From 3cd7e2b9721dbbf24cd4a5f9135236418a9c0cfa Mon Sep 17 00:00:00 2001
From: Rolf Eike Beer
Date: Tue, 19 May 2020 16:16:07 +0200
Subject: [PATCH] mail-mta/netqmail-1.06-r13: revbump for CVE-2005-1513, CVE-2005-1514, CVE-2005-1515

Bug: https://bugs.gentoo.org/721566
Signed-off-by: Rolf Eike Beer
Closes: https://github.com/gentoo/gentoo/pull/15881
Signed-off-by: Thomas Deutschmann
---
.../files/netqmail-1.06-CVE-2005-1513.patch | 66 ++++++
.../files/netqmail-1.06-CVE-2005-1514.patch | 39 +++
.../files/netqmail-1.06-CVE-2005-1515.patch | 64 +++++
.../files/netqmail-1.06-overflows.patch | 223 ++++++++++++++++++
mail-mta/netqmail/netqmail-1.06-r13.ebuild | 203 ++++++++++++++++
5 files changed, 595 insertions(+)
create mode 100644 mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
create mode 100644 mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1514.patch
create mode 100644 mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
create mode 100644 mail-mta/netqmail/files/netqmail-1.06-overflows.patch
create mode 100644 mail-mta/netqmail/netqmail-1.06-r13.ebuild
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
new file mode 100644
index 000000000000..58af5a9cee11
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
@@ -0,0 +1,66 @@
+From bb92ea678c2a2a524d2ee6e9d598275a659168d2 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer
+Date: Mon, 11 May 2020 18:30:13 +0200
+Subject: [PATCH 3/4] mimimum fix for CVE-2005-1513
+
+The first allocation at the tail of the function is not changed as that
+one starts with a small number of elements and grows only on
+subsequent call.s
+---
+ gen_allocdefs.h | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/gen_allocdefs.h b/gen_allocdefs.h
+index 783a9b1..0588441 100644
+--- a/gen_allocdefs.h
++++ b/gen_allocdefs.h
+@@ -4,24 +4,41 @@
+ #define GEN_ALLOC_ready(ta,type,field,len,a,i,n,x,base,ta_ready) \
+ int ta_ready(x,n) register ta *x; register unsigned int n; \
+ { register unsigned int i; \
++ unsigned int nlen; \
+ if (x->field) { \
+ i = x->a; \
+ if (n > i) { \
+- x->a = base + n + (n >> 3); \
+- if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
++ unsigned int nnum; \
++ if (__builtin_add_overflow(base, n, &nlen)) \
++ return 0; \
++ if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
++ return 0; \
++ if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
++ return 0; \
++ x->a = nlen; \
++ if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
+ x->a = i; return 0; } \
+ return 1; } \
+ x->len = 0; \
+ return !!(x->field = (type *) alloc((x->a = n) * sizeof(type))); }
+
+ #define GEN_ALLOC_readyplus(ta,type,field,len,a,i,n,x,base,ta_rplus) \
+-int ta_rplus(x,n) register ta *x; register unsigned int n; \
++int ta_rplus(x,n) register ta *x; unsigned int n; \
+ { register unsigned int i; \
+ if (x->field) { \
+ i = x->a; n += x->len; \
++ if (__builtin_add_overflow(n, x->len, &n)) \
++ return 0; \
+ if (n > i) { \
+- x->a = base + n + (n >> 3); \
+- if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
++ unsigned int nlen, nnum; \
++ if (__builtin_add_overflow(base, n, &nlen)) \
++ return 0; \
++ if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
++ return 0; \
++ if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
++ return 0; \
++ x->a = nlen; \
++ if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
+ x->a = i; return 0; } \
+ return 1; } \
+ x->len = 0; \
+--
+2.26.1
+
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1514.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1514.patch
new file mode 100644
index 000000000000..3876c290b676
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1514.patch
@@ -0,0 +1,39 @@
+From dc617a2f2d31e4c448b806791b3f8736cf9d1ffb Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer
+Date: Tue, 12 May 2020 20:06:38 +0200
+Subject: [PATCH 2/4] fix possible signed integer overflow in commands()
+ (CVE-2005-1514)
+
+Fix it as suggested by the Qualys Security Advisory team.
+---
+ commands.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/commands.c b/commands.c
+index b0d3f61..90a50c9 100644
+--- a/commands.c
++++ b/commands.c
+@@ -10,16 +10,17 @@ int commands(ss,c)
+ substdio *ss;
+ struct commands *c;
+ {
+- int i;
++ unsigned int i;
+ char *arg;
+
+ for (;;) {
+ if (!stralloc_copys(&cmd,"")) return -1;
+
+ for (;;) {
++ int j;
+ if (!stralloc_readyplus(&cmd,1)) return -1;
+- i = substdio_get(ss,cmd.s + cmd.len,1);
+- if (i != 1) return i;
++ j = substdio_get(ss,cmd.s + cmd.len,1);
++ if (j != 1) return j;
+ if (cmd.s[cmd.len] == '\n') break;
+ ++cmd.len;
+ }
+--
+2.26.1
+
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
new file mode 100644
index 000000000000..f1df70022e17
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
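Review bot: In `GEN_ALLOC_readyplus` (netqmail-1.06-CVE-2005-1513.patch) the context line `i = x->a; n += x->len; \` is kept and the new `__builtin_add_overflow(n, x->len, &n)` is placed right after it, so `x->len` is added to `n` twice and the first addition is still unchecked. The wraparound the patch is meant to reject can therefore occur before the check runs, and a call that does not overflow requests `x->len` more elements than it needs. The context line should drop the addition and read `i = x->a; \`, leaving the checked add as the only one. The overflow branches also return 0 without setting `errno`, whereas the callers patched in netqmail-1.06-overflows.patch set `errno = error_nomem` for the same condition. The tail of the `ta_rplus` body lies outside the embedded hunk.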
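Review bot: Nothing in `commands()` (netqmail-1.06-CVE-2005-1514.patch) records why `i` became `unsigned int` while the read result moved to a new signed `j`, so a later cleanup could easily merge the two again. A comment on each declaration would keep the split intact, for example `/* unsigned: used as an offset into cmd.s */` on `i` and `/* signed: substdio_get() result, returned unchanged when it is not 1 */` on `j`. The remaining uses of `i` are outside the hunk, so the wording for `i` should be checked against them.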
@@ -0,0 +1,64 @@
+From 5540e1b47ac043033e6661b4e04dcaf958db0110 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer
+Date: Mon, 11 May 2020 18:55:11 +0200
+Subject: [PATCH 1/4] fix signedness wraparound in substdio_put()
+ (CVE-2005-1515)
+
+---
+ qmail.c | 2 +-
+ substdo.c | 14 ++++++++------
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/qmail.c b/qmail.c
+index 186c092..7c86a04 100644
+--- a/qmail.c
++++ b/qmail.c
+@@ -61,7 +61,7 @@ void qmail_fail(qq) struct qmail *qq;
+ qq->flagerr = 1;
+ }
+
+-void qmail_put(qq,s,len) struct qmail *qq; char *s; int len;
++void qmail_put(qq,s,len) struct qmail *qq; char *s; unsigned int len;
+ {
+ if (!qq->flagerr) if (substdio_put(&qq->ss,s,len) == -1) qq->flagerr = 1;
+ }
+diff --git a/substdo.c b/substdo.c
+index fb616f7..bccf0d6 100644
+--- a/substdo.c
++++ b/substdo.c
+@@ -7,7 +7,7 @@ static int allwrite(op,fd,buf,len)
+ register int (*op)();
+ register int fd;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+ register int w;
+
+@@ -55,16 +55,18 @@ register int len;
+ int substdio_put(s,buf,len)
+ register substdio *s;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+- register int n;
++ register unsigned int n = s->n; /* how many bytes to write in next chunk */
+
+- n = s->n;
+- if (len > n - s->p) {
++ /* check if the input would fit in the buffer without flushing */
++ if (len > n - (unsigned int)s->p) {
+ if (substdio_flush(s) == -1) return -1;
+ /* now s->p == 0 */
+ if (n < SUBSTDIO_OUTSIZE) n = SUBSTDIO_OUTSIZE;
+- while (len > s->n) {
++ /* as long as the remainder would not fit into s->x write it directly
++ * from buf to s->fd. */
++ while (len > (unsigned int)s->n) {
+ if (n > len) n = len;
+ if (allwrite(s->op,s->fd,buf,n) == -1) return -1;
+ buf += n;
+--
+2.26.1
+
diff --git a/mail-mta/netqmail/files/netqmail-1.06-overflows.patch b/mail-mta/netqmail/files/netqmail-1.06-overflows.patch
new file mode 100644
index 000000000000..d9932df972c4
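Review bot: The new test `len > n - (unsigned int)s->p` in `substdio_put` (substdo.c) is only correct while `0 <= s->p <= s->n`, because `s->p` and `s->n` are still `int` fields and are merely cast at the point of use; outside that range the subtraction wraps to a large value and the flush branch is skipped. That invariant is not stated anywhere in the hunk, and the comment on `n` describes only its later role as a chunk size, not its initial value of `s->n`. I would add `/* relies on 0 <= s->p <= s->n; both fields are int */` above the comparison and reword the declaration comment to `/* buffer size first, then the size of each direct write */`. The end of `substdio_put` is outside the hunk.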
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-overflows.patch
@@ -0,0 +1,223 @@
+From e8a1e037afc8729bd65d4bda36dedf444f301c0f Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer
+Date: Mon, 11 May 2020 18:30:13 +0200
+Subject: [PATCH 4/4] fix additional length overflows
+
+---
+ Makefile | 6 +++---
+ alloc.c | 21 ++++++++++++++-------
+ qmail-local.c | 3 ++-
+ qmail-pop3d.c | 3 ++-
+ quote.c | 10 +++++++++-
+ stralloc_catb.c | 8 +++++++-
+ stralloc_opyb.c | 8 +++++++-
+ substdo.c | 4 ++--
+ 8 files changed, 46 insertions(+), 17 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 0f0e31a..4b592c6 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1673,7 +1673,7 @@ qsutil.h
+ ./compile qsutil.c
+
+ quote.o: \
+-compile quote.c stralloc.h gen_alloc.h str.h quote.h
++compile quote.c stralloc.h gen_alloc.h str.h quote.h error.h
+ ./compile quote.c
+
+ rcpthosts.o: \
+@@ -1965,7 +1965,7 @@ compile stralloc_cat.c byte.h stralloc.h gen_alloc.h
+ ./compile stralloc_cat.c
+
+ stralloc_catb.o: \
+-compile stralloc_catb.c stralloc.h gen_alloc.h byte.h
++compile stralloc_catb.c stralloc.h gen_alloc.h byte.h error.h
+ ./compile stralloc_catb.c
+
+ stralloc_cats.o: \
+@@ -1982,7 +1982,7 @@ gen_allocdefs.h
+ ./compile stralloc_eady.c
+
+ stralloc_opyb.o: \
+-compile stralloc_opyb.c stralloc.h gen_alloc.h byte.h
++compile stralloc_opyb.c stralloc.h gen_alloc.h byte.h error.h
+ ./compile stralloc_opyb.c
+
+ stralloc_opys.o: \
+diff --git a/alloc.c b/alloc.c
+index c661453..3ab5f6f 100644
+--- a/alloc.c
++++ b/alloc.c
+@@ -1,7 +1,6 @@
++#include
+ #include "alloc.h"
+ #include "error.h"
+-extern char *malloc();
+-extern void free();
+
+ #define ALIGNMENT 16 /* XXX: assuming that this alignment is enough */
+ #define SPACE 4096 /* must be multiple of ALIGNMENT */
+@@ -11,15 +10,23 @@ static aligned realspace[SPACE / ALIGNMENT];
+ #define space ((char *) realspace)
+ static unsigned int avail = SPACE; /* multiple of ALIGNMENT; 0<=avail<=SPACE */
+
++static char *m_alloc(unsigned int n)
++{
++ char *x = malloc(n);
++ if (!x) errno = error_nomem;
++ return x;
++}
++
+ /*@null@*//*@out@*/char *alloc(n)
+ unsigned int n;
+ {
+- char *x;
+- n = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */
++ if (n >= SPACE)
++ return m_alloc(n);
++ /* Round it up to the next multiple of alignment. Could overflow if n is
++ * close to 2**32, but by the check above this is already ruled out. */
++ n = ALIGNMENT + n - (n & (ALIGNMENT - 1));
+ if (n <= avail) { avail -= n; return space + avail; }
+- x = malloc(n);
+- if (!x) errno = error_nomem;
+- return x;
++ return m_alloc(n);
+ }
+
+ void alloc_free(x)
+diff --git a/qmail-local.c b/qmail-local.c
+index 6fec288..f5e33fd 100644
+--- a/qmail-local.c
++++ b/qmail-local.c
+@@ -1,5 +1,6 @@
+ #include
+ #include
++#include
+ #include "readwrite.h"
+ #include "sig.h"
+ #include "env.h"
+@@ -633,7 +634,7 @@ char **argv;
+ i = j + 1;
+ }
+
+- recips = (char **) alloc((numforward + 1) * sizeof(char *));
++ recips = (char **) calloc(numforward + 1, sizeof(char *));
+ if (!recips) temp_nomem();
+ numforward = 0;
+
+diff --git a/qmail-pop3d.c b/qmail-pop3d.c
+index 0ca4f9c..1916433 100644
+--- a/qmail-pop3d.c
++++ b/qmail-pop3d.c
+@@ -1,5 +1,6 @@
+ #include
+ #include
++#include
+ #include "commands.h"
+ #include "sig.h"
+ #include "getln.h"
+@@ -131,7 +132,7 @@ void getlist()
+ if (maildir_scan(&pq,&filenames,1,1) == -1) die_scan();
+
+ numm = pq.p ? pq.len : 0;
+- m = (struct message *) alloc(numm * sizeof(struct message));
++ m = (struct message *) calloc(numm, sizeof(struct message));
+ if (!m) die_nomem();
+
+ for (i = 0;i < numm;++i) {
+diff --git a/quote.c b/quote.c
+index 659cfcd..73b7214 100644
+--- a/quote.c
++++ b/quote.c
+@@ -1,3 +1,4 @@
++#include "error.h"
+ #include "stralloc.h"
+ #include "str.h"
+ #include "quote.h"
+@@ -23,8 +24,15 @@ stralloc *sain;
+ char ch;
+ int i;
+ int j;
++ unsigned int nlen;
+
+- if (!stralloc_ready(saout,sain->len * 2 + 2)) return 0;
++ /* make sure the size calculation below does not overflow */
++ if (__builtin_mul_overflow(sain->len, 2, &nlen) ||
++ __builtin_add_overflow(nlen, 2, &nlen)) {
++ errno = error_nomem;
++ return 0;
++ }
++ if (!stralloc_ready(saout,nlen)) return 0;
+ j = 0;
+ saout->s[j++] = '"';
+ for (i = 0;i < sain->len;++i)
+diff --git a/stralloc_catb.c b/stralloc_catb.c
+index 67dbcc0..a315810 100644
+--- a/stralloc_catb.c
++++ b/stralloc_catb.c
+@@ -1,13 +1,19 @@
+ #include "stralloc.h"
+ #include "byte.h"
++#include "error.h"
+
+ int stralloc_catb(sa,s,n)
+ stralloc *sa;
+ char *s;
+ unsigned int n;
+ {
++ unsigned int i;
+ if (!sa->s) return stralloc_copyb(sa,s,n);
+- if (!stralloc_readyplus(sa,n + 1)) return 0;
++ if (__builtin_add_overflow(n, 1, &i)) {
++ errno = error_nomem;
++ return 0;
++ }
++ if (!stralloc_readyplus(sa,i)) return 0;
+ byte_copy(sa->s + sa->len,n,s);
+ sa->len += n;
+ sa->s[sa->len] = 'Z'; /* ``offensive programming'' */
+diff --git a/stralloc_opyb.c b/stralloc_opyb.c
+index ac258b3..8a6f305 100644
+--- a/stralloc_opyb.c
++++ b/stralloc_opyb.c
+@@ -1,12 +1,18 @@
+ #include "stralloc.h"
+ #include "byte.h"
++#include "error.h"
+
+ int stralloc_copyb(sa,s,n)
+ stralloc *sa;
+ char *s;
+ unsigned int n;
+ {
+- if (!stralloc_ready(sa,n + 1)) return 0;
++ unsigned int i;
++ if (__builtin_add_overflow(n, 1, &i)) {
++ errno = error_nomem;
++ return 0;
++ }
++ if (!stralloc_ready(sa,i)) return 0;
+ byte_copy(sa->s,n,s);
+ sa->len = n;
+ sa->s[n] = 'Z'; /* ``offensive programming'' */
+diff --git a/substdo.c b/substdo.c
+index bccf0d6..ad7232a 100644
+--- a/substdo.c
++++ b/substdo.c
+@@ -38,9 +38,9 @@ register substdio *s;
+ int substdio_bput(s,buf,len)
+ register substdio *s;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+- register int n;
++ register unsigned int n;
+
+ while (len > (n = s->n - s->p)) {
+ byte_copy(s->x + s->p,n,buf); s->p += n; buf += n; len -= n;
+--
+2.26.1
+
diff --git a/mail-mta/netqmail/netqmail-1.06-r13.ebuild b/mail-mta/netqmail/netqmail-1.06-r13.ebuild
new file mode 100644
index 000000000000..56be4e1891ca
--- /dev/null
+++ b/mail-mta/netqmail/netqmail-1.06-r13.ebuild
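Review bot: In the qmail-pop3d.c hunk `calloc(numm, sizeof(struct message))` is reached with `numm == 0` when `pq.p` is null or `pq.len` is 0, and the C standard allows a zero-size `calloc` to return a null pointer, which the next line hands to `die_nomem()`. The `alloc()` it replaces rounds a zero request up to `ALIGNMENT` (see the alloc.c hunk of this same patch), so an empty mailbox previously got a non-null pointer regardless of the libc. Testing the count as well keeps that behaviour: `if (!m && numm) die_nomem();`. The rest of `getlist()` is outside the hunk, so it should be confirmed that `m` is not dereferenced when `numm` is 0. Separately, quote.c keeps `int j` as the index into `saout->s` although the overflow check now admits lengths whose doubled value exceeds `INT_MAX`.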
@@ -0,0 +1,203 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+GENQMAIL_PV=20191010
+QMAIL_SPP_PV=0.42
+
+QMAIL_TLS_PV=20190114
+QMAIL_TLS_F=${PN}-1.05-tls-smtpauth-${QMAIL_TLS_PV}.patch
+QMAIL_TLS_CVE=vu555316.patch
+
+QMAIL_BIGTODO_PV=103
+QMAIL_BIGTODO_F=big-todo.${QMAIL_BIGTODO_PV}.patch
+
+QMAIL_LARGE_DNS='qmail-103.patch'
+
+QMAIL_SMTPUTF8='qmail-smtputf8.patch'
+
+inherit qmail
+
+DESCRIPTION="qmail -- a secure, reliable, efficient, simple message transfer agent"
+HOMEPAGE="
+ http://netqmail.org
+ https://cr.yp.to/qmail.html
+ http://qmail.org
+"
+SRC_URI="mirror://qmail/${P}.tar.gz
+ https://github.com/DerDakon/genqmail/releases/download/genqmail-${GENQMAIL_PV}/${GENQMAIL_F}
+ https://www.ckdhr.com/ckd/${QMAIL_LARGE_DNS}
+ !vanilla? (
+ highvolume? ( mirror://qmail/${QMAIL_BIGTODO_F} )
+ qmail-spp? ( mirror://sourceforge/qmail-spp/${QMAIL_SPP_F} )
+ ssl? (
+ https://mirror.alexh.name/qmail/netqmail/${QMAIL_TLS_F}
+ http://inoa.net/qmail-tls/${QMAIL_TLS_CVE}
+ https://arnt.gulbrandsen.priv.no/qmail/qmail-smtputf8.patch
+ )
+ )
+"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha amd64 ~arm hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 sparc ~x86"
+IUSE="authcram gencertdaily highvolume libressl pop3 qmail-spp ssl vanilla"
+REQUIRED_USE="vanilla? ( !ssl !qmail-spp !highvolume )"
+RESTRICT="test"
+
+DEPEND="
+ acct-group/nofiles
+ acct-group/qmail
+ acct-user/alias
+ acct-user/qmaild
+ acct-user/qmaill
+ acct-user/qmailp
+ acct-user/qmailq
+ acct-user/qmailr
+ acct-user/qmails
+ net-dns/libidn2
+ net-mail/queue-repair
+ sys-apps/gentoo-functions
+ sys-apps/groff
+ ssl? (
+ !libressl? ( >=dev-libs/openssl-1.1:0= )
+ libressl? ( dev-libs/libressl:= )
+ )
+"
+RDEPEND="${DEPEND}
+ sys-apps/ucspi-tcp
+ virtual/checkpassword
+ virtual/daemontools
+ authcram? ( >=net-mail/cmd5checkpw-0.30 )
+ ssl? (
+ pop3? ( sys-apps/ucspi-ssl )
+ )
+ !mail-mta/courier
+ !mail-mta/esmtp
+ !mail-mta/exim
+ !mail-mta/mini-qmail
+ !mail-mta/msmtp[mta]
+ !mail-mta/nullmailer
+ !mail-mta/opensmtpd
+ !mail-mta/postfix
+ !mail-mta/qmail-ldap
+ !mail-mta/sendmail
+ !mail-mta/ssmtp[mta]
+"
+
+pkg_setup() {
+ if [[ -n "${QMAIL_PATCH_DIR}" ]]; then
+ eerror
+ eerror "The QMAIL_PATCH_DIR variable for custom patches"
+ eerror "has been removed from ${PN}. If you need custom patches"
+ eerror "see 'user patches' in the portage manual."
+ eerror
+ die "QMAIL_PATCH_DIR is not supported anymore"
+ fi
+}
+
+src_unpack() {
+ genqmail_src_unpack
+ use qmail-spp && qmail_spp_src_unpack
+
+ unpack ${P}.tar.gz
+}
+
+PATCHES=(
+ "${FILESDIR}/${PV}-exit.patch"
+ "${FILESDIR}/${PV}-readwrite.patch"
+ "${DISTDIR}/${QMAIL_LARGE_DNS}"
+ "${FILESDIR}/${PV}-fbsd-utmpx.patch"
+ "${FILESDIR}/${P}-ipme-multiple.patch"
+ "${FILESDIR}/${P}-any-to-cname.patch"
+ "${FILESDIR}/${P}-CVE-2005-1513.patch"
+ "${FILESDIR}/${P}-CVE-2005-1514.patch"
+ "${FILESDIR}/${P}-CVE-2005-1515.patch"
+ "${FILESDIR}/${P}-overflows.patch"
+)
+
+src_prepare() {
+ if ! use vanilla; then
+ if use ssl; then
+ # This patch contains relative paths and needs to be cleaned up.
+ sed 's~^--- \.\./\.\./~--- ~g' \
+ < "${DISTDIR}"/${QMAIL_TLS_F} \
+ > "${T}"/${QMAIL_TLS_F} || die
+ PATCHES+=( "${T}/${QMAIL_TLS_F}"
+ "${DISTDIR}/${QMAIL_TLS_CVE}"
+ "${FILESDIR}/qmail-smtputf8.patch"
+ "${FILESDIR}/qmail-smtputf8-crlf-fix.patch"
+ )
+ fi
+ if use highvolume; then
+ PATCHES+=( "${DISTDIR}/${QMAIL_BIGTODO_F}" )
+ fi
+
+ if use qmail-spp; then
+ if use ssl; then
+ SPP_PATCH="${QMAIL_SPP_S}/qmail-spp-smtpauth-tls-20060105.diff"
+ else
+ SPP_PATCH="${QMAIL_SPP_S}/netqmail-spp.diff"
+ fi
+ # make the patch work with "-p1"
+ sed -e 's#^--- \([Mq]\)#--- a/\1#' -e 's#^+++ \([Mq]\)#+++ b/\1#' -i ${SPP_PATCH} || die
+
+ PATCHES+=( "${SPP_PATCH}" )
+ fi
+ fi
+
+ default
+
+ qmail_src_postunpack
+
+ # Fix bug #33818 but for netqmail (Bug 137015)
+ if ! use authcram; then
+ einfo "Disabled CRAM_MD5 support"
+ sed -e 's,^#define CRAM_MD5$,/*&*/,' -i "${S}"/qmail-smtpd.c || die
+ else
+ einfo "Enabled CRAM_MD5 support"
+ fi
+
+ ht_fix_file Makefile*
+}
+
+src_compile() {
+ qmail_src_compile
+ use qmail-spp && qmail_spp_src_compile
+}
+
+src_install() {
+ qmail_src_install
+}
+
+pkg_postinst() {
+ qmail_queue_setup
+ qmail_rootmail_fixup
+ qmail_tcprules_build
+
+ qmail_config_notice
+ qmail_supervise_config_notice
+ elog
+ elog "If you are looking for documentation, check those links:"
+ elog "https://wiki.gentoo.org/wiki/Virtual_mail_hosting_with_qmail"
+ elog " -- qmail/vpopmail Virtual Mail Hosting System Guide"
+ elog "http://www.lifewithqmail.com/"
+ elog " -- Life with qmail"
+ elog
+}
+
+pkg_preinst() {
+ qmail_tcprules_fixup
+}
+
+pkg_config() {
+ # avoid some weird locale problems
+ export LC_ALL=C
+
+ qmail_config_fast
+ qmail_tcprules_config
+ qmail_tcprules_build
+
+ use ssl && qmail_ssl_generate
+}
--
2.26.2
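Review bot: `SRC_URI` downloads `qmail-smtputf8.patch` from arnt.gulbrandsen.priv.no under `ssl?`, but `src_prepare` applies `${FILESDIR}/qmail-smtputf8.patch`, and `QMAIL_SMTPUTF8` is assigned at the top without being referenced anywhere in this file, so the fetched distfile is never the one applied. If the downloaded copy is the intended one, the two spots would read `https://arnt.gulbrandsen.priv.no/qmail/${QMAIL_SMTPUTF8}` and `"${DISTDIR}/${QMAIL_SMTPUTF8}"`, matching how `${QMAIL_TLS_CVE}` is handled; if the `FILESDIR` copy is intended, the `SRC_URI` entry and the variable can go. Whether `files/qmail-smtputf8.patch` exists is not visible from this commit, and the qmail eclass may read the variable. `${QMAIL_TLS_CVE}` is fetched over plain `http://`, so its integrity rests on the Manifest digest, which this commit does not touch; and `-i ${SPP_PATCH}` in the qmail-spp branch should be quoted as `-i "${SPP_PATCH}"`.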