Imported Debian patch 8.9.3-26.1debian/8.9.3-26.1

13 files changed, 799 insertions, 5 deletions

diff --git a/contrib/doublebounce.pl b/contrib/doublebounce.pl
index a853ec1..2a7934e 100644
--- a/contrib/doublebounce.pl
+++ b/contrib/doublebounce.pl
@@ -26,6 +26,7 @@
 
 
 use Socket;
+use Fcntl;
 
 # look for debug flag
 #
@@ -45,7 +46,7 @@ $tmp = "/tmp/doubb$$";
 #	I thought about reading it into a buffer here, but some messages
 #	are 10+Mb so a buffer may not be a good idea
 #
-if (! open(MSG, "+> $tmp")) {
+if (! sysopen(MSG, "$tmp", O_RDWR|O_CREAT|O_EXCL, 0600)) {
 	# can't open temp file -- send message to local postmaster
 	# open(MAIL, "| /usr/sbin/sendmail -oeq postmaster");
 	print MAIL <STDIN>;
diff --git a/contrib/expn.pl b/contrib/expn.pl
index 57f8515..7e2f730 100755
--- a/contrib/expn.pl
+++ b/contrib/expn.pl
@@ -8,6 +8,7 @@
 
 use 5.001;
 use IO::Socket;
+use Fcntl;
 
 # system requirements:
 # 	must have 'nslookup' and 'hostname' programs.
@@ -999,7 +1000,7 @@ sub mxlookup
 	}
 
 	$0 = "$av0 - nslookup of $server";
-	open(T,">/tmp/expn$$") || die "open > /tmp/expn$$: $!\n";
+	sysopen(T,"/tmp/expn$$",O_RDWR|O_CREAT|O_EXCL,0600) || die "open > /tmp/expn$$: $!\n";
 	print T "set querytype=MX\n";
 	print T "$server\n";
 	close(T);
diff --git a/debian/changelog b/debian/changelog
index 684ecff..485e1be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,46 @@
+sendmail (8.9.3-26.1) oldstable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Create temporary files securely
+    Report and patches from Paul Szabo <psz@maths.usyd.edu.au>
+    [debian/checksendmail/checksendmail.perl,
+     contrib/doublebounce.pl,
+     contrib/expn.pl]
+    (Closes: #173243)
+
+ -- Matt Zimmerman <mdz@debian.org>  Thu, 24 Apr 2003 12:57:36 -0400
+
+sendmail (8.9.3-26) oldstable-security; urgency=high
+
+   * Buffer overflow in parsing routines             closes: #186768
+   Claus Assmann <ca+announce@sendmail.org> writes:
+   > We apologize for releasing this information today (2003-03-29) but
+   > we were forced to do so by an e-mail on a public mailing list (that
+   > has been sent by an irresponsible individual) which contains
+   > information about the security flaw.
+   [...]
+   >       SECURITY: Fix a buffer overflow in address parsing due to
+   >               a char to int conversion problem which is potentially
+   >               remotely exploitable.  Problem found by Michal Zalewski.
+   >               Note: an MTA that is not patched might be vulnerable to
+   >               data that it receives from untrusted sources, which
+   >               includes DNS.
+
+ -- Richard A Nelson (Rick) <cowboy@debian.org>  Sun, 30 Mar 2003 13:10:00 -0500
+
+sendmail (8.9.3-25) oldstable-security; urgency=high
+
+  * -O0 (to get past ARM)
+  * Remote exploit (CERT Advisory CA-2003-07)
+
+ -- Richard A Nelson (Rick) <cowboy@debian.org>  Mon, 03 Mar 2003 19:50:00 -0500
+
+sendmail (8.9.3-24) oldstable-security; urgency=high
+
+  * Remote exploit (CERT Advisory CA-2003-07)
+
+ -- Richard A Nelson (Rick) <cowboy@debian.org>  Mon, 03 Mar 2003 18:00:00 -0500
+ 
 sendmail (8.9.3-23) frozen; urgency=low
 
   * Release manager - All these bugs are capable of stopping an upgrade
diff --git a/debian/checksendmail/checksendmail.perl b/debian/checksendmail/checksendmail.perl
index a8e9e11..14f4c14 100644
--- a/debian/checksendmail/checksendmail.perl
+++ b/debian/checksendmail/checksendmail.perl
@@ -24,6 +24,12 @@
 	$cffile   = "/etc/sendmail.cf";
