Added CVE-2010-1132 patch from:

 https://bugzilla.redhat.com/attachment.cgi?id=401011

4 files changed, 233 insertions, 7 deletions

diff --git a/mail/spamass-milter/Makefile b/mail/spamass-milter/Makefile
index b714b39f833..d9a6ae88eab 100644
--- a/mail/spamass-milter/Makefile
+++ b/mail/spamass-milter/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.26 2008/06/20 01:09:24 joerg Exp $
+# $NetBSD: Makefile,v 1.27 2010/04/17 21:11:18 tez Exp $
 #
 
 DISTNAME=	spamass-milter-0.3.1
+PKGREVISION=	1
 CATEGORIES=	mail
 MASTER_SITES=	http://savannah.nongnu.org/download/spamass-milt/
 
diff --git a/mail/spamass-milter/distinfo b/mail/spamass-milter/distinfo
index 0243666fb66..de6826a8a26 100644
--- a/mail/spamass-milter/distinfo
+++ b/mail/spamass-milter/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.6 2006/10/12 12:19:09 obache Exp $
+$NetBSD: distinfo,v 1.7 2010/04/17 21:11:18 tez Exp $
 
 SHA1 (spamass-milter-0.3.1.tar.gz) = dd488eb9ab1f230440fba8a729bee80550f2fbff
 RMD160 (spamass-milter-0.3.1.tar.gz) = 5db6af6b31de1bf83eafbd9713d81cdc957b5033
 Size (spamass-milter-0.3.1.tar.gz) = 141144 bytes
-SHA1 (patch-aa) = a1eaf9d3d2dad72f7fa08628293f80cc15374800
+SHA1 (patch-aa) = c69afbafaba72ec59f77f024e2421b2df077a2ee
+SHA1 (patch-ab) = 5e7188cc212cc0b06671853fb13921e2e0f38c8c
diff --git a/mail/spamass-milter/patches/patch-aa b/mail/spamass-milter/patches/patch-aa
index 9aaf029f303..0e54216e9ed 100644
--- a/mail/spamass-milter/patches/patch-aa
+++ b/mail/spamass-milter/patches/patch-aa
@@ -1,8 +1,148 @@
-$NetBSD: patch-aa,v 1.2 2006/10/12 12:19:09 obache Exp $
+$NetBSD: patch-aa,v 1.3 2010/04/17 21:11:18 tez Exp $
+Added CVE-2010-1132 patch from:
+ https://bugzilla.redhat.com/attachment.cgi?id=401011
 
---- spamass-milter.cpp.orig	2006-03-23 21:41:36.000000000 +0000
-+++ spamass-milter.cpp
-@@ -2033,7 +2033,7 @@ cmp_nocase_partial(const string& s, cons
+--- spamass-milter.cpp.orig	2010-04-17 16:04:59.724786300 -0500
++++ spamass-milter.cpp	2010-04-17 16:05:04.755469800 -0500
+@@ -171,10 +171,6 @@
+ bool flag_expand = false;	/* alias/virtusertable expansion */
+ bool warnedmacro = false;	/* have we logged that we couldn't fetch a macro? */
+ 
+-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
+-static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER;
+-#endif
+-
+ // {{{ main()
+ 
+ int
+@@ -461,59 +457,24 @@
+ 			   send another copy.  The milter API will not let you send the
+ 			   message AND return a failure code to the sender, so this is
+ 			   the only way to do it. */
+-#if defined(__FreeBSD__)
+-			int rv;
+-#endif
+-			
+-#if defined(HAVE_ASPRINTF)
+-			char *buf;
+-#else
+-			char buf[1024];
+-#endif
+-			char *fmt="%s \"%s\"";
++			char *popen_argv[3];
+ 			FILE *p;
+ 
+-#if defined(HAVE_ASPRINTF)
+-			asprintf(&buf, fmt, SENDMAIL, spambucket);
+-#else
+-#if defined(HAVE_SNPRINTF)
+-			snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket);
+-#else
+-			/* XXX possible buffer overflow here */
+-			sprintf(buf, fmt, SENDMAIL, spambucket);
+-#endif
+-#endif
+-
+-			debug(D_COPY, "calling %s", buf);
+-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
+-			rv = pthread_mutex_lock(&popen_mutex);
+-			if (rv)
+-			{
+-				debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
+-				abort();
+-			}		
+-#endif
+-			p = popen(buf, "w");
++			popen_argv[0] = SENDMAIL;
++			popen_argv[1] = spambucket;
++			popen_argv[2] = NULL;
++			
++			debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
++			p = popenv(popen_argv, "w");
+ 			if (!p)
+ 			{
+-				debug(D_COPY, "popen failed(%s).  Will not send a copy to spambucket", strerror(errno));
++				debug(D_COPY, "popenv failed(%s).  Will not send a copy to spambucket", strerror(errno));
+ 			} else
+ 			{
+ 				// Send message provided by SpamAssassin
+ 				fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
+-				pclose(p); p = NULL;
++				fclose(p); p = NULL;
+ 			}
+-#if defined(__FreeBSD__)
+-			rv = pthread_mutex_unlock(&popen_mutex);
+-			if (rv)
+-			{
+-				debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
+-				abort();
+-			}		
+-#endif
+-#if defined(HAVE_ASPRINTF)
+-			free(buf);
+-#endif 
+ 		}
+ 		return SMFIS_REJECT;
+ 	}
+@@ -842,30 +803,19 @@
+ 		/* open a pipe to sendmail so we can do address expansion */
+ 
+ 		char buf[1024];
+-		char *fmt="%s -bv \"%s\" 2>&1";
+-
+-#if defined(HAVE_SNPRINTF)
+-		snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
+-#else
+-		/* XXX possible buffer overflow here */
+-		sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
+-#endif
++		char *popen_argv[4];
++		
++		popen_argv[0] = SENDMAIL;
++		popen_argv[1] = "-bv";
++		popen_argv[2] = envrcpt[0];
++		popen_argv[3] = NULL;
+ 
+-		debug(D_RCPT, "calling %s", buf);
++		debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
+ 
+-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
+-		rv = pthread_mutex_lock(&popen_mutex);
+-		if (rv)
+-		{
+-			debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
+-			abort();
+-		}		
+-#endif
+-
+-		p = popen(buf, "r");
++		p = popenv(popen_argv, "r");
+ 		if (!p)
+ 		{
+-			debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
++			debug(D_RCPT, "popenv failed(%s).  Will not expand aliases", strerror(errno));
+ 			assassin->expandedrcpt.push_back(envrcpt[0]);
+ 		} else
+ 		{
+@@ -890,16 +840,8 @@
+ 					assassin->expandedrcpt.push_back(p+7);
+ 				}
+ 			}
+-			pclose(p); p = NULL;
++			fclose(p); p = NULL;
+ 		}
+-#if defined(__FreeBSD__)
+-		rv = pthread_mutex_unlock(&popen_mutex);
+-		if (rv)
+-		{
+-			debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
+-			abort();
+-		}		
+-#endif
+ 	} else
+ 	{
+ 		assassin->expandedrcpt.push_back(envrcpt[0]);
+@@ -2033,7 +1975,7 @@
    string::const_iterator p=s.begin();
    string::const_iterator p2=s2.begin();
  
