From 2d5de741292ebb4122d07d0acc457715907d161e Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametzler@debian.org>
Date: Sat, 28 Sep 2024 16:49:26 +0200
Subject: [PATCH] Import Debian changes 4.96-15+deb12u6

---
 debian/changelog | 7 +
 ...z-crash-on-zero-length-datum.-Bug-30.patch | 141 ++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 149 insertions(+)
 create mode 100644 debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch

diff --git a/debian/changelog b/debian/changelog
index 797ed89..5068749 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+exim4 (4.96-15+deb12u6) bookworm; urgency=medium
+
+ * Fix crash in dbmnz when looking up keys with no content.
+ Closes: #1080472
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 28 Sep 2024 16:49:26 +0200
+
 exim4 (4.96-15+deb12u5) bookworm-security; urgency=high
 
 * Fix parsing of multiline RFC 2231 header filename parameter in mime ACL.
diff --git a/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch b/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
new file mode 100644
index 0000000..97e2e6e
--- /dev/null
+++ b/debian/patches/80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
@@ -0,0 +1,141 @@
+From a7e6ad0ba38cf088e841c321042f81966d846b4b Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Sat, 16 Mar 2024 13:50:45 +0000
+Subject: [PATCH] Lookups: fix dbmnz crash on zero-length datum. Bug 3079
+
+Broken-by: 6d2c02560e5c
+---
+ doc/ChangeLog | 3 +++
+ src/dbfn.c | 12 +++++++-----
+ src/exim_dbutil.c | 12 +++++++-----
+ src/lookups/dbmdb.c | 5 ++++-
+ test/aux-fixed/2302.emptydbmnzlookup | Bin 0 -> 12288 bytes
+ test/confs/2302 | 3 +++
+ test/scripts/2300-DBM/2302 | 4 ++++
+ test/stdout/2302 | 1 +
+ 8 files changed, 29 insertions(+), 11 deletions(-)
+ create mode 100644 test/aux-fixed/2302.emptydbmnzlookup
+ create mode 100644 test/confs/2302
+ create mode 100644 test/scripts/2300-DBM/2302
+ create mode 100644 test/stdout/2302
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -64,10 +64,13 @@ JH/20 Fix TLSA lookups. Previously dns_
+ 
+ JH/23 Fix crash in string expansions. Previously, if an empty variable was
+ immediately followed by an expansion operator, a null-indirection read
+ was done, killing the process.
+ 
++JH/25 Bug 3079: Fix crash in dbmnz. When a key was present for zero-length
++ data a null pointer was followed. Find and testcase by Sebastian Bugge.
++
+ JH/27 Fix ${srs_encode ..}. Previously it would give a bad result for one day
+ every 1024 days.
+ 
+ JH/28 Bug 2996: Fix a crash in the smtp transport. When finding that the
+ message being considered for delivery was already being handled by
+--- a/src/dbfn.c
++++ b/src/dbfn.c
+@@ -236,16 +236,17 @@ Arguments:
+ Returns: a pointer to the retrieved record, or
+ NULL if the record is not found
+ */
+ 
+ void *
+-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
++dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length)
+ {
+-void *yield;
++void * yield;
+ EXIM_DATUM key_datum, result_datum;
+ int klen = Ustrlen(key) + 1;
+ uschar * key_copy = store_get(klen, key);
++unsigned dlen;
+ 
+ memcpy(key_copy, key, klen);
+ 
+ DEBUG(D_hints_lookup) debug_printf_indent("dbfn_read: key=%s\n", key);
+ 
+@@ -257,13 +258,14 @@ exim_datum_size_set(&key_datum, klen);
+ if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
+ 
+ /* Assume the data store could have been tainted. Properly, we should
+ store the taint status with the data. */
+ 
+-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
+-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
+-if (length) *length = exim_datum_size_get(&result_datum);
++dlen = exim_datum_size_get(&result_datum);
++yield = store_get(dlen, GET_TAINTED);
++memcpy(yield, exim_datum_data_get(&result_datum), dlen);
++if (length) *length = dlen;
+ 
+ exim_datum_free(&result_datum); /* Some DBM libs require freeing */
+ return yield;
+ }
+ 
+--- a/src/exim_dbutil.c
++++ b/src/exim_dbutil.c
+@@ -401,16 +401,17 @@ Arguments:
+ Returns: a pointer to the retrieved record, or
+ NULL if the record is not found
+ */
+ 
+ void *
+-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
++dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length)
+ {
+-void *yield;
++void * yield;
+ EXIM_DATUM key_datum, result_datum;
+ int klen = Ustrlen(key) + 1;
+ uschar * key_copy = store_get(klen, key);
++unsigned dlen;
+ 
+ memcpy(key_copy, key, klen);
+ 
+ exim_datum_init(&key_datum); /* Some DBM libraries require the datum */
+ exim_datum_init(&result_datum); /* to be cleared before use. */
+@@ -420,13 +421,14 @@ exim_datum_size_set(&key_datum, klen);
+ if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
+ 
+ /* Assume for now that anything stored could have been tainted. Properly
+ we should store the taint status along with the data. */
+ 
+-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
+-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
+-if (length) *length = exim_datum_size_get(&result_datum);
++dlen = exim_datum_size_get(&result_datum);
++yield = store_get(dlen, GET_TAINTED);
++memcpy(yield, exim_datum_data_get(&result_datum), dlen);
++if (length) *length = dlen;
+ 
+ exim_datum_free(&result_datum); /* Some DBM libs require freeing */
+ return yield;
+ }
+ 
+--- a/src/lookups/dbmdb.c
++++ b/src/lookups/dbmdb.c
+@@ -99,11 +99,12 @@ exim_datum_data_set(&key,
+ memcpy(store_get(length, keystring), keystring, length)); /* key can have embedded NUL */
+ exim_datum_size_set(&key, length);
+ 
+ if (exim_dbget(d, &key, &data))
+ {
+- *result = string_copyn(exim_datum_data_get(&data), exim_datum_size_get(&data));
++ unsigned len = exim_datum_size_get(&data);
++ *result = len > 0 ? string_copyn(exim_datum_data_get(&data), len) : US"";
+ exim_datum_free(&data); /* Some DBM libraries need a free() call */
+ return OK;
+ }
+ return FAIL;
+ }
+@@ -280,5 +281,7 @@ lookup_info dbmjz_lookup_info = {
+ 
+ static lookup_info *_lookup_list[] = { &dbm_lookup_info, &dbmz_lookup_info, &dbmjz_lookup_info };
+ lookup_module_info dbmdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
+ 
+ /* End of lookups/dbmdb.c */
++/* vi: aw ai sw=2
++*/
diff --git a/debian/patches/series b/debian/patches/series
index 877c5ab..c9d5953 100644
--- a/debian/patches/series
+++ b/debian/patches/series
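Review bot: The zero-length case this patch guards in src/lookups/dbmdb.c is still unguarded in the second src/dbfn.c hunk: with `dlen == 0` the new code still calls `memcpy(yield, exim_datum_data_get(&result_datum), 0)`, and if the DBM library returns a NULL data pointer for an empty record (the condition the commit message describes for Bug 3079) a NULL source is undefined behaviour for memcpy even at length zero, and compilers may treat the pointer as non-null from then on. Add the same guard dbmdb.c uses: `if (dlen > 0) memcpy(yield, exim_datum_data_get(&result_datum), dlen);`. Whether this library build actually hands back NULL for empty values is not visible in the hunk, so treat this as defensive hardening rather than a reproduced crash. Note also that `*length = dlen` narrows an `unsigned` into an `int *`, harmless for realistic record sizes but worth a one-line comment. `dbfn_read_with_length` starts in the previous hunk, so the datum setup between the two hunks is not shown here.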
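Review bot: The second src/exim_dbutil.c hunk is a verbatim second copy of `dbfn_read_with_length` and carries the same unguarded zero-length `memcpy` as the src/dbfn.c version: when `dlen == 0` the source pointer from `exim_datum_data_get(&result_datum)` may be NULL, which is the very condition the commit fixes in dbmdb.c, and memcpy with a NULL source is undefined behaviour regardless of length. Apply the guard in both copies so the utility and the daemon stay in step: `if (dlen > 0) memcpy(yield, exim_datum_data_get(&result_datum), dlen);`. The duplication itself predates this change; a shared helper would remove the need to patch both files, but that is out of scope for a stable update. The function starts in the preceding hunk.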
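Review bot: In the first src/lookups/dbmdb.c hunk, `len > 0 ? string_copyn(...) : US""` hands callers a pointer to a static string literal for an empty datum while every other result is a fresh copy in dynamic store from `string_copyn`; if any consumer of `*result` (or the taint tracking the dbfn.c comments allude to) assumes the result is pool-allocated, the literal is the one exception. A single code path removes the question: `*result = string_copyn(len ? exim_datum_data_get(&data) : US"", len);` always gives `string_copyn` a valid source pointer and always returns allocated store. Whether callers rely on that is not visible here, so this is a consistency suggestion rather than a reported bug. The enclosing lookup function (its name is not in the hunk) starts before this hunk.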
@@ -53,4 +53,5 @@
 78_01-Fix-MIME-parsing-of-filenames-specified-using-multip.patch
 78_02-MIME-support-RFC-2331-for-name-.-Bug-3099.patch
 78_03-Compiler-quietening.patch
+80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
 90_localscan_dlopen.dpatch
-- 
GitLab