 	$sendmail   = "/usr/sbin/sendmail";
 
+# Pre-create tmp files (so can use safely)
+use Fcntl;
+foreach ("/tmp/csm$$", "/tmp/csm.in$$") {
+  die "Can't pre-create $_" unless sysopen(T,$_,O_RDWR|O_CREAT|O_EXCL,0600) and close(T);
+}
+
 sub usage {
 	die "Usage: checksendmail [-C cffile.cf] [-r resolve_addrs_file [-T one\@test.addr\n";
 }
diff --git a/debian/control b/debian/control
index e82bfae..61fc5c5 100644
--- a/debian/control
+++ b/debian/control
@@ -6,7 +6,6 @@ Standards-Version: 3.1.1
 
 Package: sendmail
 Architecture: any
-Build-Depends: debhelper, netbase (<< 3.16-1) | libwrap0-dev, m4
 Depends: ${shlibs:Depends}, dpkg (>= 1.4.1.17), m4, awk, procmail | deliver
 Recommends: mail-reader, ${perl:Depends} | perl
 Conflicts: mail-transport-agent, smail, postfix
diff --git a/debian/local/site.config.m4.in b/debian/local/site.config.m4.in
index 9df1cee..b2eab3e 100644
--- a/debian/local/site.config.m4.in
+++ b/debian/local/site.config.m4.in
@@ -25,7 +25,7 @@ APPENDDEF(`confENVDEF', `-D_PATH_SENDMAIL=\"/usr/sbin/sendmail\"')dnl
 #
 # compilation
 define(`confCC',	`gcc')dnl
-define(`confOPTIMIZE',  `-O2 -g -Wall')dnl
+define(`confOPTIMIZE',  `-O0 -g -Wall')dnl
 #
 # Database maps, based upon presence of NISPLUS from autoconf
 define(`ac_cv_header_rpcsvc_nis_h', `@ac_cv_header_rpcsvc_nis_h@')dnl
diff --git a/debian/patches/Makefile b/debian/patches/Makefile
index b0eff7d..847f7a9 100644
--- a/debian/patches/Makefile
+++ b/debian/patches/Makefile
@@ -27,6 +27,8 @@ patch:
 	cd src && patch -p0 --version-control=never < ../debian/patches/patch.DOS
 	patch -p0 --version-control=never -l < debian/patches/cf.mailer.cyrus.m4
 	patch -p0 --version-control=never -l < debian/patches/patch.mail.local
+	patch -p0 --version-control=never -l < debian/patches/sendmail.8.9.3.security.cr.patch
+	patch -p1 --version-control=never -l < debian/patches/prescan.8.9.3.patch
 
 
 unpatch:
@@ -41,7 +43,8 @@ unpatch:
 	cd src && patch -R -p0 --version-control=never < ../debian/patches/patch.DOS
 	patch -R -p0 --version-control=never -l < debian/patches/cf.mailer.cyrus.m4
 	patch -R -p0 --version-control=never -l < debian/patches/patch.mail.local
-
+	patch -R -p0 --version-control=never -l < debian/patches/sendmail.8.9.3.security.cr.patch
+	patch -R -p1 --version-control=never -l < debian/patches/prescan.8.9.3.patch
 
 #-------------
 binary: binary-indep binary-arch
diff --git a/debian/patches/align.893.p1 b/debian/patches/align.893.p1
new file mode 100644
index 0000000..ff6add3
--- /dev/null
+++ b/debian/patches/align.893.p1
@@ -0,0 +1,17 @@
+--- ./src/main.c.ORIG	Sun Jan 10 00:31:13 1999
++++ sendmail-8.9.3/src/main.c	Sat Oct 30 04:29:25 1999
+@@ -528,10 +528,12 @@
+ 		{
+ 			for (i = 0; hp->h_addr_list[i] != NULL; i++)
+ 			{
++				struct in_addr ia;
+ 				char ipbuf[103];
+ 
++				bcopy(hp->h_addr_list[i], &ia, INADDRSZ);
+ 				snprintf(ipbuf, sizeof ipbuf, "[%.100s]",
+-					inet_ntoa(*((struct in_addr *) hp->h_addr_list[i])));
++					inet_ntoa(ia));
+ 				if (tTd(0, 4))
+ 					printf("\ta.k.a.: %s\n", ipbuf);
+ 				setclass('w', ipbuf);
+
diff --git a/debian/patches/prescan.8.9.3.patch b/debian/patches/prescan.8.9.3.patch
new file mode 100644
index 0000000..03bb80c
--- /dev/null
+++ b/debian/patches/prescan.8.9.3.patch
@@ -0,0 +1,122 @@
+Index: conf.c
+===================================================================
+RCS file: /cvs/sendmail/conf.c,v
+retrieving revision 8.456
+retrieving revision 8.456.2.2
+diff -c -r8.456 -r8.456.2.2
