Pullup ticket 1701 - requested by adrianp

security fix for sendmail812

Patch provided by the submitter.

   Module Name:		pkgsrc
   Committed By:	adrianp
   Date:		Wed Jun 14 18:57:34 UTC 2006

   Modified Files:
   	pkgsrc/mail/sendmail812: Makefile distinfo
   Added Files:
   	pkgsrc/mail/sendmail812/patches: patch-ah patch-ai patch-aj patch-ak

   Log Message:
   Bump PKGREVISION.
   A malformed MIME structure with many parts can cause sendmail to
   crash while trying to send a mail due to a stack overflow,
   e.g., if the stack size is limited (ulimit -s).  This
   happens because the recursion of the function mime8to7()
   was not restricted.  The function is called for MIME 8 to
   7 bit conversion and also to enforce MaxMimeHeaderLength.
   To work around this problem, recursive calls are limited to
   a depth of MAXMIMENESTING (20); message content after this
   limit is treated as opaque and is not checked further.

6 files changed, 161 insertions, 3 deletions

diff --git a/mail/sendmail812/Makefile b/mail/sendmail812/Makefile
index 2849997eb0a..d02a92dca2c 100644
--- a/mail/sendmail812/Makefile
+++ b/mail/sendmail812/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.8 2006/03/22 21:19:06 tv Exp $
+# $NetBSD: Makefile,v 1.8.2.1 2006/06/14 21:07:23 salo Exp $
 
 .include "options.mk"
 .include "../../mail/sendmail812/Makefile.common"
 
 PKGNAME=	sendmail-${DIST_VERS}
-PKGREVISION=	2
+PKGREVISION=	3
 COMMENT=	The well known Mail Transport Agent
 
 CONFLICTS+=	postfix-[0-9]* fastforward>=0.51nb2
diff --git a/mail/sendmail812/distinfo b/mail/sendmail812/distinfo
index 6a1b3530cb5..a0763147199 100644
--- a/mail/sendmail812/distinfo
+++ b/mail/sendmail812/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2006/03/22 21:19:06 tv Exp $
+$NetBSD: distinfo,v 1.4.2.1 2006/06/14 21:07:23 salo Exp $
 
