1 files changed, 41 insertions, 0 deletions

diff --git a/debian/patches/84_15-Security-Safeguard-against-relative-names-for-msglog.patch b/debian/patches/84_15-Security-Safeguard-against-relative-names-for-msglog.patch
new file mode 100644
index 0000000..7b2607a
--- /dev/null
+++ b/debian/patches/84_15-Security-Safeguard-against-relative-names-for-msglog.patch
@@ -0,0 +1,41 @@
+From 0d5d8fc918c4b999a2d5b025d94e25e43680377d Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 22:00:31 -0800
+Subject: [PATCH 15/29] Security: Safeguard against relative names for msglog
+ files.
+
+Based on Heiko Schlittermann's commit 4f0ac4ad. This fixes:
+
+3/ In src/deliver.c:
+
+ 333 static int
+ 334 open_msglog_file(uschar *filename, int mode, uschar **error)
+ 335 {
+ 336 if (Ustrstr(filename, US"/../"))
+ 337   log_write(0, LOG_MAIN|LOG_PANIC,
+ 338     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
+
+Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
+the /../ attempt but will open the file anyway.
+---
+ src/deliver.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/deliver.c b/src/deliver.c
+index d4ed8af08..279672ce0 100644
+--- a/src/deliver.c
++++ b/src/deliver.c
+@@ -331,6 +331,10 @@ open_msglog_file(uschar *filename, int mode, uschar **error)
+ {
+ int fd, i;
+ 
++if (Ustrstr(filename, US"/../"))
++  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
++      "Attempt to open msglog file path with upward-traversal: '%s'", filename);
++
+ for (i = 2; i > 0; i--)
+   {
+   fd = Uopen(filename,
+-- 
+2.30.2
+