+*** sendmail-8.9.3/src/conf.c	7 Feb 1999 07:26:35 -0000	8.456
+--- conf.c	28 Mar 2003 06:03:22 -0000	8.456.2.2
+***************
+*** 286,291 ****
+--- 286,293 ----
+  	DontLockReadFiles = TRUE;
+  	DoubleBounceAddr = "postmaster";
+  	MaxHeadersLength = MAXHDRSLEN;
++ 	MaxMimeHeaderLength = MAXLINE;
++ 	MaxMimeFieldLength = MaxMimeHeaderLength / 2;
+  	snprintf(buf, sizeof buf, "%s%sdead.letter",
+  		_PATH_VARTMP,
+  		_PATH_VARTMP[sizeof _PATH_VARTMP - 2] == '/' ? "" : "/");
+Index: parseaddr.c
+===================================================================
+RCS file: /cvs/sendmail/parseaddr.c,v
+retrieving revision 8.159
+retrieving revision 8.159.2.3
+diff -c -r8.159 -r8.159.2.3
+*** sendmail-8.9.3/src/parseaddr.c	7 Feb 1999 07:26:40 -0000	8.159
+--- parseaddr.c	27 Mar 2003 19:42:23 -0000	8.159.2.3
+***************
+*** 403,409 ****
+  };
+  
+  
+! # define NOCHAR		-1	/* signal nothing in lookahead token */
+  
+  char **
+  prescan(addr, delim, pvpbuf, pvpbsize, delimptr, toktab)
+--- 403,409 ----
+  };
+  
+  
+! # define NOCHAR		(-1)	/* signal nothing in lookahead token */
+  
+  char **
+  prescan(addr, delim, pvpbuf, pvpbsize, delimptr, toktab)
+***************
+*** 486,491 ****
+--- 486,492 ----
+  				/* see if there is room */
+  				if (q >= &pvpbuf[pvpbsize - 5])
+  				{
++ 	addrtoolong:
+  					usrerr("553 Address too long");
+  					if (strlen(addr) > (SIZE_T) MAXNAME)
+  						addr[MAXNAME] = '\0';
+***************
+*** 497,507 ****
+  				}
+  
+  				/* squirrel it away */
+  				*q++ = c;
+  			}
+  
+  			/* read a new input character */
+! 			c = *p++;
+  			if (c == '\0')
+  			{
+  				/* diagnose and patch up bad syntax */
+--- 498,512 ----
+  				}
+  
+  				/* squirrel it away */
++ #if !ALLOW_255
++ 				if ((char) c == (char) -1 && !tTd(82, 101))
++ 					c &= 0x7f;
++ #endif /* !ALLOW_255 */
+  				*q++ = c;
+  			}
+  
+  			/* read a new input character */
+! 			c = (*p++) & 0x00ff;
+  			if (c == '\0')
+  			{
+  				/* diagnose and patch up bad syntax */
+***************
+*** 556,561 ****
+--- 561,569 ----
+  				}
+  				else if (c != '!' || state == QST)
+  				{
++ 					/* see if there is room */
++ 					if (q >= &pvpbuf[pvpbsize - 5])
++ 						goto addrtoolong;
+  					*q++ = '\\';
+  					continue;
+  				}
+***************
+*** 637,642 ****
+--- 645,653 ----
+  		/* new token */
+  		if (tok != q)
+  		{
++ 			/* see if there is room */
++ 			if (q >= &pvpbuf[pvpbsize - 5])
++ 				goto addrtoolong;
+  			*q++ = '\0';
+  			if (tTd(22, 36))
+  			{
+Index: version.c
+===================================================================
+*** sendmail-8.9.3/src/version.c	Thu Feb  4 16:38:46 1999
+--- version.c	Wed Mar 19 16:33:35 2003
+***************
+*** 14,17 ****
+  static char sccsid[] = "@(#)version.c	8.9.3.1 (Berkeley) 2/4/1999";
+  #endif /* not lint */
+  
+! char	Version[] = "8.9.3";
+--- 14,17 ----
+  static char sccsid[] = "@(#)version.c	8.9.3.1 (Berkeley) 2/4/1999";
+  #endif /* not lint */
+  
+! char	Version[] = "8.9.3p2";
diff --git a/debian/patches/proto.m4.8.9.3 b/debian/patches/proto.m4.8.9.3
new file mode 100644
index 0000000..fec4494
--- /dev/null
+++ b/debian/patches/proto.m4.8.9.3
@@ -0,0 +1,13 @@
+*** ./sendmail-8.9.3/cf/m4/proto.m4	Tue Feb  2 15:21:30 1999
+--- proto.m4.n	Tue Dec  3 15:32:38 2002
+***************
+*** 1100,1105 ****
+--- 1100,1107 ----
+  
+  ifdef(`ACCESS_TABLE', `dnl
+  R$+ $| $+		$: $>LookUpDomain < $1 > <?> < $2 >
++ # empty client_name
++ R   $| $+		$: $>LookUpAddress < $1 > <?> < $1 >
