Commit
2d5de741
authored
6 months ago
by
Andreas Metzler
Committed by
Dylan Aïssi
4 months ago
Import Debian changes 4.96-15+deb12u6
parent
fadf3753
No related branches found
Branches containing commit
Tags
apertis/4.96-15+deb12u3+apertis0
Tags containing commit
4 merge requests
!14
Merge changes from apertis/v2024-updates into apertis/v2024
,
!13
Backport v2024 <- v2025: Update from debian/bookworm
,
!12
Backport v2025 <- v2026dev1: Update from debian/bookworm
,
!11
Update from debian/bookworm for apertis/v2026dev1
Pipeline
#856379
canceled
3 weeks ago
Stage: build-env
Stage: update
Stage: merge
Showing
3 changed files
debian/changelog
+7
-0
7 additions, 0 deletions
debian/changelog
debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
+141
-0
141 additions, 0 deletions
...ookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
debian/patches/series
+1
-0
1 addition, 0 deletions
debian/patches/series
with
149 additions
and
0 deletions
debian/changelog
+
7
−
0
exim4 (4.96-15+deb12u6) bookworm; urgency=medium
* Fix crash in dbmnz when looking up keys with no content.
Closes: #1080472
-- Andreas Metzler <ametzler@debian.org> Sat, 28 Sep 2024 16:49:26 +0200
exim4 (4.96-15+deb12u5) bookworm-security; urgency=high
* Fix parsing of multiline RFC 2231 header filename parameter in mime ACL.
...
...
debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
0 → 100644
+
141
−
0
From a7e6ad0ba38cf088e841c321042f81966d846b4b Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sat, 16 Mar 2024 13:50:45 +0000
Subject: [PATCH] Lookups: fix dbmnz crash on zero-length datum. Bug 3079
Broken-by: 6d2c02560e5c
---
doc/ChangeLog | 3 +++
src/dbfn.c | 12 +++++++-----
src/exim_dbutil.c | 12 +++++++-----
src/lookups/dbmdb.c | 5 ++++-
test/aux-fixed/2302.emptydbmnzlookup | Bin 0 -> 12288 bytes
test/confs/2302 | 3 +++
test/scripts/2300-DBM/2302 | 4 ++++
test/stdout/2302 | 1 +
8 files changed, 29 insertions(+), 11 deletions(-)
create mode 100644 test/aux-fixed/2302.emptydbmnzlookup
create mode 100644 test/confs/2302
create mode 100644 test/scripts/2300-DBM/2302
create mode 100644 test/stdout/2302
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -64,10 +64,13 @@
JH/20 Fix TLSA lookups. Previously dns_
JH/23 Fix crash in string expansions. Previously, if an empty variable was
immediately followed by an expansion operator, a null-indirection read
was done, killing the process.
+JH/25 Bug 3079: Fix crash in dbmnz. When a key was present for zero-length
+ data a null pointer was followed. Find and testcase by Sebastian Bugge.
+
JH/27 Fix ${srs_encode ..}. Previously it would give a bad result for one day
every 1024 days.
JH/28 Bug 2996: Fix a crash in the smtp transport. When finding that the
message being considered for delivery was already being handled by
--- a/src/dbfn.c
+++ b/src/dbfn.c
@@ -236,16 +236,17 @@
Arguments:
Returns: a pointer to the retrieved record, or
NULL if the record is not found
*/
void *
-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
+dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length)
{
-void *yield;
+void * yield;
EXIM_DATUM key_datum, result_datum;
int klen = Ustrlen(key) + 1;
uschar * key_copy = store_get(klen, key);
+unsigned dlen;
memcpy(key_copy, key, klen);
DEBUG(D_hints_lookup) debug_printf_indent("dbfn_read: key=%s\n", key);
@@ -257,13 +258,14 @@
exim_datum_size_set(&key_datum, klen);
if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
/* Assume the data store could have been tainted. Properly, we should
store the taint status with the data. */
-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
-if (length) *length = exim_datum_size_get(&result_datum);
+dlen = exim_datum_size_get(&result_datum);
+yield = store_get(dlen, GET_TAINTED);
+memcpy(yield, exim_datum_data_get(&result_datum), dlen);
+if (length) *length = dlen;
exim_datum_free(&result_datum); /* Some DBM libs require freeing */
return yield;
}
--- a/src/exim_dbutil.c
+++ b/src/exim_dbutil.c
@@ -401,16 +401,17 @@
Arguments:
Returns: a pointer to the retrieved record, or
NULL if the record is not found
*/
void *
-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
+dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length)
{
-void *yield;
+void * yield;
EXIM_DATUM key_datum, result_datum;
int klen = Ustrlen(key) + 1;
uschar * key_copy = store_get(klen, key);
+unsigned dlen;
memcpy(key_copy, key, klen);
exim_datum_init(&key_datum); /* Some DBM libraries require the datum */
exim_datum_init(&result_datum); /* to be cleared before use. */
@@ -420,13 +421,14 @@
exim_datum_size_set(&key_datum, klen);
if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
/* Assume for now that anything stored could have been tainted. Properly
we should store the taint status along with the data. */
-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
-if (length) *length = exim_datum_size_get(&result_datum);
+dlen = exim_datum_size_get(&result_datum);
+yield = store_get(dlen, GET_TAINTED);
+memcpy(yield, exim_datum_data_get(&result_datum), dlen);
+if (length) *length = dlen;
exim_datum_free(&result_datum); /* Some DBM libs require freeing */
return yield;
}
--- a/src/lookups/dbmdb.c
+++ b/src/lookups/dbmdb.c
@@ -99,11 +99,12 @@
exim_datum_data_set(&key,
memcpy(store_get(length, keystring), keystring, length)); /* key can have embedded NUL */
exim_datum_size_set(&key, length);
if (exim_dbget(d, &key, &data))
{
- *result = string_copyn(exim_datum_data_get(&data), exim_datum_size_get(&data));
+ unsigned len = exim_datum_size_get(&data);
+ *result = len > 0 ? string_copyn(exim_datum_data_get(&data), len) : US"";
exim_datum_free(&data); /* Some DBM libraries need a free() call */
return OK;
}
return FAIL;
}
@@ -280,5 +281,7 @@
lookup_info dbmjz_lookup_info = {
static lookup_info *_lookup_list[] = { &dbm_lookup_info, &dbmz_lookup_info, &dbmjz_lookup_info };
lookup_module_info dbmdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
/* End of lookups/dbmdb.c */
+/* vi: aw ai sw=2
+*/
debian/patches/series
+
1
−
0
...
...
@@ -53,4 +53,5 @@
78_01-Fix-MIME-parsing-of-filenames-specified-using-multip.patch
78_02-MIME-support-RFC-2331-for-name-.-Bug-3099.patch
78_03-Compiler-quietening.patch
80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
90_localscan_dlopen.dpatch