#0 fmtmsg (to=0x8de4b0 "testuser", num=num@entry=0x4a1e43 "550", enhsc=0x0, eno=eno@entry=0, fmt=fmt@entry=0x4a2871 "%s", ap=ap@entry=0x7ffde99f8358, eb=0x76be20 <MsgBuf> "") at err.c:920
#1 0x0000000000430416 in usrerr (fmt=fmt@entry=0x4a2871 "%s") at err.c:299
#2 0x0000000000476614 in smtp (nullserver=nullserver@entry=0x0, d_flags=d_flags@entry=0x765238 <Daemons+152>, e=e@entry=0x6c8b40 <MainEnvelope>) at srvrsmtp.c:3065
#3 0x000000000040a6b6 in main (argc=6, argv=0x7ffde9a00148, envp=<optimized out>) at main.c:2711

caused by debian/patches/format-security.patch which turns

usrerr("451 4.7.1 Greylisting in action, please come back in 00:30:00")

into

usrerr("%s", "451 4.7.1 Greylisting in action, please come back in 00:30:00")

and "%s" does not start with an SMTP status code ... resulting in "550" from the "num" parameter being used instead.

Help would be welcome for a proper fix. From a hardening POV this patch is needed - we cannot pass an untrusted string (the status string returned by milter-greylist) as a format string to printf.

Andreas
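
One way to keep the reply code while the milter text still travels as an argument, shown as an added example (not sendmail's or Debian's code). `model_usrerr` is a hypothetical, simplified stand-in for the reporter in the backtrace, `has_code` and `reply_untrusted` are illustrative names, and only single-line replies of the form `NNN text` are handled.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* True if s begins with a three-digit reply code followed by a space. */
static int has_code(const char *s)
{
    return isdigit((unsigned char)s[0]) && isdigit((unsigned char)s[1]) &&
           isdigit((unsigned char)s[2]) && s[3] == ' ';
}

/* Hypothetical model of the reporter: the code is read from the start of
 * the format string; if it is not there, the default "550" is used. */
static void model_usrerr(char *out, size_t n, const char *fmt, ...)
{
    char code[4] = "550", body[256];
    const char *f = fmt;
    va_list ap;
    if (has_code(fmt)) {
        memcpy(code, fmt, 3);
        f = fmt + 4;
    }
    va_start(ap, fmt);
    vsnprintf(body, sizeof body, f, ap);
    va_end(ap);
    snprintf(out, n, "%s %s", code, body);
}

/* Untrusted text stays an argument; only its validated three digits are
 * copied into the format string, so the format gains no '%' from it. */
static void reply_untrusted(char *out, size_t n, const char *msg)
{
    char fmt[8];
    if (!has_code(msg)) {
        model_usrerr(out, n, "%s", msg);        /* no code: default applies */
        return;
    }
    snprintf(fmt, sizeof fmt, "%.3s %%s", msg); /* e.g. "451 %s" */
    model_usrerr(out, n, fmt, msg + 4);
}

int main(void)
{
    char b[320];
    const char *m = "451 4.7.1 Greylisting in action, please come back in 00:30:00";
    model_usrerr(b, sizeof b, "%s", m); puts(b);  /* code lost, 550 used */
    reply_untrusted(b, sizeof b, m); puts(b);     /* 451 preserved */
    reply_untrusted(b, sizeof b, "451 4.7.1 wait %n%s"); puts(b); /* constructed input, printed literally */
}
```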