@@ -11,3 +151,75 @@ $NetBSD: patch-aa,v 1.2 2006/10/12 12:19:09 obache Exp $
      if (toupper(*p) != toupper(*p2))
      {
        debug(D_STR, "c_nc_p: <%s><%s> : miss", s.c_str(), s2.c_str());
+@@ -2157,5 +2099,71 @@
+ 	warnedmacro = true;
+ }
+ 
++/*
++   untrusted-argument-safe popen function - only supports "r" and "w" modes
++   for simplicity, and always reads stdout and stderr in "r" mode.  Call
++   fclose to close the FILE.
++*/
++FILE *popenv(char *const argv[], const char *type)
++{
++	FILE *iop;
++	int pdes[2];
++	int save_errno;
++	if ((*type != 'r' && *type != 'w') || type[1])
++	{
++		errno = EINVAL;
++		return (NULL);
++	}
++	if (pipe(pdes) < 0)
++		return (NULL);
++	switch (fork()) {
++	
++	case -1:			/* Error. */
++		save_errno = errno;
++		(void)close(pdes[0]);
++		(void)close(pdes[1]);
++		errno = save_errno;
++		return (NULL);
++		/* NOTREACHED */
++	case 0:				/* Child. */
++		if (*type == 'r') {
++			/*
++			 * The dup2() to STDIN_FILENO is repeated to avoid
++			 * writing to pdes[1], which might corrupt the
++			 * parent's copy.  This isn't good enough in
++			 * general, since the exit() is no return, so
++			 * the compiler is free to corrupt all the local
++			 * variables.
++			 */
++			(void)close(pdes[0]);
++			(void)dup2(pdes[1], STDOUT_FILENO);
++			(void)dup2(pdes[1], STDERR_FILENO);
++			if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) {
++				(void)close(pdes[1]);
++			} 
++		} else {
++			if (pdes[0] != STDIN_FILENO) {
++				(void)dup2(pdes[0], STDIN_FILENO);
++				(void)close(pdes[0]);
++			}
++			(void)close(pdes[1]);
++		}
++		execv(argv[0], argv);
++		exit(127);
++		/* NOTREACHED */
++	}
++
++	/* Parent; assume fdopen can't fail. */
++	if (*type == 'r') {
++		iop = fdopen(pdes[0], type);
++		(void)close(pdes[1]);
++	} else {
++		iop = fdopen(pdes[1], type);
++		(void)close(pdes[0]);
++	}
++
++	return (iop);
++}
++
+ // }}}
+ // vim6:ai:noexpandtab
diff --git a/mail/spamass-milter/patches/patch-ab b/mail/spamass-milter/patches/patch-ab
new file mode 100644
index 00000000000..9976beaffeb
--- /dev/null
+++ b/mail/spamass-milter/patches/patch-ab
@@ -0,0 +1,12 @@
+$NetBSD: patch-ab,v 1.1 2010/04/17 21:11:18 tez Exp $
+CVE-2010-1132 patch from https://bugzilla.redhat.com/attachment.cgi?id=401011
+
+--- spamass-milter.h	7 Apr 2005 02:04:24 -0000	1.23
++++ spamass-milter.h	10 Mar 2010 18:52:22 -0000
+@@ -186,5 +186,6 @@
+ void parse_debuglevel(char* string);
+ char *strlwr(char *str);
+ void warnmacro(char *macro, char *scope);
++FILE *popenv(char *const argv[], const char *type);
+ 
+ #endif