diff options
Diffstat (limited to 'debian/patches/84_11-CVE-2020-28015-28021-New-line-injection-into-spool-h.patch')
| -rw-r--r-- | debian/patches/84_11-CVE-2020-28015-28021-New-line-injection-into-spool-h.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/debian/patches/84_11-CVE-2020-28015-28021-New-line-injection-into-spool-h.patch b/debian/patches/84_11-CVE-2020-28015-28021-New-line-injection-into-spool-h.patch new file mode 100644 index 0000000..1d2cc7e --- /dev/null +++ b/debian/patches/84_11-CVE-2020-28015-28021-New-line-injection-into-spool-h.patch @@ -0,0 +1,69 @@ +From ac8f49ef90e768a63ed3dca50e2b2c6e8d333bfd Mon Sep 17 00:00:00 2001 +From: Qualys Security Advisory <qsa@qualys.com> +Date: Sun, 21 Feb 2021 21:26:53 -0800 +Subject: [PATCH 11/29] CVE-2020-28015+28021: New-line injection into spool + header file + +--- + src/spool_out.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/src/spool_out.c b/src/spool_out.c +index d55895202..9394393d5 100644 +--- a/src/spool_out.c ++++ b/src/spool_out.c +@@ -108,6 +108,18 @@ return fd; + * Write the header spool file * + *************************************************/ + ++static const uschar * ++zap_newlines(const uschar *s) ++{ ++uschar *z, *p; ++ ++if (Ustrchr(s, '\n') == NULL) return s; ++ ++p = z = string_copy(s); ++while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' '; ++return z; ++} ++ + /* Returns the size of the file for success; zero for failure. The file is + written under a temporary name, and then renamed. It's done this way so that it + works with re-writing the file on message deferral as well as for the initial +@@ -210,7 +222,7 @@ if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount); + if (authenticated_id) + fprintf(fp, "-auth_id %s\n", authenticated_id); + if (authenticated_sender) +- fprintf(fp, "-auth_sender %s\n", authenticated_sender); ++ fprintf(fp, "-auth_sender %s\n", zap_newlines(authenticated_sender)); + + if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n"); + if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n"); +@@ -283,19 +295,20 @@ fprintf(fp, "%d\n", recipients_count); + for (i = 0; i < recipients_count; i++) + { + recipient_item *r = recipients_list + i; ++ const uschar *address = zap_newlines(r->address); + + DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags); + + if (r->pno < 0 && r->errors_to == NULL && r->dsn_flags == 0) +- fprintf(fp, "%s\n", r->address); ++ fprintf(fp, "%s\n", address); + else + { +- uschar * errors_to = r->errors_to ? r->errors_to : US""; ++ const uschar * errors_to = r->errors_to ? zap_newlines(r->errors_to) : US""; + /* for DSN SUPPORT extend exim 4 spool in a compatible way by + adding new values upfront and add flag 0x02 */ + uschar * orcpt = r->orcpt ? r->orcpt : US""; + +- fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt), ++ fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt), + r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno); + } + +-- +2.30.2 + |