+  R<?> < $+ >		$: $>LookUpAddress < $1 > <?> < $1 >
+  R<?> < $+ >		$: $1
+  R<OK> < $* >		$@ OK
diff --git a/debian/patches/sendmail.8.9.3.security.cr.patch b/debian/patches/sendmail.8.9.3.security.cr.patch
new file mode 100644
index 0000000..394ddf6
--- /dev/null
+++ b/debian/patches/sendmail.8.9.3.security.cr.patch
@@ -0,0 +1,487 @@
+Index: headers.c
+===================================================================
+RCS file: /cvs/sendmail/headers.c,v
+retrieving revision 8.139
+retrieving revision 8.139.2.1
+diff -u -w -r8.139 -r8.139.2.1
+--- src/headers.c	7 Feb 1999 07:26:37 -0000	8.139
++++ src/headers.c	20 Jan 2003 18:51:34 -0000	8.139.2.1
+@@ -501,9 +501,10 @@
+ 			{
+ 				if (bitset(H_FROM, h->h_flags))
+ 				{
+-					extern char *crackaddr __P((char *));
++					extern char *crackaddr __P((char *, ENVELOPE *));
+ 
+-					expand(crackaddr(buf), buf, sizeof buf, e);
++					expand(crackaddr(buf, e), buf,
++					       sizeof buf, e);
+ 				}
+ 				h->h_value = newstr(buf);
+ 				h->h_flags &= ~H_DEFAULT;
+@@ -803,7 +804,11 @@
+ **	it and replaces it with "$g".  The parse is totally ad hoc
+ **	and isn't even guaranteed to leave something syntactically
+ **	identical to what it started with.  However, it does leave
+-**	something semantically identical.
++**	something semantically identical if possible, else at least
++**	syntactically correct.
++**
++**	For example, it changes "Real Name <real@example.com> (Comment)"
++**	to "Real Name <$g> (Comment)".
+ **
+ **	This algorithm has been cleaned up to handle a wider range
+ **	of cases -- notably quoted and backslash escaped strings.
+@@ -812,6 +817,7 @@
+ **
+ **	Parameters:
+ **		addr -- the address to be cracked.
++**		e -- the current envelope.
+ **
+ **	Returns:
+ **		a pointer to the new version.
+@@ -824,28 +830,50 @@
+ **		be copied if it is to be reused.
+ */
+ 
++#define SM_HAVE_ROOM		((bp < buflim) && (buflim <= bufend))
++
++/*
++**  Append a character to bp if we have room.
++**  If not, punt and return $g.
++*/
++
++#define SM_APPEND_CHAR(c)					\
++	do							\
++	{							\
++		if (SM_HAVE_ROOM)				\
++			*bp++ = (c);				\
++		else						\
++			goto returng;				\
++	} while (0)
++
++#if MAXNAME < 10
++ERROR MAXNAME must be at least 10
++#endif /* MAXNAME < 10 */
++
+ char *
+-crackaddr(addr)
++crackaddr(addr, e)
+ 	register char *addr;
++	ENVELOPE *e;
+ {
+ 	register char *p;
+ 	register char c;
+-	int cmtlev;
+-	int realcmtlev;
+-	int anglelev, realanglelev;
+-	int copylev;
+-	int bracklev;
+-	bool qmode;
+-	bool realqmode;
+-	bool skipping;
+-	bool putgmac = FALSE;
+-	bool quoteit = FALSE;
+-	bool gotangle = FALSE;
+-	bool gotcolon = FALSE;
++	int cmtlev;			/* comment level in input string */
++	int realcmtlev;			/* comment level in output string */
++	int anglelev;			/* angle level in input string */
++	int copylev;			/* 0 == in address, >0 copying */
++	int bracklev;			/* bracket level for IPv6 addr check */
++	bool addangle;			/* put closing angle in output */
++	bool qmode;			/* quoting in original string? */
++	bool realqmode;			/* quoting in output string? */
++	bool putgmac = FALSE;		/* already wrote $g */
++	bool quoteit = FALSE;		/* need to quote next character */
++	bool gotangle = FALSE;		/* found first '<' */
++	bool gotcolon = FALSE;		/* found a ':' */
+ 	register char *bp;
+ 	char *buflim;
+ 	char *bufhead;
+ 	char *addrhead;
++	char *bufend;
+ 	static char buf[MAXNAME + 1];
+ 
+ 	if (tTd(33, 1))
+@@ -860,25 +888,22 @@
+ 	**  adjusted later if we find them.
