From 0e07b731832cd9a3af33e681f86f6da7c1c179b7 Mon Sep 17 00:00:00 2001
From: joerg
Date: Mon, 6 Mar 2006 22:49:16 +0000
Subject: [PATCH] Fix parsing of IPv6 address possibly result in privilege escalation.
---
 mail/exim3/Makefile | 4 ++--
 mail/exim3/distinfo | 4 +++-
 mail/exim3/patches/patch-ao | 13 +++++++++++++
 mail/exim3/patches/patch-ap | 24 ++++++++++++++++++++++++
 4 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 mail/exim3/patches/patch-ao
 create mode 100644 mail/exim3/patches/patch-ap
diff --git a/mail/exim3/Makefile b/mail/exim3/Makefile
index 4ff46c8c2a4b..e55ee2009205 100644
--- a/mail/exim3/Makefile
+++ b/mail/exim3/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.30 2006/02/13 23:20:32 joerg Exp $
+# $NetBSD: Makefile,v 1.31 2006/03/06 22:49:16 joerg Exp $
 
 DISTNAME= exim-3.36
-PKGREVISION= 6
+PKGREVISION= 7
 CATEGORIES= mail net
 MASTER_SITES= ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim3/ \
 http://public.planetmirror.com.au/pub/exim/exim3/
diff --git a/mail/exim3/distinfo b/mail/exim3/distinfo
index 4e9eb9946ad4..8a42aa17b647 100644
--- a/mail/exim3/distinfo
+++ b/mail/exim3/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2006/02/13 23:20:32 joerg Exp $
+$NetBSD: distinfo,v 1.9 2006/03/06 22:49:16 joerg Exp $
 
 SHA1 (exim-3.36.tar.bz2) = 2a06a2858ebf8cdedf2e41fa3f258b5e468e270d
 RMD160 (exim-3.36.tar.bz2) = 2654601eaf54fc15c1ebeabfee53c828f2fd22dd
@@ -17,3 +17,5 @@ SHA1 (patch-ak) = 59ec9e8726c00237d631349cf963b2a5112d75d6
 SHA1 (patch-al) = dd1263e5d8dd18c6ea1bfbe79cee74d3bc76f4c4
 SHA1 (patch-am) = 26f66062bb133340ed2b336008673a78bd017e9e
 SHA1 (patch-an) = 7d40d720613b88772bb69993ffbfc754c9310acb
+SHA1 (patch-ao) = b96e99cf56f205a7273759a2f090c1eed188cc36
+SHA1 (patch-ap) = bba7a0412976e7c022a48ed47207e9d9b42f073f
diff --git a/mail/exim3/patches/patch-ao b/mail/exim3/patches/patch-ao
new file mode 100644
index 000000000000..735d6f43d7bf
--- /dev/null
+++ b/mail/exim3/patches/patch-ao
@@ -0,0 +1,13 @@
+$NetBSD: patch-ao,v 1.1 2006/03/06 22:49:16 joerg Exp $
+
+--- src/lookups/dnsdb.c.orig 2006-02-14 16:38:38.000000000 +0100
++++ src/lookups/dnsdb.c
+@@ -116,7 +116,7 @@ if (equals != NULL)
+ /* If the type is PTR, we have to construct the relevant magic lookup
+ key. */
+
+-if (type == T_PTR)
++if (type == T_PTR && string_is_ip_address(keystring, NULL))
+ {
+ char *p = keystring + (int)strlen(keystring);
+ char *pp = buffer;
diff --git a/mail/exim3/patches/patch-ap b/mail/exim3/patches/patch-ap
new file mode 100644
index 000000000000..49c700a553f0
--- /dev/null
+++ b/mail/exim3/patches/patch-ap
@@ -0,0 +1,24 @@
+$NetBSD: patch-ap,v 1.1 2006/03/06 22:49:16 joerg Exp $
+
+--- src/host.c.orig 2006-02-14 16:41:01.000000000 +0100
++++ src/host.c
+@@ -620,12 +620,18 @@ if (strchr(address, ':') != NULL)
+
+ if (*p == ':') p++;
+
+- /* Split the address into components separated by colons. */
++ /* Split the address into components separated by colons. The input address
++ is supposed to be checked for syntax. There was a case where this was
++ overlooked; to guard against that happening again, check here and crash if
++ there is a violation. */
+
+ while (*p != 0)
+ {
+ int len = strcspn(p, ":");
+ if (len == 0) nulloffset = ci;
++ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
++ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
++ address);
+ component[ci++] = p;
+ p += len;
+ if (*p == ':') p++;
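Review bot: In patch-ao (src/lookups/dnsdb.c) the comment above the changed condition still says a PTR lookup always gets the magic key constructed, but with the new `string_is_ip_address(keystring, NULL)` guard a key that is not an address skips that block and, as far as the hunk shows, reaches the lookup unchanged. A comment such as `/* Only build the reverse key when the key is a syntactically valid IP address; anything else is looked up as given. */` would record why the guard exists, since the code inside the block presumably hands the string to an address parser that assumes valid syntax. The condition relies on the truthiness of `string_is_ip_address()`, so it is worth confirming against its declaration that it returns zero for every non-address in this Exim version. The body of the `if` continues outside the hunk.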
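Review bot: In patch-ap (src/host.c) the new bound check inside the `while` loop hard-codes `7`, which protects `component[ci++] = p;` only if `component` has exactly eight slots; its declaration is outside the hunk, so that cannot be confirmed here. Deriving the limit from the array, e.g. `if (ci >= (int)(sizeof(component)/sizeof(component[0]))) log_write(...)`, keeps the guard correct if the array size ever changes. The guard also depends on `log_write()` not returning when `LOG_PANIC_DIE` is set, because the store on the following line is unconditional; the added comment could state that assumption. The loop and the enclosing function continue outside the hunk.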