diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch b/debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch new file mode 100644 index 0000000..cfdbe51 --- /dev/null +++ b/debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch @@ -0,0 +1,69 @@ +From 09720dd9506176294154dad7152f5f40554046a4 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Thu, 14 Mar 2019 12:26:34 +0000 +Subject: [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME + +(cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026) +--- + doc/ChangeLog | 4 ++++ + src/dns.c | 10 +++++++--- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/doc/ChangeLog b/doc/ChangeLog +index 419c1061..0f8d05b2 100644 +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -19,10 +19,14 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under + suitably configured). + + JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part + and/or domain. Found and fixed by Jason Betts. + ++JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid ++ configuration). If a CNAME target was not a wellformed name pattern, a ++ crash could result. ++ + + Exim version 4.92 + ----------------- + + JH/01 Remove code calling the customisable local_scan function, unless a new +diff --git a/src/dns.c b/src/dns.c +index 0f0b435d..b7978c52 100644 +--- a/src/dns.c ++++ b/src/dns.c +@@ -714,11 +714,15 @@ regex has substrings that are used - the default uses a conditional. + This test is omitted for PTR records. These occur only in calls from the dnsdb + lookup, which constructs the names itself, so they should be OK. Besides, + bitstring labels don't conform to normal name syntax. (But the aren't used any + more.) + +-For SRV records, we omit the initial _smtp._tcp. components at the start. */ ++For SRV records, we omit the initial _smtp._tcp. components at the start. ++The check has been seen to bite on the destination of a SRV lookup that ++initiall hit a CNAME, for which the next name had only two components. ++RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia ++article on SRV says they are not a valid configuration. */ + + #ifndef STAND_ALONE /* Omit this for stand-alone tests */ + + if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) + { +@@ -730,12 +734,12 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) + /* For an SRV lookup, skip over the first two components (the service and + protocol names, which both start with an underscore). */ + + if (type == T_SRV || type == T_TLSA) + { +- while (*checkname++ != '.'); +- while (*checkname++ != '.'); ++ while (*checkname && *checkname++ != '.') ; ++ while (*checkname && *checkname++ != '.') ; + } + + if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname), + 0, PCRE_EOPT, ovector, nelem(ovector)) < 0) + { +-- +2.20.1 + |