+ 	*/
+ 
++	buflim = bufend = &buf[sizeof(buf) - 1];
+ 	bp = bufhead = buf;
+-	buflim = &buf[sizeof buf - 7];
+ 	p = addrhead = addr;
+-	copylev = anglelev = realanglelev = cmtlev = realcmtlev = 0;
++	copylev = anglelev = cmtlev = realcmtlev = 0;
+ 	bracklev = 0;
+-	qmode = realqmode = FALSE;
++	qmode = realqmode = addangle = FALSE;
+ 
+ 	while ((c = *p++) != '\0')
+ 	{
+ 		/*
+-		**  If the buffer is overful, go into a special "skipping"
+-		**  mode that tries to keep legal syntax but doesn't actually
+-		**  output things.
++		**  Try to keep legal syntax using spare buffer space
++		**  (maintained by buflim).
+ 		*/
+ 
+-		skipping = bp >= buflim;
+-
+-		if (copylev > 0 && !skipping)
+-			*bp++ = c;
++		if (copylev > 0)
++			SM_APPEND_CHAR(c);
+ 
+ 		/* check for backslash escapes */
+ 		if (c == '\\')
+@@ -893,8 +918,8 @@
+ 				p--;
+ 				goto putg;
+ 			}
+-			if (copylev > 0 && !skipping)
+-				*bp++ = c;
++			if (copylev > 0)
++				SM_APPEND_CHAR(c);
+ 			goto putg;
+ 		}
+ 
+@@ -902,8 +927,14 @@
+ 		if (c == '"' && cmtlev <= 0)
+ 		{
+ 			qmode = !qmode;
+-			if (copylev > 0 && !skipping)
++			if (copylev > 0 && SM_HAVE_ROOM)
++			{
++				if (realqmode)
++					buflim--;
++				else
++					buflim++;
+ 				realqmode = !realqmode;
++			}
+ 			continue;
+ 		}
+ 		if (qmode)
+@@ -915,15 +946,15 @@
+ 			cmtlev++;
+ 
+ 			/* allow space for closing paren */
+-			if (!skipping)
++			if (SM_HAVE_ROOM)
+ 			{
+ 				buflim--;
+ 				realcmtlev++;
+ 				if (copylev++ <= 0)
+ 				{
+ 					if (bp != bufhead)
+-						*bp++ = ' ';
+-					*bp++ = c;
++						SM_APPEND_CHAR(' ');
++					SM_APPEND_CHAR(c);
+ 				}
+ 			}
+ 		}
+@@ -933,7 +964,7 @@
+ 			{
+ 				cmtlev--;
+ 				copylev--;
+-				if (!skipping)
++				if (SM_HAVE_ROOM)
+ 				{
+ 					realcmtlev--;
+ 					buflim++;
+@@ -944,7 +975,7 @@
+ 		else if (c == ')')
+ 		{
+ 			/* syntax error: unmatched ) */
+-			if (copylev > 0 && !skipping)
++			if (copylev > 0 && SM_HAVE_ROOM)
+ 				bp--;
+ 		}
+ 
+@@ -962,7 +993,7 @@
+ 
+ 			/*
+ 			**  Check for DECnet phase IV ``::'' (host::user)
+-			**  or **  DECnet phase V ``:.'' syntaxes.  The latter
++			**  or DECnet phase V ``:.'' syntaxes.  The latter
+ 			**  covers ``user@DEC:.tay.myhost'' and
+ 			**  ``DEC:.tay.myhost::user'' syntaxes (bletch).