 SHA1 (sendmail.8.12.11.tar.gz) = ce1ba0e50740c548f8555f1a905d8514e6637f95
 RMD160 (sendmail.8.12.11.tar.gz) = a80ceccbe3425ea01ce6cb89f2226f83b3562b64
@@ -13,3 +13,7 @@ SHA1 (patch-ad) = 7232cc7ceb46a2dbf631d61185e4c6ca4af18a13
 SHA1 (patch-ae) = ae06caa125fe4d4fc85123dc0a5d0016cd099ebd
 SHA1 (patch-af) = d26481845328adad6d46fdf797785ec2ad003e28
 SHA1 (patch-ag) = 4e84e709338eecc0dc14a6df42d8071fee1938a3
+SHA1 (patch-ah) = b876e92147bce47fee5f77106c2a1b281fac743f
+SHA1 (patch-ai) = d17bc0a551fa5efd59f4822ca59049e166e59d86
+SHA1 (patch-aj) = 6901b3efacf02ba5f71fbfb6056b1eced9d4c037
+SHA1 (patch-ak) = 12e2d44366920ee3c5f697d0e2f15fcd02d2d64f
diff --git a/mail/sendmail812/patches/patch-ah b/mail/sendmail812/patches/patch-ah
new file mode 100644
index 00000000000..9b829c3e651
--- /dev/null
+++ b/mail/sendmail812/patches/patch-ah
@@ -0,0 +1,22 @@
+$NetBSD: patch-ah,v 1.1.2.2 2006/06/14 21:07:23 salo Exp $
+
+--- sendmail/deliver.c.orig	2006-06-13 21:35:58.000000000 +0100
++++ sendmail/deliver.c
+@@ -4566,7 +4566,7 @@ putbody(mci, e, separator)
+ 		/* now do the hard work */
+ 		boundaries[0] = NULL;
+ 		mci->mci_flags |= MCIF_INHEADER;
+-		if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER) ==
++		if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER, 0) ==
+ 								SM_IO_EOF)
+ 			goto writeerr;
+ 	}
+@@ -4597,7 +4597,7 @@ putbody(mci, e, separator)
+ 			SuprErrs = true;
+ 
+ 		if (mime8to7(mci, e->e_header, e, boundaries,
+-				M87F_OUTER|M87F_NO8TO7) == SM_IO_EOF)
++				M87F_OUTER|M87F_NO8TO7, 0) == SM_IO_EOF)
+ 			goto writeerr;
+ 
+ 		/* restore SuprErrs */
diff --git a/mail/sendmail812/patches/patch-ai b/mail/sendmail812/patches/patch-ai
new file mode 100644
index 00000000000..32d617f1a7d
--- /dev/null
+++ b/mail/sendmail812/patches/patch-ai
@@ -0,0 +1,103 @@
+$NetBSD: patch-ai,v 1.1.2.2 2006/06/14 21:07:23 salo Exp $
+
+--- sendmail/mime.c.orig	2006-06-13 21:35:58.000000000 +0100
++++ sendmail/mime.c
+@@ -80,6 +80,7 @@ static bool	MapNLtoCRLF;
+ **		boundaries -- the currently pending message boundaries.
+ **			NULL if we are processing the outer portion.
+ **		flags -- to tweak processing.
++**		level -- recursion level.
+ **
+ **	Returns:
+ **		An indicator of what terminated the message part:
+@@ -96,12 +97,13 @@ struct args
+ };
+ 
+ int
+-mime8to7(mci, header, e, boundaries, flags)
++mime8to7(mci, header, e, boundaries, flags, level)
+ 	register MCI *mci;
+ 	HDR *header;
+ 	register ENVELOPE *e;
+ 	char **boundaries;
+ 	int flags;
++	int level;
+ {
+ 	register char *p;
+ 	int linelen;
+@@ -122,6 +124,18 @@ mime8to7(mci, header, e, boundaries, fla
+ 	char pvpbuf[MAXLINE];
+ 	extern unsigned char MimeTokenTab[256];
+ 
++	if (level > MAXMIMENESTING)
++	{
++		if (!bitset(EF_TOODEEP, e->e_flags))
++		{
++			if (tTd(43, 4))
++				sm_dprintf("mime8to7: too deep, level=%d\n",
++					   level);
++			usrerr("mime8to7: recursion level %d exceeded",
++				level);
++			e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
++		}
++	}
+ 	if (tTd(43, 1))
+ 	{
+ 		sm_dprintf("mime8to7: flags = %x, boundaries =", flags);
+@@ -242,7 +256,9 @@ mime8to7(mci, header, e, boundaries, fla
+ 	*/
+ 
+ 	if (sm_strcasecmp(type, "multipart") == 0 &&
+-	    (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)))
++	    (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)) &&
++	    !bitset(EF_TOODEEP, e->e_flags)
++	   )
+ 	{
+ 
+ 		if (sm_strcasecmp(subtype, "digest") == 0)
+@@ -286,10 +302,13 @@ mime8to7(mci, header, e, boundaries, fla
+ 		}
+ 		if (i >= MAXMIMENESTING)
+ 		{
+-			usrerr("mime8to7: multipart nesting boundary too deep");
++			if (tTd(43, 4))
++				sm_dprintf("mime8to7: too deep, i=%d\n", i);
++			if (!bitset(EF_TOODEEP, e->e_flags))
++				usrerr("mime8to7: multipart nesting boundary too deep");
+ 
+ 			/* avoid bounce loops */
+-			e->e_flags |= EF_DONT_MIME;
++			e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
+ 		}
+ 		else
+ 		{
+@@ -333,7 +352,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 				goto writeerr;
+ 			if (tTd(43, 101))
+ 				putline("+++after putheader", mci);
+-			bt = mime8to7(mci, hdr, e, boundaries, flags);
++			bt = mime8to7(mci, hdr, e, boundaries, flags,
++				      level + 1);
+ 			if (bt == SM_IO_EOF)
+ 				goto writeerr;
+ 		}
+@@ -374,7 +394,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 
+ 	if (sm_strcasecmp(type, "message") == 0)
+ 	{
+-		if (!wordinclass(subtype, 's'))
++		if (!wordinclass(subtype, 's') ||
++		    bitset(EF_TOODEEP, e->e_flags))
+ 		{
+ 			flags |= M87F_NO8BIT;
+ 		}
+@@ -397,7 +418,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 			    !bitset(M87F_NO8TO7, flags) &&
+ 			    !putline("MIME-Version: 1.0", mci))
+ 				goto writeerr;
+-			bt = mime8to7(mci, hdr, e, boundaries, flags);
++			bt = mime8to7(mci, hdr, e, boundaries, flags,
++				      level + 1);
+ 			mci->mci_flags &= ~MCIF_INMIME;
+ 			return bt;
+ 		}
diff --git a/mail/sendmail812/patches/patch-aj b/mail/sendmail812/patches/patch-aj
new file mode 100644
index 00000000000..5e4d82e2987
--- /dev/null
+++ b/mail/sendmail812/patches/patch-aj
@@ -0,0 +1,21 @@
+$NetBSD: patch-aj,v 1.1.2.2 2006/06/14 21:07:23 salo Exp $
+
+--- sendmail/sendmail.h.orig	2006-06-13 21:35:58.000000000 +0100
++++ sendmail/sendmail.h
+@@ -942,6 +942,7 @@ struct envelope
+ #define EF_TOOBIG	0x02000000L	/* message is too big */
+ #define EF_SPLIT	0x04000000L	/* envelope has been split */
+ #define EF_UNSAFE	0x08000000L	/* unsafe: read from untrusted source */
++#define EF_TOODEEP	0x10000000L	/* message is nested too deep */
+ 
+ #define DLVR_NOTIFY	0x01
+ #define DLVR_RETURN	0x02
+@@ -1592,7 +1593,7 @@ EXTERN unsigned long	PrivacyFlags;	/* pr
+ 
+ /* functions */
+ extern bool	mime7to8 __P((MCI *, HDR *, ENVELOPE *));
+-extern int	mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int));
++extern int	mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int, int));
+ 
+ /*
+ **  Flags passed to returntosender.
diff --git a/mail/sendmail812/patches/patch-ak b/mail/sendmail812/patches/patch-ak
new file mode 100644
index 00000000000..a383fded77d
--- /dev/null
+++ b/mail/sendmail812/patches/patch-ak
@@ -0,0 +1,8 @@
+$NetBSD: patch-ak,v 1.1.2.2 2006/06/14 21:07:23 salo Exp $
+
+--- sendmail/version.c.orig	2006-06-14 20:31:43.000000000 +0100
++++ sendmail/version.c
+@@ -17,2 +17,2 @@ SM_RCSID("@(#)$Id: version.c,v 8.104.2.2
+ 
+-char	Version[] = "8.12.11.20060308";
++char	Version[] = "8.12.11.20060614";