOG_MAIN|LOG_PANIC,
++                "failed to parse address '%.100s': %s\n", addr, errmsg);
++	else
++	  {
++	  deliver_localpart =
++	    string_copyn(addr+start, dom ? (dom-1) - start : end - start);
++	  deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
+ 
+-	(void) event_raise(event_action,
+-		      US"msg:fail:internal", new->message);
++	  event_raise(event_action, US"msg:fail:internal", new->message);
+ 
+-	deliver_localpart = save_local;
+-	deliver_domain =    save_domain;
++	  deliver_localpart = save_local;
++	  deliver_domain = save_domain;
++	  }
+ 	}
+ #endif
+       }
diff -Nru exim4-4.90.1/debian/patches/eximstats_unitialized_value.patch exim4-4.90.1/debian/patches/eximstats_unitialized_value.patch
--- exim4-4.90.1/debian/patches/eximstats_unitialized_value.patch	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.90.1/debian/patches/eximstats_unitialized_value.patch	2018-10-10 18:25:04.000000000 +0000
@@ -0,0 +1,20 @@
+Description: Fix uninitialized value error in eximstats
+Origin: upstream, https://git.exim.org/exim.git/commitdiff/44de51a174765f7f5ecb250638cdb3fe64ec67dc
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894501
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1786508
+Last-Update: 2018-10-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/eximstats.src b/src/eximstats.src
+index 76cfe7e9..8eb5cac8 100644
+--- a/src/eximstats.src
++++ b/src/eximstats.src
+@@ -557,7 +557,7 @@ use File::Basename;
+ # use Time::Local;  # PH/FANF
+ use POSIX;
+ 
+-if ($ARGV[0] eq '--version') {
++if (@ARGV and $ARGV[0] eq '--version') {
+     print basename($0) . ": $0\n",
+         "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+         "perl(runtime): $]\n";
diff -Nru exim4-4.90.1/debian/patches/fix_smtp_banner.patch exim4-4.90.1/debian/patches/fix_smtp_banner.patch
--- exim4-4.90.1/debian/patches/fix_smtp_banner.patch	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.90.1/debian/patches/fix_smtp_banner.patch	2018-10-10 18:25:04.000000000 +0000
@@ -0,0 +1,52 @@
+Description: Add EXIM_DISTRIBUTION var to display it on the SMTP banner
+Origin: https://blueprints.launchpad.net/ubuntu/+spec/servercloud-s-server-app-banner-updates
+Author: Yolanda Robla <yolanda.robla@canonical.com>
+Last-Update: 2015-07-06
+
+--- a/src/globals.c
++++ b/src/globals.c
+@@ -1311,7 +1311,7 @@ int     smtp_accept_reserve    = 0;
+ uschar *smtp_active_hostname   = NULL;
+ BOOL    smtp_authenticated     = FALSE;
+ uschar *smtp_banner            = US"$smtp_active_hostname ESMTP "
+-                             "Exim $version_number $tod_full"
++                             "Exim $version_number " EXIM_DISTRIBUTION " $tod_full"
+                              "\0<---------------Space to patch smtp_banner->";
+ BOOL    smtp_batched_input     = FALSE;
+ BOOL    smtp_check_spool_space = TRUE;
+--- a/src/config.h.defaults
++++ b/src/config.h.defaults
+@@ -210,4 +210,6 @@ for EXIM_ARITH_MAX and _MIN in OS/oh.h-F
+ #define SC_EXIM_ARITH "%" SCNi64		/* scanf incl. 0x prefix */
+ #define SC_EXIM_DEC   "%" SCNd64		/* scanf decimal */
+ 
++#define EXIM_DISTRIBUTION
++
+ /* End of config.h.defaults */
+--- a/scripts/Configure-config.h
++++ b/scripts/Configure-config.h
+@@ -23,6 +23,12 @@
+ if [ "$1" != "" ] ; then MAKE=$1 ; fi
+ if [ "$MAKE" = "" ] ; then MAKE=make ; fi
+ 
++# exporting distribution to use it in smtp banner
++if test -x /usr/bin/lsb_release && lsb_release -si; then
++	export EXIM_DISTRIBUTION=\"$(lsb_release -si)\"
++else
++	export EXIM_DISTRIBUTION=\"\"
++fi
+ $MAKE buildconfig || exit 1
+ 
+ # BEWARE: tab characters needed in the following sed command. They have had
+--- a/src/exim.h
++++ b/src/exim.h
+@@ -603,5 +603,9 @@ default to EDQUOT if it exists, otherwis
+ # define POLLRDHUP (POLLIN | POLLHUP)
+ #endif
+ 
++#ifndef EXIM_DISTRIBUTION
++  #define EXIM_DISTRIBUTION ""
++#endif
++
+ #endif
+ /* End of exim.h */
diff -Nru exim4-4.90.1/debian/patches/series exim4-4.90.1/debian/patches/series
--- exim4-4.90.1/debian/patches/series	2018-02-10 12:45:06.000000000 +0000
+++ exim4-4.90.1/debian/patches/series	2019-06-04 18:44:42.000000000 +0000
@@ -7,3 +7,6 @@
 60_convert4r4.dpatch
 67_unnecessaryCopt.diff
 70_remove_exim-users_references.dpatch
+fix_smtp_banner.patch
+eximstats_unitialized_value.patch
+CVE-2019-10149.patch