Diffstat (limited to 'debian/patches/75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch')
-rw-r--r--debian/patches/75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/debian/patches/75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch b/debian/patches/75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
new file mode 100644
index 0000000..0cfc69e
--- /dev/null
+++ b/debian/patches/75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
@@ -0,0 +1,77 @@
+From 21b172df101c2c52faf0cc56a502395451975be9 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 24 Aug 2023 15:51:21 +0100
+Subject: [PATCH 2/2] Re-fix live variable $value free. The inital fix
+ resulted in $value from ${run...} not being available later, which is a
+ documented feature.
+
+Broken=by: cf3fecb9e873
+---
+ doc/doc-docbook/spec.xfpt | 1 +
+ doc/ChangeLog | 4 ++--
+ src/exim.c | 3 ++-
+ test/confs/0635 | 1 +
+ test/log/0635 | 1 +
+ test/mail/0635.CALLER | 13 +++++++++++++
+ 6 files changed, 20 insertions(+), 3 deletions(-)
+ create mode 100644 test/mail/0635.CALLER
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -76,10 +76,13 @@ JH/31 Bug 2998: Fix ${utf8clean:...} to
+ editor insists on emitting only valid UTF-8.
+
+ JH/32 Fix "tls_dhparam = none" under GnuTLS. At least with 3.7.9 this gave
+ a null-indireciton SIGSEGV for the receive process.
+
++JH/33 Fix free for live variable $value created by a ${run ...} expansion during
++ -bh use. Internal checking would spot this and take a panic.
++
+ JH/34 Bug 3013: Fix use of $recipients within arguments for ${run...}.
+ In 4.96 this would expand to empty.
+
+ JH/35 Bug 3014: GnuTLS: fix expiry date for an auto-generated server
+ certificate. Find and fix by Andreas Metzler.
+--- a/src/exim.c
++++ b/src/exim.c
+@@ -5754,11 +5754,11 @@ for (BOOL more = TRUE; more; )
+ for (int i = 0; i < count; i++)
+ {
+ int start, end, domain;
+ uschar * errmess;
+ /* There can be multiple addresses, so EXIM_DISPLAYMAIL_MAX (tuned for 1) is too short.
+- * We'll still want to cap it to something, just in case. */
++ We'll still want to cap it to something, just in case. */
+ uschar * s = string_copy_taint(
+ exim_str_fail_toolong(list[i], BIG_BUFFER_SIZE, "address argument"),
+ GET_TAINTED);
+
+ /* Loop for each comma-separated address */
+@@ -6089,10 +6089,11 @@ MORELOOP:
+ callout_address = NULL;
+ sending_ip_address = NULL;
+ deliver_localpart_data = deliver_domain_data =
+ recipient_data = sender_data = NULL;
+ acl_var_m = NULL;
++ lookup_value = NULL; /* Can be set by ACL */
+
+ store_reset(reset_point);
+ }
+
+ exim_exit(EXIT_SUCCESS); /* Never returns */
+--- a/doc/spec.txt
++++ b/doc/spec.txt
+@@ -9650,10 +9650,13 @@ ${run <options> {<command arg list>}{<st
+ If the command requires shell idioms, such as the > redirect operator, the
+ shell must be invoked directly, such as with:
+
+ ${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{yes}}
+
++ Note that $value will not persist beyond the reception of a single
++ message.
++
+ The return code from the command is put in the variable $runrc, and this
+ remains set afterwards, so in a filter file you can do things like this:
+
+ if "${run{x y z}{}}$runrc" is 1 then ...
+ elif $runrc is 2 then ...
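Review bot: The comment on the added `lookup_value = NULL; /* Can be set by ACL */` line in the src/exim.c MORELOOP hunk does not say why the reset has to sit exactly here. Judging by the subject line and the JH/33 ChangeLog entry, $value would otherwise keep pointing at storage that the following `store_reset(reset_point)` releases, and the trigger named there is a ${run ...} expansion under -bh rather than an ACL alone. A comment such as `lookup_value = NULL; /* $value (ACL, ${run}) may point into store released just below */` would make that ordering dependency visible to whoever next adds a per-message pointer to this list. The embedded diffstat also lists test/confs/0635, test/log/0635 and test/mail/0635.CALLER, but this patch file carries no hunks for them, so the package appears to ship the fix without its regression case; the patch header should say so. The enclosing loop in src/exim.c starts and ends outside the hunk.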