1 files changed, 487 insertions, 0 deletions
diff --git a/debian/patches/sendmail.8.9.3.security.cr.patch b/debian/patches/sendmail.8.9.3.security.cr.patch
new file mode 100644
index 0000000..394ddf6
--- /dev/null
+++ b/debian/patches/sendmail.8.9.3.security.cr.patch
@@ -0,0 +1,487 @@
+Index: headers.c
+===================================================================
+RCS file: /cvs/sendmail/headers.c,v
+retrieving revision 8.139
+retrieving revision 8.139.2.1
+diff -u -w -r8.139 -r8.139.2.1
+--- src/headers.c	7 Feb 1999 07:26:37 -0000	8.139
++++ src/headers.c	20 Jan 2003 18:51:34 -0000	8.139.2.1
+@@ -501,9 +501,10 @@
+ 			{
+ 				if (bitset(H_FROM, h->h_flags))
+ 				{
+-					extern char *crackaddr __P((char *));
++					extern char *crackaddr __P((char *, ENVELOPE *));
+ 
+-					expand(crackaddr(buf), buf, sizeof buf, e);
++					expand(crackaddr(buf, e), buf,
++					       sizeof buf, e);
+ 				}
+ 				h->h_value = newstr(buf);
+ 				h->h_flags &= ~H_DEFAULT;
+@@ -803,7 +804,11 @@
+ **	it and replaces it with "$g".  The parse is totally ad hoc
+ **	and isn't even guaranteed to leave something syntactically
+ **	identical to what it started with.  However, it does leave
+-**	something semantically identical.
++**	something semantically identical if possible, else at least
++**	syntactically correct.
++**
++**	For example, it changes "Real Name <real@example.com> (Comment)"
++**	to "Real Name <$g> (Comment)".
+ **
+ **	This algorithm has been cleaned up to handle a wider range
+ **	of cases -- notably quoted and backslash escaped strings.
+@@ -812,6 +817,7 @@
+ **
+ **	Parameters:
+ **		addr -- the address to be cracked.
++**		e -- the current envelope.
+ **
+ **	Returns:
+ **		a pointer to the new version.
+@@ -824,28 +830,50 @@
+ **		be copied if it is to be reused.
+ */
+ 
++#define SM_HAVE_ROOM		((bp < buflim) && (buflim <= bufend))
++
++/*
++**  Append a character to bp if we have room.
++**  If not, punt and return $g.
++*/
++
++#define SM_APPEND_CHAR(c)					\
++	do							\
++	{							\
++		if (SM_HAVE_ROOM)				\
++			*bp++ = (c);				\
++		else						\
++			goto returng;				\
++	} while (0)
++
++#if MAXNAME < 10
++ERROR MAXNAME must be at least 10
++#endif /* MAXNAME < 10 */
++
+ char *
+-crackaddr(addr)
++crackaddr(addr, e)
+ 	register char *addr;
++	ENVELOPE *e;
+ {
+ 	register char *p;
+ 	register char c;
+-	int cmtlev;
+-	int realcmtlev;
+-	int anglelev, realanglelev;
+-	int copylev;
+-	int bracklev;
+-	bool qmode;
+-	bool realqmode;
+-	bool skipping;
+-	bool putgmac = FALSE;
+-	bool quoteit = FALSE;
+-	bool gotangle = FALSE;
+-	bool gotcolon = FALSE;
++	int cmtlev;			/* comment level in input string */
++	int realcmtlev;			/* comment level in output string */
++	int anglelev;			/* angle level in input string */
++	int copylev;			/* 0 == in address, >0 copying */
++	int bracklev;			/* bracket level for IPv6 addr check */
++	bool addangle;			/* put closing angle in output */
++	bool qmode;			/* quoting in original string? */
++	bool realqmode;			/* quoting in output string? */
++	bool putgmac = FALSE;		/* already wrote $g */
++	bool quoteit = FALSE;		/* need to quote next character */
++	bool gotangle = FALSE;		/* found first '<' */
++	bool gotcolon = FALSE;		/* found a ':' */
+ 	register char *bp;
+ 	char *buflim;
+ 	char *bufhead;
+ 	char *addrhead;
++	char *bufend;
+ 	static char buf[MAXNAME + 1];
+ 
+ 	if (tTd(33, 1))
+@@ -860,25 +888,22 @@
+ 	**  adjusted later if we find them.
