diff options
-rw-r--r-- | mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch | 91 | ||||
-rw-r--r-- | mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild (renamed from mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild) | 3 |
2 files changed, 93 insertions, 1 deletions
diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch new file mode 100644 index 000000000000..58f3ed8c38b1 --- /dev/null +++ b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch @@ -0,0 +1,91 @@ +diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c +--- OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c 2018-01-04 23:24:01.000000000 +0100 ++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c 2020-01-29 09:47:24.607457717 +0100 +@@ -1290,40 +1290,20 @@ + break; + + case IO_ERROR: ++ case IO_TLSERROR: + log_debug("debug: mta: %p: IO error: %s", s, io_error(io)); +- if (!s->ready) { +- mta_error(s, "IO Error: %s", io_error(io)); +- mta_connect(s); +- break; +- } +- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { +- /* error in non-strict SSL negotiation, downgrade to plain */ +- if (s->flags & MTA_TLS) { +- log_info("smtp-out: Error on session %016"PRIx64 +- ": opportunistic TLS failed, " +- "downgrading to plain", s->id); +- s->flags &= ~MTA_TLS; +- s->flags |= MTA_DOWNGRADE_PLAIN; +- mta_connect(s); +- break; +- } +- } +- mta_error(s, "IO Error: %s", io_error(io)); +- mta_free(s); +- break; + +- case IO_TLSERROR: +- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io)); +- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { ++ if (s->state == MTA_STARTTLS && s->use_smtp_tls) { + /* error in non-strict SSL negotiation, downgrade to plain */ +- log_info("smtp-out: TLS Error on session %016"PRIx64 +- ": TLS failed, " ++ log_info("smtp-out: Error on session %016"PRIx64 ++ ": opportunistic TLS failed, " + "downgrading to plain", s->id); + s->flags &= ~MTA_TLS; + s->flags |= MTA_DOWNGRADE_PLAIN; + mta_connect(s); + break; + } ++ + mta_error(s, "IO Error: %s", io_error(io)); + mta_free(s); + break; +diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c +--- OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c 2018-01-04 23:24:01.000000000 +0100 ++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c 2020-01-29 09:47:24.610791335 +0100 +@@ -2004,25 +2004,23 @@ + memmove(maddr->user, p, strlen(p) + 1); + } + +- if (!valid_localpart(maddr->user) || +- !valid_domainpart(maddr->domain)) { +- /* accept empty return-path in MAIL FROM, required for bounces */ +- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') +- return (1); ++ /* accept empty return-path in MAIL FROM, required for bounces */ ++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') ++ return (1); + +- /* no user-part, reject */ +- if (maddr->user[0] == '\0') +- return (0); +- +- /* no domain, local user */ +- if (maddr->domain[0] == '\0') { +- (void)strlcpy(maddr->domain, domain, +- sizeof(maddr->domain)); +- return (1); +- } ++ /* no or invalid user-part, reject */ ++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user)) + return (0); ++ ++ /* no domain part, local user */ ++ if (maddr->domain[0] == '\0') { ++ (void)strlcpy(maddr->domain, domain, ++ sizeof(maddr->domain)); + } + ++ if (!valid_domainpart(maddr->domain)) ++ return (0); ++ + return (1); + } + diff --git a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild index bd087d961d5c..bed05258e9c5 100644 --- a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild +++ b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 @@ -42,6 +42,7 @@ S=${WORKDIR}/${P/_} PATCHES=( "${FILESDIR}/${P}-fix-crash-on-auth.patch" "${FILESDIR}/${P}-openssl_1.1.patch" + "${FILESDIR}/${P}-security-fixes.patch" ) src_configure() { |