Prereq: "2.5.11" diff -cr --new-file /var/tmp/postfix-2.5.11/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.5.11/src/global/mail_version.h Tue Nov 23 11:21:53 2010 --- ./src/global/mail_version.h Tue Mar 1 14:24:55 2011 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20101123" ! #define MAIL_VERSION_NUMBER "2.5.11" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20110303" ! #define MAIL_VERSION_NUMBER "2.5.12" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.5.11/HISTORY ./HISTORY *** /var/tmp/postfix-2.5.11/HISTORY Tue Nov 23 11:23:06 2010 --- ./HISTORY Sun Feb 27 16:04:55 2011 *************** *** 14571,14576 **** --- 14571,14588 ---- 2821 (and 5321) is vague about the VRFY request format, but spends lots of text on the reply format. File: smtpd/smtpd.c. + 20100422 + + Workaround (introduced: postfix-19990906 a.k.a. Postfix + 0.8.0). The Postfix local delivery agent did not properly + distinguish between "address has no extension" and "address + has an extension, but the extension is invalid". In both + cases it would run only the full recipient local-part through + the alias maps. Instead, it now drops the faulty extension + from the recipient address local-part (it would be too + error-prone to replace all tests for "no extension" by tests + for "no valid extension". File: local/recipient.c. + 20100610 Bugfix (introduced Postfix 2.2): Postfix no longer appends *************** *** 14610,14612 **** --- 14622,14680 ---- compliance. We now make an exception for "final" replies, as permitted by RFC. Solution by Victor Duchovni. File: smtpd/smtpd.c. 
+ + 20101201 + + Workaround: BSD-ish mkdir() ignores the effective GID and + copies group ownership from the parent directory. File: + util/make_dirs.c. + + 20101202 + + Cleanup: the cleanup server now reports a temporary delivery + error when it reaches the virtual_alias_expansion_limit or + virtual_alias_recursion_limit. Previously, it would silently + ignore the excess recipients and deliver the message. File: + cleanup/cleanup_map1n.c. + + 20110105 + + Bugfix (introduced with the Postfix TLS patch): discard + plaintext following the STARTTLS command or response. This + matters only for the minority of SMTP clients that actually + verify server certificates. Files: smtpd/smtpd.c, + smtp/smtp_proto.c. + + This vulnerability is also known as CVE-2011-0411. + + 20110109 + + Bugfix (introduced Postfix 2.4): on Solaris the Postfix + event engine was deaf for SIGHUP and SIGALRM signals after + the switch to /dev/poll. Symptoms were delayed "postfix + reload" response, and killed processes when the watchdog + timeout was less than max_idle. The fix is to set up SIGHUP + and SIGALRM handlers that write to a pipe, and to monitor + that pipe for read events via the Postfix event engine. + Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h. + + 20110117 + + Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX + the Postfix event engine was deaf for SIGALRM signals. + Symptoms were killed processes when the watchdog timeout + was less than max_idle. The fix is the same as Solaris fix + 20110109. Since we can't know what other systems need this, + the workaround is enabled by default. Files: util/sys_defs.h. + + 20110225 + + Workaround (problem introduced with IPv6 support in Postfix + 2.2): the SMTP client did not support mail to [ipv6:ipv6addr]. + Fix based on a patch by Gurusamy Sarathy (Sophos). File: + util/host_port.c and regression test files. + + 20110227 + + Portability: FreeBSD closefrom() support time window. Sahil + Tandon. File: util/sys_defs.h. 
diff -cr --new-file /var/tmp/postfix-2.5.11/makedefs ./makedefs *** /var/tmp/postfix-2.5.11/makedefs Mon Mar 22 16:03:51 2010 --- ./makedefs Sat Jan 15 18:16:36 2011 *************** *** 214,219 **** --- 214,225 ---- done ;; AIX.*) case "`uname -v`" in + 6) SYSTYPE=AIX6 + case "$CC" in + cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; + esac + CCARGS="$CCARGS -D_ALL_SOURCE -DHAS_POSIX_REGEXP" + ;; 5) SYSTYPE=AIX5 case "$CC" in cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; diff -cr --new-file /var/tmp/postfix-2.5.11/src/cleanup/cleanup_map1n.c ./src/cleanup/cleanup_map1n.c *** /var/tmp/postfix-2.5.11/src/cleanup/cleanup_map1n.c Thu May 29 12:49:02 2003 --- ./src/cleanup/cleanup_map1n.c Sun Dec 5 18:53:37 2010 *************** *** 15,27 **** /* This module implements one-to-many table mapping via table lookup. /* Table lookups are done with quoted (externalized) address forms. /* The process is recursive. The recursion terminates when the ! /* left-hand side appears in its own expansion, or when a maximal ! /* nesting level is reached. /* /* cleanup_map1n_internal() is the interface for addresses in /* internal (unquoted) form. /* DIAGNOSTICS ! /* Recoverable errors: the global \fIcleanup_errs\fR flag is updated. /* SEE ALSO /* mail_addr_map(3) address mappings /* mail_addr_find(3) address lookups --- 15,32 ---- /* This module implements one-to-many table mapping via table lookup. /* Table lookups are done with quoted (externalized) address forms. /* The process is recursive. The recursion terminates when the ! /* left-hand side appears in its own expansion. /* /* cleanup_map1n_internal() is the interface for addresses in /* internal (unquoted) form. /* DIAGNOSTICS ! /* When the maximal expansion or recursion limit is reached, ! /* the alias is not expanded and the CLEANUP_STAT_DEFER error ! /* is raised with reason "4.6.0 Alias expansion error". ! /* ! 
/* When table lookup fails, the alias is not expanded and the ! /* CLEANUP_STAT_WRITE error is raised with reason "4.6.0 Alias ! /* expansion error". /* SEE ALSO /* mail_addr_map(3) address mappings /* mail_addr_find(3) address lookups *************** *** 93,107 **** * must index the array explicitly, instead of running along it with a * pointer. */ ! #define UPDATE(ptr,new) { myfree(ptr); ptr = mystrdup(new); } #define STR vstring_str ! #define RETURN(x) { been_here_free(been_here); return (x); } for (arg = 0; arg < argv->argc; arg++) { if (argv->argc > var_virt_expan_limit) { ! msg_warn("%s: unreasonable %s map expansion size for %s", state->queue_id, maps->title, addr); ! break; } for (count = 0; /* void */ ; count++) { --- 98,123 ---- * must index the array explicitly, instead of running along it with a * pointer. */ ! #define UPDATE(ptr,new) do { \ ! if (ptr) myfree(ptr); ptr = mystrdup(new); \ ! } while (0) #define STR vstring_str ! #define RETURN(x) do { \ ! been_here_free(been_here); return (x); \ ! } while (0) ! #define UNEXPAND(argv, addr) do { \ ! argv_truncate((argv), 0); argv_add((argv), (addr), (char *) 0); \ ! } while (0) for (arg = 0; arg < argv->argc; arg++) { if (argv->argc > var_virt_expan_limit) { ! msg_warn("%s: unreasonable %s map expansion size for %s -- " ! "deferring delivery", state->queue_id, maps->title, addr); ! state->errs |= CLEANUP_STAT_DEFER; ! UPDATE(state->reason, "4.6.0 Alias expansion error"); ! UNEXPAND(argv, addr); ! RETURN(argv); } for (count = 0; /* void */ ; count++) { *************** *** 111,119 **** if (been_here_check_fixed(been_here, argv->argv[arg]) != 0) break; if (count >= var_virt_recur_limit) { ! msg_warn("%s: unreasonable %s map nesting for %s", state->queue_id, maps->title, addr); ! 
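Review bot: The defer sequence after the `var_virt_expan_limit` warning (set `state->errs`, `UPDATE(state->reason, ...)`, `UNEXPAND(argv, addr)`, `RETURN(argv)`) is written out in full here and again in the nesting-limit and map-lookup-failure hunks, differing only in the status flag. Folding it into one macro keeps the reason text and the unexpand step from drifting apart: `#define ALIAS_ERROR(st) do { state->errs |= (st); UPDATE(state->reason, "4.6.0 Alias expansion error"); UNEXPAND(argv, addr); RETURN(argv); } while (0)`. `UPDATE` also expands `ptr` and `new` without parentheses, unlike `UNEXPAND`, which is harmless for the current call sites but inconsistent. The enclosing function starts and ends outside this hunk.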
break; } quote_822_local(state->temp1, argv->argv[arg]); if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) { --- 127,139 ---- if (been_here_check_fixed(been_here, argv->argv[arg]) != 0) break; if (count >= var_virt_recur_limit) { ! msg_warn("%s: unreasonable %s map nesting for %s -- " ! "deferring delivery", state->queue_id, maps->title, addr); ! state->errs |= CLEANUP_STAT_DEFER; ! UPDATE(state->reason, "4.6.0 Alias expansion error"); ! UNEXPAND(argv, addr); ! RETURN(argv); } quote_822_local(state->temp1, argv->argv[arg]); if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) { *************** *** 136,144 **** myfree(saved_lhs); argv_free(lookup); } else if (dict_errno != 0) { ! msg_warn("%s: %s map lookup problem for %s", state->queue_id, maps->title, addr); state->errs |= CLEANUP_STAT_WRITE; RETURN(argv); } else { break; --- 156,167 ---- myfree(saved_lhs); argv_free(lookup); } else if (dict_errno != 0) { ! msg_warn("%s: %s map lookup problem for %s -- " ! "deferring delivery", state->queue_id, maps->title, addr); state->errs |= CLEANUP_STAT_WRITE; + UPDATE(state->reason, "4.6.0 Alias expansion error"); + UNEXPAND(argv, addr); RETURN(argv); } else { break; diff -cr --new-file /var/tmp/postfix-2.5.11/src/local/recipient.c ./src/local/recipient.c *** /var/tmp/postfix-2.5.11/src/local/recipient.c Sun Apr 22 11:40:41 2007 --- ./src/local/recipient.c Thu Feb 17 20:15:07 2011 *************** *** 287,292 **** --- 287,296 ---- /* * Address extension management. + * + * XXX Fix 20100422, finalized 20100529: it is too error-prone to + * distinguish between "no extension" and "no valid extension", so we + * drop an invalid extension from the recipient address local-part. 
*/ state.msg_attr.user = mystrdup(state.msg_attr.local); if (*var_rcpt_delim) { *************** *** 296,301 **** --- 300,308 ---- msg_warn("%s: address with illegal extension: %s", state.msg_attr.queue_id, state.msg_attr.local); state.msg_attr.extension = 0; + /* XXX Can't myfree + mystrdup, must truncate instead. */ + state.msg_attr.local[strlen(state.msg_attr.user)] = 0; + /* Truncating is safe. The code below rejects null usernames. */ } } else state.msg_attr.extension = 0; diff -cr --new-file /var/tmp/postfix-2.5.11/src/master/master_sig.c ./src/master/master_sig.c *** /var/tmp/postfix-2.5.11/src/master/master_sig.c Wed Dec 6 20:47:58 2006 --- ./src/master/master_sig.c Sun Jan 9 14:53:28 2011 *************** *** 53,61 **** #ifdef USE_SIG_RETURN #include ! #endif ! ! #ifndef USE_SIG_RETURN #define USE_SIG_PIPE #endif --- 53,60 ---- #ifdef USE_SIG_RETURN #include ! #undef USE_SIG_PIPE ! #else #define USE_SIG_PIPE #endif *************** *** 76,81 **** --- 75,82 ---- int master_gotsigchld; int master_gotsighup; + #ifdef USE_SIG_RETURN + /* master_sighup - register arrival of hangup signal */ static void master_sighup(int sig) *************** *** 92,99 **** /* master_sigchld - register arrival of child death signal */ - #ifdef USE_SIG_RETURN - static void master_sigchld(int sig, int code, struct sigcontext * scp) { --- 93,98 ---- *************** *** 116,122 **** #else ! #ifdef USE_SIG_PIPE /* master_sigchld - force wakeup from select() */ --- 115,139 ---- #else ! /* master_sighup - register arrival of hangup signal */ ! ! static void master_sighup(int sig) ! { ! int saved_errno = errno; ! ! /* ! * WARNING WARNING WARNING. ! * ! * This code runs at unpredictable moments, as a signal handler. Don't put ! * any code here other than for setting a global flag, or code that is ! * intended to be run within a signal handler. Restore errno in case we ! * are interrupting the epilog of a failed system call. ! */ ! master_gotsighup = sig; ! 
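Review bot: The in-place truncation `state.msg_attr.local[strlen(state.msg_attr.user)] = 0;` relies on an invariant the comments do not state: that `user` is a copy of `local` already cut at the recipient delimiter, so its length is a valid index into `local`. The call that splits `user` is outside the hunk, so this is inferred rather than confirmed. The comment "Can't myfree + mystrdup" should also say why, presumably because other pointers still reference the `local` buffer. Suggested wording: `/* user is local cut at the delimiter, so strlen(user) indexes inside local; truncate in place because local may be referenced elsewhere. */`.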
if (write(SIG_PIPE_WRITE_FD, "", 1) != 1) ! msg_warn("write to SIG_PIPE_WRITE_FD failed: %m"); ! errno = saved_errno; ! } /* master_sigchld - force wakeup from select() */ *************** *** 132,137 **** --- 149,155 ---- * intended to be run within a signal handler. Restore errno in case we * are interrupting the epilog of a failed system call. */ + master_gotsigchld = 1; if (write(SIG_PIPE_WRITE_FD, "", 1) != 1) msg_warn("write to SIG_PIPE_WRITE_FD failed: %m"); errno = saved_errno; *************** *** 145,168 **** while (read(SIG_PIPE_READ_FD, c, 1) > 0) /* void */ ; - master_gotsigchld = 1; } - #else - - static void master_sigchld(int sig) - { - - /* - * WARNING WARNING WARNING. - * - * This code runs at unpredictable moments, as a signal handler. Don't put - * any code here other than for setting a global flag. - */ - master_gotsigchld = sig; - } - - #endif #endif /* master_sigdeath - die, women and children first */ --- 163,170 ---- diff -cr --new-file /var/tmp/postfix-2.5.11/src/smtp/smtp_proto.c ./src/smtp/smtp_proto.c *** /var/tmp/postfix-2.5.11/src/smtp/smtp_proto.c Tue Apr 28 16:00:34 2009 --- ./src/smtp/smtp_proto.c Sat Jan 8 19:28:38 2011 *************** *** 811,816 **** --- 811,819 ---- SMTP_RESP_FAKE(&fake, "4.7.5"), "Server certificate not verified")); + /* At this point there must not be any pending plaintext. */ + vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); + /* * At this point we have to re-negotiate the "EHLO" to reget the * feature-list. diff -cr --new-file /var/tmp/postfix-2.5.11/src/smtpd/smtpd.c ./src/smtpd/smtpd.c *** /var/tmp/postfix-2.5.11/src/smtpd/smtpd.c Mon Nov 22 15:58:59 2010 --- ./src/smtpd/smtpd.c Sat Jan 8 19:23:53 2011 *************** *** 3911,3916 **** --- 3911,3918 ---- smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS"); /* Flush before we switch the stream's read/write routines. */ smtp_flush(state->client); + /* At this point there must not be any pending plaintext. 
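Review bot: The new `master_sighup()` handler calls `msg_warn()` when the pipe write fails, which contradicts the WARNING comment directly above it: a logging routine that formats and emits text is not something that is safe to run inside a signal handler. The same pattern is in the `master_sigchld()` context of the next hunk and in the `watchdog_event()` hunk in util/watchdog.c. If the pipe is non-blocking (it is set up outside this diff, so unconfirmed), a failed write on a full pipe is harmless because a wakeup byte is already pending. I would drop the warning inside the handlers, `(void) write(SIG_PIPE_WRITE_FD, "", 1);`, and report failures from the main loop if that diagnostic is wanted.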
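Review bot: The comment above `vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);` says what must hold but not why, and this line is the whole fix for the issue the HISTORY entry names as CVE-2011-0411. A later cleanup could remove the call as redundant. I would expand it to something like `/* Discard input buffered before the TLS handshake: it arrived in plaintext and must not be parsed as if it came through the protected session (CVE-2011-0411). */`, and use the same wording in the smtpd/smtpd.c hunk. The enclosing function starts and ends outside the hunk.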
*/ + vstream_fpurge(state->client, VSTREAM_PURGE_BOTH); /* * Reset all inputs to the initial state. diff -cr --new-file /var/tmp/postfix-2.5.11/src/util/host_port.c ./src/util/host_port.c *** /var/tmp/postfix-2.5.11/src/util/host_port.c Tue Jan 18 20:22:18 2005 --- ./src/util/host_port.c Fri Feb 25 11:32:12 2011 *************** *** 95,116 **** #include /* host_port - parse string into host and port, destroy string */ const char *host_port(char *buf, char **host, char *def_host, char **port, char *def_service) { char *cp = buf; /* * [host]:port, [host]:, [host]. */ if (*cp == '[') { ! *host = ++cp; if ((cp = split_at(cp, ']')) == 0) return ("missing \"]\""); if (*cp && *cp++ != ':') return ("garbage after \"]\""); *port = *cp ? cp : def_service; } --- 95,135 ---- #include + /* + * Point-fix workaround. The libutil library should be email agnostic, but + * we can't rip up the library APIs in the stable releases. + */ + #include + #ifdef STRCASECMP_IN_STRINGS_H + #include + #endif + #define IPV6_COL "IPv6:" /* RFC 2821 */ + #define IPV6_COL_LEN (sizeof(IPV6_COL) - 1) + #define HAS_IPV6_COL(str) (strncasecmp((str), IPV6_COL, IPV6_COL_LEN) == 0) + /* host_port - parse string into host and port, destroy string */ const char *host_port(char *buf, char **host, char *def_host, char **port, char *def_service) { char *cp = buf; + int ipv6 = 0; /* * [host]:port, [host]:, [host]. + * [ipv6:ipv6addr]:port, [ipv6:ipv6addr]:, [ipv6:ipv6addr]. */ if (*cp == '[') { ! ++cp; ! if ((ipv6 = HAS_IPV6_COL(cp)) != 0) ! cp += IPV6_COL_LEN; ! *host = cp; if ((cp = split_at(cp, ']')) == 0) return ("missing \"]\""); if (*cp && *cp++ != ':') return ("garbage after \"]\""); + if (ipv6 && !valid_ipv6_hostaddr(*host, DONT_GRIPE)) + return ("malformed IPv6 address"); *port = *cp ? 
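Review bot: Plaintext that a client pipelines behind STARTTLS is discarded by `vstream_fpurge(state->client, VSTREAM_PURGE_BOTH);` without leaving any trace in the log. A well-behaved client waits for the 220 reply before sending anything, so unread input at this point is a useful signal for operators. If the stream layer can report whether unread bytes were pending (not visible in this hunk), a `msg_warn()` naming the client before the purge would make such attempts detectable. The enclosing function starts and ends outside the hunk.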
cp : def_service; } diff -cr --new-file /var/tmp/postfix-2.5.11/src/util/make_dirs.c ./src/util/make_dirs.c *** /var/tmp/postfix-2.5.11/src/util/make_dirs.c Tue Jan 18 20:22:19 2005 --- ./src/util/make_dirs.c Sat Jan 8 18:53:50 2011 *************** *** 37,42 **** --- 37,43 ---- #include #include #include + #include /* Utility library. */ *************** *** 49,60 **** --- 50,63 ---- int make_dirs(const char *path, int perms) { + const char *myname = "make_dirs"; char *saved_path; unsigned char *cp; int saved_ch; struct stat st; int ret; mode_t saved_mode = 0; + gid_t egid = -1; /* * Initialize. Make a copy of the path that we can safely clobber. *************** *** 117,122 **** --- 120,140 ---- break; } } + + /* + * Fix directory ownership when mkdir() ignores the effective + * GID. Don't change the effective UID for doing this. + */ + if ((ret = stat(saved_path, &st)) < 0) { + msg_warn("%s: stat %s: %m", myname, saved_path); + break; + } + if (egid == -1) + egid = getegid(); + if (st.st_gid != egid && (ret = chown(saved_path, -1, egid)) < 0) { + msg_warn("%s: chgrp %s: %m", myname, saved_path); + break; + } } if (saved_ch != 0) *cp = saved_ch; diff -cr --new-file /var/tmp/postfix-2.5.11/src/util/sys_defs.h ./src/util/sys_defs.h *** /var/tmp/postfix-2.5.11/src/util/sys_defs.h Mon Mar 22 16:03:29 2010 --- ./src/util/sys_defs.h Sun Feb 27 15:59:05 2011 *************** *** 111,117 **** #define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */ #endif ! #if __FreeBSD_version >= 800098 /* commit: r194262 */ #define HAS_CLOSEFROM #endif --- 111,118 ---- #define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */ #endif ! #if (__FreeBSD_version >= 702104 && __FreeBSD_version <= 800000) \ ! || __FreeBSD_version >= 800100 #define HAS_CLOSEFROM #endif *************** *** 506,512 **** * AIX: a SYSV-flavored hybrid. NB: fcntl() and flock() access the same * underlying locking primitives. */ ! 
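Review bot: The address syntax check `if (ipv6 && !valid_ipv6_hostaddr(*host, DONT_GRIPE))` runs only when the `IPv6:` tag is present, so an untagged `[host]` is still handed back to the caller unchecked and the two bracket forms now have different guarantees. That asymmetry, the stripping of the tag from `*host`, and the new "malformed IPv6 address" result are not described in the function's header block, which starts outside the hunk. I would add a comment at the check such as `/* Only tagged literals are validated here; the tag is stripped from *host and untagged [host] is left for the caller to validate. */` and list the new error string with the existing diagnostics.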
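Review bot: The sentinel test `if (egid == -1)` compares a `gid_t` with the int `-1`, and the declaration in the previous hunk is `gid_t egid = -1;`. On a platform where `gid_t` is unsigned and narrower than `int` the comparison is never true, so `getegid()` would never be called and the sentinel value itself would be passed to `chown()`. Writing `gid_t egid = (gid_t) -1;` and `if (egid == (gid_t) -1)` removes that dependence. Separately, `stat()` and `chown()` both resolve `saved_path` by name and follow symbolic links, so a comment should state that `make_dirs()` is only meant for parents that other users cannot write. The function body continues outside this hunk.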
#ifdef AIX5 #define SUPPORTED #include #define UINT32_TYPE unsigned int --- 507,513 ---- * AIX: a SYSV-flavored hybrid. NB: fcntl() and flock() access the same * underlying locking primitives. */ ! #if defined(AIX5) || defined(AIX6) #define SUPPORTED #include #define UINT32_TYPE unsigned int *************** *** 1264,1269 **** --- 1265,1281 ---- #endif /* + * Workaround: after a watchdog alarm signal, wake up from select/poll/etc. + * by writing to a pipe. Solaris needs this, and HP-UX apparently, too. The + * run-time cost is negligible so we just turn it on for all systems. As a + * side benefit, making this code system-independent will simplify the + * detection of bit-rot problems. + */ + #ifndef NO_WATCHDOG_PIPE + #define USE_WATCHDOG_PIPE + #endif + + /* * Defaults for systems without kqueue, /dev/poll or epoll support. * master/multi-server.c and *qmgr/qmgr_transport.c depend on this. */ diff -cr --new-file /var/tmp/postfix-2.5.11/src/util/watchdog.c ./src/util/watchdog.c *** /var/tmp/postfix-2.5.11/src/util/watchdog.c Wed Dec 6 20:32:46 2006 --- ./src/util/watchdog.c Mon Jan 17 09:55:24 2011 *************** *** 119,124 **** --- 119,149 ---- */ static WATCHDOG *watchdog_curr; + /* + * Workaround for systems where the alarm signal does not wakeup the event + * machinery, and therefore does not restart the watchdog timer in the + * single_server etc. skeletons. The symptom is that programs abort when the + * watchdog timeout is less than the max_idle time. 
+ */ + #ifdef USE_WATCHDOG_PIPE + #include + #include + #include + + static int watchdog_pipe[2]; + + /* watchdog_read - read event pipe */ + + static void watchdog_read(int unused_event, char *unused_context) + { + char ch; + + while (read(watchdog_pipe[0], &ch, 1) > 0) + /* void */ ; + } + + #endif /* USE_WATCHDOG_PIPE */ + /* watchdog_event - handle timeout event */ static void watchdog_event(int unused_sig) *************** *** 137,142 **** --- 162,175 ---- if (msg_verbose > 1) msg_info("%s: %p %d", myname, (void *) wp, wp->trip_run); if (++(wp->trip_run) < WATCHDOG_STEPS) { + #ifdef USE_WATCHDOG_PIPE + int saved_errno = errno; + + /* Wake up the events(3) engine. */ + if (write(watchdog_pipe[1], "", 1) != 1) + msg_warn("%s: write watchdog_pipe: %m", myname); + errno = saved_errno; + #endif alarm(wp->timeout); } else { if (wp->action) *************** *** 177,182 **** --- 210,224 ---- msg_fatal("%s: sigaction(SIGALRM): %m", myname); if (msg_verbose > 1) msg_info("%s: %p %d", myname, (void *) wp, timeout); + #ifdef USE_WATCHDOG_PIPE + if (watchdog_curr == 0) { + if (pipe(watchdog_pipe) < 0) + msg_fatal("%s: pipe: %m", myname); + non_blocking(watchdog_pipe[0], NON_BLOCKING); + non_blocking(watchdog_pipe[1], NON_BLOCKING); + event_enable_read(watchdog_pipe[0], watchdog_read, (char *) 0); + } + #endif return (watchdog_curr = wp); } *************** *** 193,198 **** --- 235,247 ---- if (wp->saved_time) alarm(wp->saved_time); myfree((char *) wp); + #ifdef USE_WATCHDOG_PIPE + if (watchdog_curr == 0) { + event_disable_readwrite(watchdog_pipe[0]); + (void) close(watchdog_pipe[0]); + (void) close(watchdog_pipe[1]); + } + #endif if (msg_verbose > 1) msg_info("%s: %p", myname, (void *) wp); }
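Review bot: In the `watchdog_create()` hunk the descriptors returned by `pipe(watchdog_pipe)` are made non-blocking but are not marked close-on-exec, so any program a daemon later executes would inherit both ends of the watchdog pipe. Whether callers close them before exec is not visible here. I would add `close_on_exec(watchdog_pipe[0], CLOSE_ON_EXEC);` and `close_on_exec(watchdog_pipe[1], CLOSE_ON_EXEC);` before the `event_enable_read()` call. `watchdog_create()` starts outside the hunk.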