+ 	*/
+ 
++	buflim = bufend = &buf[sizeof(buf) - 1];
+ 	bp = bufhead = buf;
+-	buflim = &buf[sizeof buf - 7];
+ 	p = addrhead = addr;
+-	copylev = anglelev = realanglelev = cmtlev = realcmtlev = 0;
++	copylev = anglelev = cmtlev = realcmtlev = 0;
+ 	bracklev = 0;
+-	qmode = realqmode = FALSE;
++	qmode = realqmode = addangle = FALSE;
+ 
+ 	while ((c = *p++) != '\0')
+ 	{
+ 		/*
+-		**  If the buffer is overful, go into a special "skipping"
+-		**  mode that tries to keep legal syntax but doesn't actually
+-		**  output things.
++		**  Try to keep legal syntax using spare buffer space
++		**  (maintained by buflim).
+ 		*/
+ 
+-		skipping = bp >= buflim;
+-
+-		if (copylev > 0 && !skipping)
+-			*bp++ = c;
++		if (copylev > 0)
++			SM_APPEND_CHAR(c);
+ 
+ 		/* check for backslash escapes */
+ 		if (c == '\\')
+@@ -893,8 +918,8 @@
+ 				p--;
+ 				goto putg;
+ 			}
+-			if (copylev > 0 && !skipping)
+-				*bp++ = c;
++			if (copylev > 0)
++				SM_APPEND_CHAR(c);
+ 			goto putg;
+ 		}
+ 
+@@ -902,8 +927,14 @@
+ 		if (c == '"' && cmtlev <= 0)
+ 		{
+ 			qmode = !qmode;
+-			if (copylev > 0 && !skipping)
++			if (copylev > 0 && SM_HAVE_ROOM)
++			{
++				if (realqmode)
++					buflim--;
++				else
++					buflim++;
+ 				realqmode = !realqmode;
++			}
+ 			continue;
+ 		}
+ 		if (qmode)
+@@ -915,15 +946,15 @@
+ 			cmtlev++;
+ 
+ 			/* allow space for closing paren */
+-			if (!skipping)
++			if (SM_HAVE_ROOM)
+ 			{
+ 				buflim--;
+ 				realcmtlev++;
+ 				if (copylev++ <= 0)
+ 				{
+ 					if (bp != bufhead)
+-						*bp++ = ' ';
+-					*bp++ = c;
++						SM_APPEND_CHAR(' ');
++					SM_APPEND_CHAR(c);
+ 				}
+ 			}
+ 		}
+@@ -933,7 +964,7 @@
+ 			{
+ 				cmtlev--;
+ 				copylev--;
+-				if (!skipping)
++				if (SM_HAVE_ROOM)
+ 				{
+ 					realcmtlev--;
+ 					buflim++;
+@@ -944,7 +975,7 @@
+ 		else if (c == ')')
+ 		{
+ 			/* syntax error: unmatched ) */
+-			if (copylev > 0 && !skipping)
++			if (copylev > 0 && SM_HAVE_ROOM)
+ 				bp--;
+ 		}
+ 
+@@ -962,7 +993,7 @@
+ 
+ 			/*
+ 			**  Check for DECnet phase IV ``::'' (host::user)
+-			**  or **  DECnet phase V ``:.'' syntaxes.  The latter
++			**  or DECnet phase V ``:.'' syntaxes.  The latter
+ 			**  covers ``user@DEC:.tay.myhost'' and
+ 			**  ``DEC:.tay.myhost::user'' syntaxes (bletch).
