From 4c9325d8655e362fee1eebb5e49db461d4aea8c7 Mon Sep 17 00:00:00 2001 From: adrianp Date: Wed, 14 Jun 2006 18:53:53 +0000 Subject: Bump PKGREVISION. A malformed MIME structure with many parts can cause sendmail to crash while trying to send a mail due to a stack overflow, e.g., if the stack size is limited (ulimit -s). This happens because the recursion of the function mime8to7() was not restricted. The function is called for MIME 8 to 7 bit conversion and also to enforce MaxMimeHeaderLength. To work around this problem, recursive calls are limited to a depth of MAXMIMENESTING (20); message content after this limit is treated as opaque and is not checked further. --- mail/sendmail/Makefile | 4 +- mail/sendmail/distinfo | 6 ++- mail/sendmail/patches/patch-aj | 22 +++++++++ mail/sendmail/patches/patch-ak | 103 +++++++++++++++++++++++++++++++++++++++++ mail/sendmail/patches/patch-al | 21 +++++++++ mail/sendmail/patches/patch-am | 8 ++++ 6 files changed, 161 insertions(+), 3 deletions(-) create mode 100644 mail/sendmail/patches/patch-aj create mode 100644 mail/sendmail/patches/patch-ak create mode 100644 mail/sendmail/patches/patch-al create mode 100644 mail/sendmail/patches/patch-am (limited to 'mail/sendmail') diff --git a/mail/sendmail/Makefile b/mail/sendmail/Makefile index 40c76fad996..8729ee3b57e 100644 --- a/mail/sendmail/Makefile +++ b/mail/sendmail/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.89 2006/06/07 14:48:28 joerg Exp $ +# $NetBSD: Makefile,v 1.90 2006/06/14 18:53:54 adrianp Exp $ .include "../../mail/sendmail/Makefile.common" PKGNAME= sendmail-${DIST_VERS} -PKGREVISION= 2 +PKGREVISION= 3 COMMENT= The well known Mail Transport Agent CONFLICTS+= courier-mta-[0-9]* fastforward>=0.51nb2 postfix-[0-9]* diff --git a/mail/sendmail/distinfo b/mail/sendmail/distinfo index 4a8aec23812..921c3c04b4e 100644 --- a/mail/sendmail/distinfo +++ b/mail/sendmail/distinfo 
@@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.29 2006/06/07 14:48:28 joerg Exp $ +$NetBSD: distinfo,v 1.30 2006/06/14 18:53:54 adrianp Exp $ SHA1 (sendmail.8.13.6.tar.gz) = 6c35f4780bd9fc5f8982977ad699752e2ccb26d0 RMD160 (sendmail.8.13.6.tar.gz) = cbb0649b5dec8e4b4850c76ad4a132a15335df3b @@ -12,3 +12,7 @@ SHA1 (patch-af) = d26481845328adad6d46fdf797785ec2ad003e28 SHA1 (patch-ag) = 672c3e8a0c897f2c721d45393d85d4ea819d55a6 SHA1 (patch-ah) = e6be09008b9230ffdd1560aaacbdbb2ee4fb8028 SHA1 (patch-ai) = 8ade5888074ad9a328f87d66836c04eacf7785d5 +SHA1 (patch-aj) = 5dbceffb6397e28beb0c9350398238877928ead8 +SHA1 (patch-ak) = 0688b603018fc58510174a012ca7d2425665a7cd +SHA1 (patch-al) = 9527aa7046a6b4be63c12108b5e03d6b13009d2d +SHA1 (patch-am) = 6a7e14410ddc619a08142b90bd15f55eb23d32b8 diff --git a/mail/sendmail/patches/patch-aj b/mail/sendmail/patches/patch-aj new file mode 100644 index 00000000000..74389d9c065 --- /dev/null +++ b/mail/sendmail/patches/patch-aj @@ -0,0 +1,22 @@ +$NetBSD: patch-aj,v 1.3 2006/06/14 18:53:53 adrianp Exp $ + +--- sendmail/deliver.c.orig 2006-03-02 01:37:39.000000000 +0000 ++++ sendmail/deliver.c +@@ -4623,7 +4623,7 @@ putbody(mci, e, separator) + /* now do the hard work */ + boundaries[0] = NULL; + mci->mci_flags |= MCIF_INHEADER; +- if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER) == ++ if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER, 0) == + SM_IO_EOF) + goto writeerr; + } +@@ -4654,7 +4654,7 @@ putbody(mci, e, separator) + SuprErrs = true; + + if (mime8to7(mci, e->e_header, e, boundaries, +- M87F_OUTER|M87F_NO8TO7) == SM_IO_EOF) ++ M87F_OUTER|M87F_NO8TO7, 0) == SM_IO_EOF) + goto writeerr; + + /* restore SuprErrs */ diff --git a/mail/sendmail/patches/patch-ak b/mail/sendmail/patches/patch-ak new file mode 100644 index 00000000000..92ac4b5b253 --- /dev/null +++ b/mail/sendmail/patches/patch-ak 
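Review bot: The second call in putbody() is made right after the context line `SuprErrs = true;` (the condition guarding that assignment lies outside the hunk), so when it runs, the `usrerr()` that mime8to7() now raises on hitting the nesting limit is presumably suppressed and only the `tTd(43, 4)` debug output remains as a trace. This is the `M87F_NO8TO7` call, and per the commit message content past the limit is not checked further, so nothing an operator would normally see records it. A log line after the call that does not depend on SuprErrs would make the event detectable, e.g. `if (bitset(EF_TOODEEP, e->e_flags) && LogLevel > 8) sm_syslog(LOG_INFO, e->e_id, "MIME nesting too deep, remaining parts not checked");`. putbody() starts and ends outside both inner hunks.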
@@ -0,0 +1,103 @@ +$NetBSD: patch-ak,v 1.3 2006/06/14 18:53:53 adrianp Exp $ + +--- sendmail/mime.c.orig 2006-03-01 18:07:45.000000000 +0000 ++++ sendmail/mime.c +@@ -80,6 +80,7 @@ static bool MapNLtoCRLF; + ** boundaries -- the currently pending message boundaries. + ** NULL if we are processing the outer portion. + ** flags -- to tweak processing. ++** level -- recursion level. + ** + ** Returns: + ** An indicator of what terminated the message part: +@@ -96,12 +97,13 @@ struct args + }; + + int +-mime8to7(mci, header, e, boundaries, flags) ++mime8to7(mci, header, e, boundaries, flags, level) + register MCI *mci; + HDR *header; + register ENVELOPE *e; + char **boundaries; + int flags; ++ int level; + { + register char *p; + int linelen; +@@ -122,6 +124,18 @@ mime8to7(mci, header, e, boundaries, fla + char pvpbuf[MAXLINE]; + extern unsigned char MimeTokenTab[256]; + ++ if (level > MAXMIMENESTING) ++ { ++ if (!bitset(EF_TOODEEP, e->e_flags)) ++ { ++ if (tTd(43, 4)) ++ sm_dprintf("mime8to7: too deep, level=%d\n", ++ level); ++ usrerr("mime8to7: recursion level %d exceeded", ++ level); ++ e->e_flags |= EF_DONT_MIME|EF_TOODEEP; ++ } ++ } + if (tTd(43, 1)) + { + sm_dprintf("mime8to7: flags = %x, boundaries =", flags); +@@ -242,7 +256,9 @@ mime8to7(mci, header, e, boundaries, fla + */ + + if (sm_strcasecmp(type, "multipart") == 0 && +- (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags))) ++ (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)) && ++ !bitset(EF_TOODEEP, e->e_flags) ++ ) + { + + if (sm_strcasecmp(subtype, "digest") == 0) +@@ -286,10 +302,13 @@ mime8to7(mci, header, e, boundaries, fla + } + if (i >= MAXMIMENESTING) + { +- usrerr("mime8to7: multipart nesting boundary too deep"); ++ if (tTd(43, 4)) ++ sm_dprintf("mime8to7: too deep, i=%d\n", i); ++ if (!bitset(EF_TOODEEP, e->e_flags)) ++ usrerr("mime8to7: multipart nesting boundary too deep"); + + /* avoid bounce loops */ +- e->e_flags |= EF_DONT_MIME; ++ e->e_flags |= EF_DONT_MIME|EF_TOODEEP; 
+ } + else + { +@@ -333,7 +352,8 @@ mime8to7(mci, header, e, boundaries, fla + goto writeerr; + if (tTd(43, 101)) + putline("+++after putheader", mci); +- bt = mime8to7(mci, hdr, e, boundaries, flags); ++ bt = mime8to7(mci, hdr, e, boundaries, flags, ++ level + 1); + if (bt == SM_IO_EOF) + goto writeerr; + } +@@ -374,7 +394,8 @@ mime8to7(mci, header, e, boundaries, fla + + if (sm_strcasecmp(type, "message") == 0) + { +- if (!wordinclass(subtype, 's')) ++ if (!wordinclass(subtype, 's') || ++ bitset(EF_TOODEEP, e->e_flags)) + { + flags |= M87F_NO8BIT; + } +@@ -397,7 +418,8 @@ mime8to7(mci, header, e, boundaries, fla + !bitset(M87F_NO8TO7, flags) && + !putline("MIME-Version: 1.0", mci)) + goto writeerr; +- bt = mime8to7(mci, hdr, e, boundaries, flags); ++ bt = mime8to7(mci, hdr, e, boundaries, flags, ++ level + 1); + mci->mci_flags &= ~MCIF_INMIME; + return bt; + } diff --git a/mail/sendmail/patches/patch-al b/mail/sendmail/patches/patch-al new file mode 100644 index 00000000000..ceb096e6d5a --- /dev/null +++ b/mail/sendmail/patches/patch-al @@ -0,0 +1,21 @@ +$NetBSD: patch-al,v 1.3 2006/06/14 18:53:53 adrianp Exp $ + +--- sendmail/sendmail.h.orig 2006-02-27 17:49:09.000000000 +0000 ++++ sendmail/sendmail.h +@@ -942,6 +942,7 @@ struct envelope + #define EF_TOOBIG 0x02000000L /* message is too big */ + #define EF_SPLIT 0x04000000L /* envelope has been split */ + #define EF_UNSAFE 0x08000000L /* unsafe: read from untrusted source */ ++#define EF_TOODEEP 0x10000000L /* message is nested too deep */ + + #define DLVR_NOTIFY 0x01 + #define DLVR_RETURN 0x02 +@@ -1655,7 +1656,7 @@ EXTERN unsigned long PrivacyFlags; /* pr + + /* functions */ + extern bool mime7to8 __P((MCI *, HDR *, ENVELOPE *)); +-extern int mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int)); ++extern int mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int, int)); + + /* + ** Flags passed to returntosender. 
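Review bot: The new guard at the top of mime8to7() tests `level > MAXMIMENESTING`, while the existing boundary check further down uses `i >= MAXMIMENESTING`; with the outer callers passing 0, recursion reaches level MAXMIMENESTING + 1 before EF_TOODEEP is set, which is deeper than the "depth of MAXMIMENESTING" stated in the commit message. If that stated limit is the intent, `if (level >= MAXMIMENESTING)` lines the two checks up. The guard also does not return: stopping the descent depends on the EF_TOODEEP tests added at the multipart and message branches, and no visible hunk clears the flag, so from then on any multipart part in that envelope is handled as opaque at whatever depth it appears. A comment at the guard should say so, e.g. `/* no return here: EF_TOODEEP makes the multipart and message branches below stop descending; the rest of the body is not checked */`. mime8to7() begins and ends outside these hunks.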
diff --git a/mail/sendmail/patches/patch-am b/mail/sendmail/patches/patch-am
new file mode 100644
index 00000000000..6c0a628abc1
--- /dev/null
+++ b/mail/sendmail/patches/patch-am
@@ -0,0 +1,8 @@
+$NetBSD: patch-am,v 1.1 2006/06/14 18:53:53 adrianp Exp $
+
+--- sendmail/version.c.orig 2006-03-08 19:21:21.000000000 +0000
++++ sendmail/version.c
+@@ -17,2 +17,2 @@ SM_RCSID("@(#)$Id: version.c,v 8.160 200
+
+-char Version[] = "8.13.6";
++char Version[] = "8.13.6.20060614";
-- 
cgit v1.2.3