+ 			*/
+@@ -971,10 +1002,10 @@
+ 			{
+ 				if (cmtlev <= 0 && !qmode)
+ 					quoteit = TRUE;
+-				if (copylev > 0 && !skipping)
++				if (copylev > 0)
+ 				{
+-					*bp++ = c;
+-					*bp++ = *p;
++					SM_APPEND_CHAR(c);
++					SM_APPEND_CHAR(*p);
+ 				}
+ 				p++;
+ 				goto putg;
+@@ -985,41 +1016,43 @@
+ 			bp = bufhead;
+ 			if (quoteit)
+ 			{
+-				*bp++ = '"';
++				SM_APPEND_CHAR('"');
+ 
+ 				/* back up over the ':' and any spaces */
+ 				--p;
+-				while (isascii(*--p) && isspace(*p))
++				while (p > addr &&
++				       isascii(*--p) && isspace(*p))
+ 					continue;
+ 				p++;
+ 			}
+ 			for (q = addrhead; q < p; )
+ 			{
+ 				c = *q++;
+-				if (bp < buflim)
+-				{
+ 					if (quoteit && c == '"')
+-						*bp++ = '\\';
+-					*bp++ = c;
++				{
++					SM_APPEND_CHAR('\\');
++					SM_APPEND_CHAR(c);
+ 				}
++				else
++					SM_APPEND_CHAR(c);
+ 			}
+ 			if (quoteit)
+ 			{
+ 				if (bp == &bufhead[1])
+ 					bp--;
+ 				else
+-					*bp++ = '"';
++					SM_APPEND_CHAR('"');
+ 				while ((c = *p++) != ':')
+-				{
+-					if (bp < buflim)
+-						*bp++ = c;
+-				}
+-				*bp++ = c;
++					SM_APPEND_CHAR(c);
++				SM_APPEND_CHAR(c);
+ 			}
+ 
+ 			/* any trailing white space is part of group: */
+-			while (isascii(*p) && isspace(*p) && bp < buflim)
+-				*bp++ = *p++;
++			while (isascii(*p) && isspace(*p))
++			{
++				SM_APPEND_CHAR(*p);
++				p++;
++			}
+ 			copylev = 0;
+ 			putgmac = quoteit = FALSE;
+ 			bufhead = bp;
+@@ -1028,10 +1061,7 @@
+ 		}
+ 
+ 		if (c == ';' && copylev <= 0 && !ColonOkInAddr)
+-		{
+-			if (bp < buflim)
+-				*bp++ = c;
+-		}
++			SM_APPEND_CHAR(c);
+ 
+ 		/* check for characters that may have to be quoted */
+ 		if (strchr(MustQuoteChars, c) != NULL)
+@@ -1059,42 +1089,45 @@
+ 
+ 			/* oops -- have to change our mind */
+ 			anglelev = 1;
+-			if (!skipping)
+-				realanglelev = 1;
++			if (SM_HAVE_ROOM)
++			{
++				if (!addangle)
++					buflim--;
++				addangle = TRUE;
++			}
+ 
+ 			bp = bufhead;
+ 			if (quoteit)
+ 			{
+-				*bp++ = '"';
++				SM_APPEND_CHAR('"');
+ 
+ 				/* back up over the '<' and any spaces */
+ 				--p;
+-				while (isascii(*--p) && isspace(*p))
++				while (p > addr &&
++				       isascii(*--p) && isspace(*p))
+ 					continue;
+ 				p++;
+ 			}
+ 			for (q = addrhead; q < p; )
+ 			{
+ 				c = *q++;
+-				if (bp < buflim)
+-				{
+ 					if (quoteit && c == '"')
+-						*bp++ = '\\';
+-					*bp++ = c;
++				{
++					SM_APPEND_CHAR('\\');
++					SM_APPEND_CHAR(c);
+ 				}
++				else
++					SM_APPEND_CHAR(c);
+ 			}
+ 			if (quoteit)
+ 			{
+ 				if (bp == &buf[1])
+ 					bp--;
+ 				else
+-					*bp++ = '"';
++					SM_APPEND_CHAR('"');
+ 				while ((c = *p++) != '<')
+-				{
+-					if (bp < buflim)
+-						*bp++ = c;
+-				}
+-				*bp++ = c;
++					SM_APPEND_CHAR(c);
++				SM_APPEND_CHAR(c);
+ 			}
+ 			copylev = 0;
+ 			putgmac = quoteit = FALSE;
+@@ -1106,13 +1139,14 @@
+ 			if (anglelev > 0)
+ 			{
+ 				anglelev--;
+-				if (!skipping)
++				if (SM_HAVE_ROOM)
+ 				{
+-					realanglelev--;
++					if (addangle)
+ 					buflim++;