+ 			*/
+@@ -971,10 +1002,10 @@
+ 			{
+ 				if (cmtlev <= 0 && !qmode)
+ 					quoteit = TRUE;
+-				if (copylev > 0 && !skipping)
++				if (copylev > 0)
+ 				{
+-					*bp++ = c;
+-					*bp++ = *p;
++					SM_APPEND_CHAR(c);
++					SM_APPEND_CHAR(*p);
+ 				}
+ 				p++;
+ 				goto putg;
+@@ -985,41 +1016,43 @@
+ 			bp = bufhead;
+ 			if (quoteit)
+ 			{
+-				*bp++ = '"';
++				SM_APPEND_CHAR('"');
+ 
+ 				/* back up over the ':' and any spaces */
+ 				--p;
+-				while (isascii(*--p) && isspace(*p))
++				while (p > addr &&
++				       isascii(*--p) && isspace(*p))
+ 					continue;
+ 				p++;
+ 			}
+ 			for (q = addrhead; q < p; )
+ 			{
+ 				c = *q++;
+-				if (bp < buflim)
+-				{
+ 					if (quoteit && c == '"')
+-						*bp++ = '\\';
+-					*bp++ = c;
++				{
++					SM_APPEND_CHAR('\\');
++					SM_APPEND_CHAR(c);
+ 				}
++				else
++					SM_APPEND_CHAR(c);
+ 			}
+ 			if (quoteit)
+ 			{
+ 				if (bp == &bufhead[1])
+ 					bp--;
+ 				else
+-					*bp++ = '"';
++					SM_APPEND_CHAR('"');
+ 				while ((c = *p++) != ':')
+-				{
+-					if (bp < buflim)
+-						*bp++ = c;
+-				}
+-				*bp++ = c;
++					SM_APPEND_CHAR(c);
++				SM_APPEND_CHAR(c);
+ 			}
+ 
+ 			/* any trailing white space is part of group: */
+-			while (isascii(*p) && isspace(*p) && bp < buflim)
+-				*bp++ = *p++;
++			while (isascii(*p) && isspace(*p))
++			{
++				SM_APPEND_CHAR(*p);
++				p++;
++			}
+ 			copylev = 0;
+ 			putgmac = quoteit = FALSE;
+ 			bufhead = bp;
+@@ -1028,10 +1061,7 @@
+ 		}
+ 
+ 		if (c == ';' && copylev <= 0 && !ColonOkInAddr)
+-		{
+-			if (bp < buflim)
+-				*bp++ = c;
+-		}
++			SM_APPEND_CHAR(c);
+ 
+ 		/* check for characters that may have to be quoted */
+ 		if (strchr(MustQuoteChars, c) != NULL)
+@@ -1059,42 +1089,45 @@
+ 
+ 			/* oops -- have to change our mind */
+ 			anglelev = 1;
+-			if (!skipping)
+-				realanglelev = 1;
++			if (SM_HAVE_ROOM)
++			{
++				if (!addangle)
++					buflim--;
++				addangle = TRUE;
++			}
+ 
+ 			bp = bufhead;
+ 			if (quoteit)
+ 			{
+-				*bp++ = '"';
++				SM_APPEND_CHAR('"');
+ 
+ 				/* back up over the '<' and any spaces */
+ 				--p;
+-				while (isascii(*--p) && isspace(*p))
++				while (p > addr &&
++				       isascii(*--p) && isspace(*p))
+ 					continue;
+ 				p++;
+ 			}
+ 			for (q = addrhead; q < p; )
+ 			{
+ 				c = *q++;
+-				if (bp < buflim)
+-				{
+ 					if (quoteit && c == '"')
+-						*bp++ = '\\';
+-					*bp++ = c;
++				{
++					SM_APPEND_CHAR('\\');
++					SM_APPEND_CHAR(c);
+ 				}
++				else
++					SM_APPEND_CHAR(c);
+ 			}
+ 			if (quoteit)
+ 			{
+ 				if (bp == &buf[1])
+ 					bp--;
+ 				else
+-					*bp++ = '"';
++					SM_APPEND_CHAR('"');
+ 				while ((c = *p++) != '<')
+-				{
+-					if (bp < buflim)
+-						*bp++ = c;
+-				}
+-				*bp++ = c;
++					SM_APPEND_CHAR(c);
++				SM_APPEND_CHAR(c);
+ 			}
+ 			copylev = 0;
+ 			putgmac = quoteit = FALSE;
+@@ -1106,13 +1139,14 @@
+ 			if (anglelev > 0)
+ 			{
+ 				anglelev--;
+-				if (!skipping)
++				if (SM_HAVE_ROOM)
+ 				{
+-					realanglelev--;
++					if (addangle)
+ 					buflim++;
