Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ex...@packages.debian.org
Control: affects -1 + src:exim4
User: release.debian....@packages.debian.org
Usertags: pu
Hello,

I would like to fix an exim regression in bookworm (introduced in 4.96):

* Fix crash in dbmnz when looking up keys with no content.
  Closes: #1080472
  https://bugs.exim.org/show_bug.cgi?id=3079

The backport has been requested by a user, it was fixed in unstable in 4.97-7.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2024-07-09 10:53:35.000000000 +0200 +++ exim4-4.96/debian/changelog 2024-09-28 16:49:26.000000000 +0200 @@ -1,3 +1,10 @@ +exim4 (4.96-15+deb12u6) bookworm; urgency=medium + + * Fix crash in dbmnz when looking up keys with no content. + Closes: #1080472 + + -- Andreas Metzler <ametz...@debian.org> Sat, 28 Sep 2024 16:49:26 +0200 + exim4 (4.96-15+deb12u5) bookworm-security; urgency=high * Fix parsing of multiline RFC 2231 header filename parameter in mime ACL. diff -Nru exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch --- exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.96/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch 2024-09-28 16:46:44.000000000 +0200 
@@ -0,0 +1,141 @@ +From a7e6ad0ba38cf088e841c321042f81966d846b4b Mon Sep 17 00:00:00 2001 +From: Jeremy Harris <jgh146...@wizmail.org> +Date: Sat, 16 Mar 2024 13:50:45 +0000 +Subject: [PATCH] Lookups: fix dbmnz crash on zero-length datum. Bug 3079 + +Broken-by: 6d2c02560e5c +--- + doc/ChangeLog | 3 +++ + src/dbfn.c | 12 +++++++----- + src/exim_dbutil.c | 12 +++++++----- + src/lookups/dbmdb.c | 5 ++++- + test/aux-fixed/2302.emptydbmnzlookup | Bin 0 -> 12288 bytes + test/confs/2302 | 3 +++ + test/scripts/2300-DBM/2302 | 4 ++++ + test/stdout/2302 | 1 + + 8 files changed, 29 insertions(+), 11 deletions(-) + create mode 100644 test/aux-fixed/2302.emptydbmnzlookup + create mode 100644 test/confs/2302 + create mode 100644 test/scripts/2300-DBM/2302 + create mode 100644 test/stdout/2302 + +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -64,10 +64,13 @@ JH/20 Fix TLSA lookups. Previously dns_ + + JH/23 Fix crash in string expansions. Previously, if an empty variable was + immediately followed by an expansion operator, a null-indirection read + was done, killing the process. + ++JH/25 Bug 3079: Fix crash in dbmnz. When a key was present for zero-length ++ data a null pointer was followed. Find and testcase by Sebastian Bugge. ++ + JH/27 Fix ${srs_encode ..}. Previously it would give a bad result for one day + every 1024 days. + + JH/28 Bug 2996: Fix a crash in the smtp transport. 
When finding that the + message being considered for delivery was already being handled by +--- a/src/dbfn.c ++++ b/src/dbfn.c +@@ -236,16 +236,17 @@ Arguments: + Returns: a pointer to the retrieved record, or + NULL if the record is not found + */ + + void * +-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length) ++dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length) + { +-void *yield; ++void * yield; + EXIM_DATUM key_datum, result_datum; + int klen = Ustrlen(key) + 1; + uschar * key_copy = store_get(klen, key); ++unsigned dlen; + + memcpy(key_copy, key, klen); + + DEBUG(D_hints_lookup) debug_printf_indent("dbfn_read: key=%s\n", key); + +@@ -257,13 +258,14 @@ exim_datum_size_set(&key_datum, klen); + if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL; + + /* Assume the data store could have been tainted. Properly, we should + store the taint status with the data. */ + +-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED); +-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum)); +-if (length) *length = exim_datum_size_get(&result_datum); ++dlen = exim_datum_size_get(&result_datum); ++yield = store_get(dlen, GET_TAINTED); ++memcpy(yield, exim_datum_data_get(&result_datum), dlen); ++if (length) *length = dlen; + + exim_datum_free(&result_datum); /* Some DBM libs require freeing */ + return yield; + } + +--- a/src/exim_dbutil.c ++++ b/src/exim_dbutil.c +@@ -401,16 +401,17 @@ Arguments: + Returns: a pointer to the retrieved record, or + NULL if the record is not found + */ + + void * +-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length) ++dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length) + { +-void *yield; ++void * yield; + EXIM_DATUM key_datum, result_datum; + int klen = Ustrlen(key) + 1; + uschar * key_copy = store_get(klen, key); ++unsigned dlen; + + memcpy(key_copy, key, klen); + + exim_datum_init(&key_datum); /* 
Some DBM libraries require the datum */ + exim_datum_init(&result_datum); /* to be cleared before use. */ +@@ -420,13 +421,14 @@ exim_datum_size_set(&key_datum, klen); + if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL; + + /* Assume for now that anything stored could have been tainted. Properly + we should store the taint status along with the data. */ + +-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED); +-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum)); +-if (length) *length = exim_datum_size_get(&result_datum); ++dlen = exim_datum_size_get(&result_datum); ++yield = store_get(dlen, GET_TAINTED); ++memcpy(yield, exim_datum_data_get(&result_datum), dlen); ++if (length) *length = dlen; + + exim_datum_free(&result_datum); /* Some DBM libs require freeing */ + return yield; + } + +--- a/src/lookups/dbmdb.c ++++ b/src/lookups/dbmdb.c +@@ -99,11 +99,12 @@ exim_datum_data_set(&key, + memcpy(store_get(length, keystring), keystring, length)); /* key can have embedded NUL */ + exim_datum_size_set(&key, length); + + if (exim_dbget(d, &key, &data)) + { +- *result = string_copyn(exim_datum_data_get(&data), exim_datum_size_get(&data)); ++ unsigned len = exim_datum_size_get(&data); ++ *result = len > 0 ? string_copyn(exim_datum_data_get(&data), len) : US""; + exim_datum_free(&data); /* Some DBM libraries need a free() call */ + return OK; + } + return FAIL; + } +@@ -280,5 +281,7 @@ lookup_info dbmjz_lookup_info = { + + static lookup_info *_lookup_list[] = { &dbm_lookup_info, &dbmz_lookup_info, &dbmjz_lookup_info }; + lookup_module_info dbmdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 }; + + /* End of lookups/dbmdb.c */ ++/* vi: aw ai sw=2 ++*/ diff -Nru exim4-4.96/debian/patches/series exim4-4.96/debian/patches/series --- exim4-4.96/debian/patches/series 2024-07-09 10:53:35.000000000 +0200 +++ exim4-4.96/debian/patches/series 2024-09-28 16:46:46.000000000 +0200 
@@ -53,4 +53,5 @@ 78_01-Fix-MIME-parsing-of-filenames-specified-using-multip.patch 78_02-MIME-support-RFC-2331-for-name-.-Bug-3099.patch 78_03-Compiler-quietening.patch +80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch 90_localscan_dlopen.dpatch
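Review bot: the debian/changelog entry for 4.96-15+deb12u6 closes #1080472 but gives no upstream reference, while the cover mail and the patch header both carry exim Bug 3079 and commit a7e6ad0ba38cf088e841c321042f81966d846b4b; adding the upstream bug to the changelog line keeps the stable update traceable from the package alone, e.g. `* Fix crash in dbmnz when looking up keys with no content (upstream Bug 3079). Closes: #1080472`.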
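Review bot: the diffstat in the header of 80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch still lists test/aux-fixed/2302.emptydbmnzlookup, test/confs/2302, test/scripts/2300-DBM/2302 and test/stdout/2302 ("8 files changed, 29 insertions(+), 11 deletions(-)"), but the patch body only carries hunks for doc/ChangeLog, src/dbfn.c, src/exim_dbutil.c and src/lookups/dbmdb.c, so the upstream regression test for the empty-datum case is not part of the backport and the stat is misleading; a line in the patch header saying the testcase files were dropped (the aux-fixed file is binary) or a stat trimmed to the hunks actually carried would make that explicit.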
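Review bot: the dbfn_read_with_length hunk in src/dbfn.c only hoists exim_datum_size_get into `dlen`; for a zero-length datum `memcpy(yield, exim_datum_data_get(&result_datum), dlen)` is still called with whatever data pointer the DBM library hands back, which the ChangeLog entry says can be NULL, and memcpy with a null source pointer is undefined even for length 0. Guarding it with `if (dlen) memcpy(yield, exim_datum_data_get(&result_datum), dlen);` would make the hints-database reader robust in the same way the dbmdb.c lookup now is; the same function is duplicated verbatim in src/exim_dbutil.c and that copy needs the identical guard. The pointer-spacing changes in the signature and in `void * yield` are unrelated reformatting that only inflates the debdiff for a stable update and could be dropped from the backport.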
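Review bot: the src/lookups/dbmdb.c hunk returns `US""` for a zero-length datum instead of passing the library's data pointer to string_copyn, which removes the null dereference described in the ChangeLog; note, however, that `*result` then points at a string literal rather than at pool memory as it does in the `len > 0` branch, so this relies on every caller treating the lookup result as read-only, which is worth confirming for the 4.96 tree. The `/* vi: aw ai sw=2 */` modeline appended at the end of the file is unrelated to the fix and could be left out of the stable backport.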
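Review bot: the debian/patches/series entry sorts the new patch between 78_03-Compiler-quietening.patch and 90_localscan_dlopen.dpatch, which is the right place, but the file name 80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch has the upstream bug number cut to "30" by git format-patch's subject truncation; renaming the file and the series entry to end in Bug-3079.patch avoids the misleading reference.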