++					addangle = FALSE;
+ 				}
+ 			}
+-			else if (!skipping)
++			else if (SM_HAVE_ROOM)
+ 			{
+ 				/* syntax error: unmatched > */
+ 				if (copylev > 0)
+@@ -1121,7 +1155,7 @@
+ 				continue;
+ 			}
+ 			if (copylev++ <= 0)
+-				*bp++ = c;
++				SM_APPEND_CHAR(c);
+ 			continue;
+ 		}
+ 
+@@ -1129,30 +1163,42 @@
+ 	putg:
+ 		if (copylev <= 0 && !putgmac)
+ 		{
+-			if (bp > bufhead && bp[-1] == ')')
+-				*bp++ = ' ';
+-			*bp++ = MACROEXPAND;
+-			*bp++ = 'g';
++			if (bp > buf && bp[-1] == ')')
++				SM_APPEND_CHAR(' ');
++			SM_APPEND_CHAR(MACROEXPAND);
++			SM_APPEND_CHAR('g');
+ 			putgmac = TRUE;
+ 		}
+ 	}
+ 
+ 	/* repair any syntactic damage */
+-	if (realqmode)
++	if (realqmode && bp < bufend)
+ 		*bp++ = '"';
+-	while (realcmtlev-- > 0)
++	while (realcmtlev-- > 0 && bp < bufend)
+ 		*bp++ = ')';
+-	while (realanglelev-- > 0)
++	if (addangle && bp < bufend)
+ 		*bp++ = '>';
+-	*bp++ = '\0';
++	*bp = '\0';
++	if (bp < bufend)
++		goto success;
+ 
++ returng:
++	/* String too long, punt */
++	buf[0] = '<';
++	buf[1] = MACROEXPAND;
++	buf[2]= 'g';
++	buf[3] = '>';
++	buf[4]= '\0';
++	sm_syslog(LOG_ALERT, e->e_id,
++		  "Dropped invalid comments from header address");
++
++ success:
+ 	if (tTd(33, 1))
+ 	{
+ 		printf("crackaddr=>`");
+ 		xputs(buf);
+ 		printf("'\n");
+ 	}
+-
+ 	return (buf);
+ }
+ /*
+Index: main.c
+===================================================================
+RCS file: /cvs/sendmail/main.c,v
+retrieving revision 8.326
+retrieving revision 8.326.2.2
+diff -u -w -r8.326 -r8.326.2.2
+--- src/main.c	7 Feb 1999 07:43:59 -0000	8.326
++++ src/main.c	20 Jan 2003 18:51:34 -0000	8.326.2.2
+@@ -2349,7 +2349,7 @@
+ 	static int tryflags = RF_COPYNONE;
+ 	char exbuf[MAXLINE];
+ 	extern bool invalidaddr __P((char *, char *));
+-	extern char *crackaddr __P((char *));
++	extern char *crackaddr __P((char *, ENVELOPE *));
+ 	extern void dump_class __P((STAB *, int));
+ 	extern void translate_dollars __P((char *));
+ 	extern void help __P((char *));
+@@ -2671,7 +2671,7 @@
+ 				printf("Usage: /parse address\n");
+ 				return;
+ 			}
+-			q = crackaddr(p);
++			q = crackaddr(p, e);
+ 			printf("Cracked address = ");
+ 			xputs(q);
+ 			printf("\nParsing %s %s address\n",
+Index: parseaddr.c
+===================================================================
+RCS file: /cvs/sendmail/parseaddr.c,v
+retrieving revision 8.159
+retrieving revision 8.159.2.1
+diff -u -w -r8.159 -r8.159.2.1
+--- src/parseaddr.c	7 Feb 1999 07:26:40 -0000	8.159
++++ src/parseaddr.c	20 Jan 2003 18:51:35 -0000	8.159.2.1
+@@ -2053,7 +2053,7 @@
+ 	static char buf[MAXNAME + 1];
+ 	char lbuf[MAXNAME + 1];
+ 	char pvpbuf[PSBUFSIZE];
+-	extern char *crackaddr __P((char *));
++	extern char *crackaddr __P((char *, ENVELOPE *));
+ 
+ 	if (tTd(12, 1))
+ 		printf("remotename(%s)\n", name);
+@@ -2076,7 +2076,7 @@
+ 	if (bitset(RF_CANONICAL, flags) || bitnset(M_NOCOMMENT, m->m_flags))
+ 		fancy = "\201g";
+ 	else
+-		fancy = crackaddr(name);
++		fancy = crackaddr(name, e);
+ 
+ 	/*
+ 	**  Turn the name into canonical form.