++					addangle = FALSE;
+ 				}
+ 			}
+-			else if (!skipping)
++			else if (SM_HAVE_ROOM)
+ 			{
+ 				/* syntax error: unmatched > */
+ 				if (copylev > 0)
+@@ -1121,7 +1155,7 @@
+ 				continue;
+ 			}
+ 			if (copylev++ <= 0)
+-				*bp++ = c;
++				SM_APPEND_CHAR(c);
+ 			continue;
+ 		}
+ 
+@@ -1129,30 +1163,42 @@
+ 	putg:
+ 		if (copylev <= 0 && !putgmac)
+ 		{
+-			if (bp > bufhead && bp[-1] == ')')
+-				*bp++ = ' ';
+-			*bp++ = MACROEXPAND;
+-			*bp++ = 'g';
++			if (bp > buf && bp[-1] == ')')
++				SM_APPEND_CHAR(' ');
++			SM_APPEND_CHAR(MACROEXPAND);
++			SM_APPEND_CHAR('g');
+ 			putgmac = TRUE;
+ 		}
+ 	}
+ 
+ 	/* repair any syntactic damage */
+-	if (realqmode)
++	if (realqmode && bp < bufend)
+ 		*bp++ = '"';
+-	while (realcmtlev-- > 0)
++	while (realcmtlev-- > 0 && bp < bufend)
+ 		*bp++ = ')';
+-	while (realanglelev-- > 0)
++	if (addangle && bp < bufend)
+ 		*bp++ = '>';
+-	*bp++ = '\0';
++	*bp = '\0';
++	if (bp < bufend)
++		goto success;
+ 
++ returng:
++	/* String too long, punt */
++	buf[0] = '<';
++	buf[1] = MACROEXPAND;
++	buf[2]= 'g';
++	buf[3] = '>';
++	buf[4]= '\0';
++	sm_syslog(LOG_ALERT, e->e_id,
++		  "Dropped invalid comments from header address");
++
++ success:
+ 	if (tTd(33, 1))
+ 	{
+ 		printf("crackaddr=>`");
+ 		xputs(buf);
+ 		printf("'\n");
+ 	}
+-
+ 	return (buf);
+ }
+ /*
+Index: main.c
+===================================================================
+RCS file: /cvs/sendmail/main.c,v
+retrieving revision 8.326
+retrieving revision 8.326.2.2
+diff -u -w -r8.326 -r8.326.2.2
+--- src/main.c	7 Feb 1999 07:43:59 -0000	8.326
++++ src/main.c	20 Jan 2003 18:51:34 -0000	8.326.2.2
+@@ -2349,7 +2349,7 @@
+ 	static int tryflags = RF_COPYNONE;
+ 	char exbuf[MAXLINE];
+ 	extern bool invalidaddr __P((char *, char *));
+-	extern char *crackaddr __P((char *));
++	extern char *crackaddr __P((char *, ENVELOPE *));
+ 	extern void dump_class __P((STAB *, int));
+ 	extern void translate_dollars __P((char *));
+ 	extern void help __P((char *));
+@@ -2671,7 +2671,7 @@
+ 				printf("Usage: /parse address\n");
+ 				return;
+ 			}
+-			q = crackaddr(p);
++			q = crackaddr(p, e);
+ 			printf("Cracked address = ");
+ 			xputs(q);
+ 			printf("\nParsing %s %s address\n",
+Index: parseaddr.c
+===================================================================
+RCS file: /cvs/sendmail/parseaddr.c,v
+retrieving revision 8.159
+retrieving revision 8.159.2.1
+diff -u -w -r8.159 -r8.159.2.1
+--- src/parseaddr.c	7 Feb 1999 07:26:40 -0000	8.159
++++ src/parseaddr.c	20 Jan 2003 18:51:35 -0000	8.159.2.1
+@@ -2053,7 +2053,7 @@
+ 	static char buf[MAXNAME + 1];
+ 	char lbuf[MAXNAME + 1];
+ 	char pvpbuf[PSBUFSIZE];
+-	extern char *crackaddr __P((char *));
++	extern char *crackaddr __P((char *, ENVELOPE *));
+ 
+ 	if (tTd(12, 1))
+ 		printf("remotename(%s)\n", name);
+@@ -2076,7 +2076,7 @@
+ 	if (bitset(RF_CANONICAL, flags) || bitnset(M_NOCOMMENT, m->m_flags))
+ 		fancy = "\201g";
+ 	else
+-		fancy = crackaddr(name);
++		fancy = crackaddr(name, e);
+ 
+ 	/*
+ 	**  Turn the name into canonical form.