From f64bbe9873be9d6ca1d063e8bb054bee73a29f60 Mon Sep 17 00:00:00 2001 From: sev Date: Tue, 2 Jan 2024 18:36:11 -0600 Subject: [PATCH] testing/exim-openldap: upgrade to 4.97.1 --- testing/exim-openldap/APKBUILD | 25 +++++-- testing/exim-openldap/bounce-charset.patch | 38 +++++----- testing/exim-openldap/dnsdb-multi-chunk.patch | 71 +++++++++++++++++++ testing/exim-openldap/exim.Makefile | 3 +- 4 files changed, 110 insertions(+), 27 deletions(-) create mode 100644 testing/exim-openldap/dnsdb-multi-chunk.patch diff --git a/testing/exim-openldap/APKBUILD b/testing/exim-openldap/APKBUILD index d955122..5eb4087 100644 --- a/testing/exim-openldap/APKBUILD +++ b/testing/exim-openldap/APKBUILD @@ -3,12 +3,13 @@ # Contributor: Valery Kartel # Contributor: Łukasz Jendrysik # Contributor: Jesse Young -# Maintainer: Jesse Young +# Contributor: Celeste +# Maintainer: sev pkgname=exim-openldap _pkgname=exim provides=$_pkgname -pkgver=4.95 -pkgrel=1 +pkgver=4.97.1 +pkgrel=0 pkgdesc="Replacement package for exim with built-in OpenLDAP support" url="https://www.exim.org/" arch="all" @@ -18,18 +19,29 @@ pkgusers="$_pkgname" pkggroups="$_pkgname mail" depends="ca-certificates exim-openrc" makedepends="bash tdb-dev gawk libidn-dev libspf2-dev linux-headers - mariadb-connector-c-dev openssl1.1-compat-dev pcre-dev perl libpq-dev sqlite-dev + mariadb-connector-c-dev openssl-dev>3 pcre2-dev perl + perl-file-fcntllock libpq-dev sqlite-dev openldap-dev " install="$pkgname.pre-install" source="https://ftp.exim.org/pub/exim/exim4/exim-$pkgver.tar.xz bounce-charset.patch + dnsdb-multi-chunk.patch exim.Makefile exim.logrotate " builddir="$srcdir/$_pkgname-$pkgver" # secfixes: +# 4.97.1-r0: +# - CVE-2023-51766 +# 4.96.2-r0: +# - CVE-2023-42117 +# - CVE-2023-42119 +# 4.96.1-r0: +# - CVE-2023-42114 +# - CVE-2023-42115 +# - CVE-2023-42116 # 4.94.2-r0: # - CVE-2021-27216 # - CVE-2020-28007 @@ -82,6 +94,7 @@ prepare() { } build() { + export CFLAGS="$CFLAGS -DNO_EXECINFO" make makefile make } 
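Review bot: The `export CFLAGS="$CFLAGS -DNO_EXECINFO"` line added at the top of build() has no comment explaining why the define is needed. It presumably disables Exim's backtrace code because musl ships no `<execinfo.h>`, though that cannot be confirmed from this diff. If that is the reason, state it above the export, e.g. `# musl has no <execinfo.h>; build without backtrace support`, so the flag is neither dropped nor carried blindly on the next upgrade.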
@@ -107,8 +120,8 @@ package() { } sha512sums=" -93d09c20d99f27da5edbe3e6dc7d25aa4548faa2b67ca26f2cc0b4aeaf58398dd468e0263714fcf0df97531f05d16fcd3f1f0e9d0656ead7858a66b248a44a65 exim-4.95.tar.xz +dc9f6a114e64ac826489edff88d50a24195b64714428e691c10a7bfb119b3ebb6455bf80cbb34dfd0a4e2e44cbde72effb009357a8e0a6065e512fe32092e3ed exim-4.96.2.tar.xz 691df92954f015711398350963ea321d143127bc731a985bcacc5364c71b6df84b6c21a2e8dc3cc2048fcd3dd02def3dc8015f4d84dd672f23d5a41348e72dc7 bounce-charset.patch -4d2a33d2d9399c2d9485155585a180f1314fdc6f0ea164f3ebd74dbafa0b968f0edfbdd6d6ed7cdb4bc63696073b66f25e03317cc304192457e40fa30a12e207 exim.Makefile +c1d430ab5175ba24eacd1b0c2586eb543045ff0bb71f73425ed290320463daa7cb710d1c61610a4c4c21591ed7204392c9cb4f69271e0b83082da59fa6a1352e exim.Makefile 28e748693a6a72d9943fa9c342ff041fe650fa6977f468dee127e845e6c2a91872ce33fb6f5698838906bde3ed92de7a91cdb0349cedc40b806261867e8c06cb exim.logrotate " diff --git a/testing/exim-openldap/bounce-charset.patch b/testing/exim-openldap/bounce-charset.patch index 5143328..5ddc841 100644 --- a/testing/exim-openldap/bounce-charset.patch +++ b/testing/exim-openldap/bounce-charset.patch @@ -1,6 +1,24 @@ --- a/src/deliver.c +++ b/src/deliver.c -@@ -7373,7 +7373,7 @@ +@@ -5696,7 +5696,7 @@ + + /* output human readable part as text/plain section */ + fprintf(fp, "--%s\n" +- "Content-type: text/plain; charset=us-ascii\n\n", ++ "Content-type: text/plain; charset=utf-8\n\n", + bound); + + if ((emf_text = next_emf(emf, US"intro"))) +@@ -6066,7 +6066,7 @@ + + /* output human readable part as text/plain section */ + fprintf(f, "--%s\n" +- "Content-type: text/plain; charset=us-ascii\n\n", ++ "Content-type: text/plain; charset=utf-8\n\n", + bound); + + if ((wmf_text = next_emf(wmf, US"intro"))) +@@ -6281,7 +6281,7 @@ "MIME-Version: 1.0\n\n" "--%s\n" 
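Review bot: The sha512sums block in the hunk after package() does not match the `source=` list this commit sets up. The new tarball entry is named `exim-4.96.2.tar.xz` while `pkgver=4.97.1` makes the source `exim-4.97.1.tar.xz`; no entry is added for the new `dnsdb-multi-chunk.patch`; and the `bounce-charset.patch` digest is unchanged although this commit rewrites that file. As written, the integrity check cannot cover what is actually fetched and applied, so the build should either fail verification or, where checks are bypassed, run on unverified inputs. Regenerate the block with `abuild checksum` after confirming the 4.97.1 tarball against the upstream release signature, so that it contains lines of the form `<sha512 of exim-4.97.1.tar.xz>  exim-4.97.1.tar.xz` and `<sha512>  dnsdb-multi-chunk.patch`.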
@@ -9,21 +27,3 @@ "This message was created automatically by mail delivery software.\n" " ----- The following addresses had successful delivery notifications -----\n", -@@ -7644,7 +7644,7 @@ - - /* output human readable part as text/plain section */ - fprintf(fp, "--%s\n" -- "Content-type: text/plain; charset=us-ascii\n\n", -+ "Content-type: text/plain; charset=utf-8\n\n", - bound); - - if ((emf_text = next_emf(emf, US"intro"))) -@@ -8252,7 +8252,7 @@ - - /* output human readable part as text/plain section */ - fprintf(f, "--%s\n" -- "Content-type: text/plain; charset=us-ascii\n\n", -+ "Content-type: text/plain; charset=utf-8\n\n", - bound); - - if ((wmf_text = next_emf(wmf, US"intro"))) diff --git a/testing/exim-openldap/dnsdb-multi-chunk.patch b/testing/exim-openldap/dnsdb-multi-chunk.patch new file mode 100644 index 0000000..9b65a65 --- /dev/null +++ b/testing/exim-openldap/dnsdb-multi-chunk.patch 
@@ -0,0 +1,71 @@ +Adapted from https://git.exim.org/exim.git/patch/79670d3c32ccb37fe06f25d8192943b58606a32a + +Reference: https://bugs.exim.org/show_bug.cgi?id=3054 +-- +From 79670d3c32ccb37fe06f25d8192943b58606a32a Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Fri, 17 Nov 2023 16:55:17 +0000 +Subject: [PATCH] Lookups: Fix dnsdb lookup of multi-chunk TXT. Bug 3054 + +Broken=by: f6b1f8e7d642 + +--- a/src/lookups/dnsdb.c ++++ b/src/lookups/dnsdb.c +@@ -387,38 +387,31 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0))) + } + + /* Other kinds of record just have one piece of data each, but there may be +- several of them, of course. */ ++ several of them, of course. TXT & SPF can have data in multiple chunks. */ + + if (yield->ptr) yield = string_catn(yield, outsep, 1); + + if (type == T_TXT || type == T_SPF) +- { +- if (!outsep2) /* output only the first item of data */ ++ for (unsigned data_offset = 0; data_offset + 1 < rr->size; ) + { +- uschar n = (rr->data)[0]; +- /* size byte + data bytes must not excced the RRs length */ +- if (n + 1 <= rr->size) +- yield = string_catn(yield, US (rr->data+1), n); ++ uschar chunk_len = (rr->data)[data_offset]; ++ int remain; ++ ++ if (outsep2 && *outsep2 && data_offset != 0) ++ yield = string_catn(yield, outsep2, 1); ++ ++ /* Apparently there are resolvers that do not check RRs before passing ++ them on, and glibc fails to do so. So every application must... 
++ Check for chunk len exceeding RR */ ++ ++ remain = rr->size - ++data_offset; ++ if (chunk_len > remain) ++ chunk_len = remain; ++ yield = string_catn(yield, US ((rr->data) + data_offset), chunk_len); ++ data_offset += chunk_len; ++ ++ if (!outsep2) break; /* output only the first chunk of the RR */ + } +- else +- for (unsigned data_offset = 0; data_offset < rr->size; ) +- { +- uschar chunk_len = (rr->data)[data_offset]; +- int remain = rr->size - data_offset; +- +- /* Apparently there are resolvers that do not check RRs before passing +- them on, and glibc fails to do so. So every application must... +- Check for chunk len exceeding RR */ +- +- if (chunk_len > remain) +- chunk_len = remain; +- +- if (*outsep2 && data_offset != 0) +- yield = string_catn(yield, outsep2, 1); +- yield = string_catn(yield, US ((rr->data) + ++data_offset), --chunk_len); +- data_offset += chunk_len; +- } +- } + else if (type == T_TLSA) + if (rr->size < 3) + continue; diff --git a/testing/exim-openldap/exim.Makefile b/testing/exim-openldap/exim.Makefile index 5ae8863..a6368f2 100644 --- a/testing/exim-openldap/exim.Makefile +++ b/testing/exim-openldap/exim.Makefile @@ -41,8 +41,7 @@ LOOKUP_SQLITE=2 LOOKUP_SQLITE_LIBS=-Wl,--no-as-needed -lsqlite3 MAKE_SHELL=/bin/bash NO_SYMLINK=yes -PCRE_CONFIG=yes -PCRE_LIBS=-lpcre +PCRE2_CONFIG=yes PID_FILE_PATH=/run/exim.pid ROUTER_ACCEPT=yes ROUTER_DNSLOOKUP=yes -- 2.47.0
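Review bot: The header of the new dnsdb-multi-chunk.patch says "Adapted from" the upstream commit but does not say what was changed. A reviewer therefore cannot confirm from the file alone that the length clamp (`if (chunk_len > remain) chunk_len = remain;`) and the loop condition `data_offset + 1 < rr->size` are exactly upstream's. Add a line under the Reference, for example `Adaptation: <what differs from upstream 79670d3c, e.g. non-src hunks dropped>`, plus a note on when the patch can be removed (presumably the first release after 4.97.1 that contains the commit). The enclosing function in src/lookups/dnsdb.c starts and ends outside the embedded hunk, so the type and sign of `rr->size` are not visible here.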