diff --git a/debian/patches/src.conf.h.linux b/debian/patches/src.conf.h.linux
new file mode 100644
index 0000000..745cbce
--- /dev/null
+++ b/debian/patches/src.conf.h.linux
@@ -0,0 +1,54 @@
+diff -c './src/conf.h' 'conf.h'
+Index: ./src/conf.h
+Prereq: 	8.385 
+*** sendmail-8.9.3/src/conf.h	Wed Jul 25 12:23:19 2001
+--- ./src/conf.h	Tue Jul 31 16:33:50 2001
+***************
+*** 1274,1280 ****
+  
+  #ifdef __linux__
+  # define BSD		1	/* include BSD defines */
+! # define USESETEUID	0	/* Have it due to POSIX, but doesn't work */
+  # define NEEDGETOPT	1	/* need a replacement for getopt(3) */
+  # define HASUNAME	1	/* use System V uname(2) system call */
+  # define HASUNSETENV	1	/* has unsetenv(3) call */
+--- 1274,1280 ----
+  
+  #ifdef __linux__
+  # define BSD		1	/* include BSD defines */
+! # define USESETEUID	1	/* Have it due to POSIX, but doesn't work */
+  # define NEEDGETOPT	1	/* need a replacement for getopt(3) */
+  # define HASUNAME	1	/* use System V uname(2) system call */
+  # define HASUNSETENV	1	/* has unsetenv(3) call */
+***************
+*** 1283,1289 ****
+  # endif
+  # define ERRLIST_PREDEFINED	/* don't declare sys_errlist */
+  # define GIDSET_T	gid_t	/* from <linux/types.h> */
+! # define HASGETUSERSHELL 0	/* getusershell(3) broken in Slackware 2.0 */
+  # define IP_SRCROUTE	0	/* linux <= 1.2.8 doesn't support IP_OPTIONS */
+  # define USE_SIGLONGJMP	1	/* sigsetjmp needed for signal handling */
+  # ifndef HASFLOCK
+--- 1283,1289 ----
+  # endif
+  # define ERRLIST_PREDEFINED	/* don't declare sys_errlist */
+  # define GIDSET_T	gid_t	/* from <linux/types.h> */
+! # define HASGETUSERSHELL 1	/* getusershell(3) broken in Slackware 2.0 */
+  # define IP_SRCROUTE	0	/* linux <= 1.2.8 doesn't support IP_OPTIONS */
+  # define USE_SIGLONGJMP	1	/* sigsetjmp needed for signal handling */
+  # ifndef HASFLOCK
+***************
+*** 1307,1312 ****
+--- 1307,1318 ----
+  # endif
+  # include <sys/sysmacros.h>
+  # undef atol			/* wounded in <stdlib.h> */
++ #  if !defined(KERNEL_VERSION)  /* not defined in 2.0.x kernel series */
++ #   define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
++ #  endif /* !defined(KERNEL_VERSION) */
++ #  if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,0,36))
++ #     define HASFCHMOD    1   /* fchmod(2) */
++ #     endif /* (LINUX_VERSION_CODE >= KERNEL_VERSION(2,0,36)) */
+  #endif
+  
+  
diff --git a/debian/patches/util.c.893.patch b/debian/patches/util.c.893.patch
new file mode 100644
index 0000000..fb71fcd
--- /dev/null
+++ b/debian/patches/util.c.893.patch
@@ -0,0 +1,48 @@
+--- ./src/util.c.orig	Fri Jan 22 07:18:40 1999
++++ sendmail-8.9.3/src/util.c	Thu Apr 29 02:34:21 1999
+@@ -2086,6 +2086,8 @@
+ 		ProcListVec = npv;
+ 	}
+ 	ProcListVec[i].proc_pid = pid;
++	if (ProcListVec[i].proc_task != NULL)
++		free(ProcListVec[i].proc_task);
+ 	ProcListVec[i].proc_task = newstr(task);
+ 
+ 	/* if process adding itself, it's not a child */
+@@ -2142,11 +2144,6 @@
+ 		if (ProcListVec[i].proc_pid == pid)
+ 		{
+ 			ProcListVec[i].proc_pid = NO_PID;
+-			if (ProcListVec[i].proc_task != NULL)
+-			{
+-				free(ProcListVec[i].proc_task);
+-				ProcListVec[i].proc_task = NULL;
+-			}
+ 			break;
+ 		}
+ 	}
+@@ -2172,11 +2169,6 @@
+ 	for (i = 1; i < ProcListSize; i++)
+ 	{
+ 		ProcListVec[i].proc_pid = NO_PID;
+-		if (ProcListVec[i].proc_task != NULL)
+-		{
+-			free(ProcListVec[i].proc_task);
+-			ProcListVec[i].proc_task = NULL;
+-		}
+ 	}
+ 	CurChildren = 0;
+ }
+@@ -2207,11 +2199,6 @@
+ 					"proc_list_probe: lost pid %d",
+ 					(int) ProcListVec[i].proc_pid);
+ 			ProcListVec[i].proc_pid = NO_PID;
+-			if (ProcListVec[i].proc_task != NULL)
+-			{
+-				free(ProcListVec[i].proc_task);
+-				ProcListVec[i].proc_task = NULL;
+-			}
+ 			CurChildren--;
+ 		}
+ 	}
+