Diffstat (limited to 'mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch')
-rw-r--r-- | mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch | 481 |
1 files changed, 481 insertions, 0 deletions
diff --git a/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch b/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch
new file mode 100644
index 0000000..af38319
--- /dev/null
+++ b/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch
@@ -0,0 +1,481 @@ +diff --git a/HISTORY b/HISTORY +index 73db63f..bfc98a1 100644 +--- a/HISTORY ++++ b/HISTORY +@@ -13599,3 +13599,9 @@ Apologies for any names omitted. + prevent dovecot-auth memory wastage. Timo Sirainen. File: + xsasl/xsasl_dovecot_server.c. + ++20080725 ++ ++ Paranoia: defer delivery when a mailbox file is not owned ++ by the recipient. Requested by Sebastian Krahmer, SuSE. ++ Specify "strict_mailbox_ownership=no" to ignore ownership ++ discrepancies. Files: local/mailbox.c, virtual/mailbox.c. +diff --git a/RELEASE_NOTES b/RELEASE_NOTES +index cf371e5..fb5f4cd 100644 +--- a/RELEASE_NOTES ++++ b/RELEASE_NOTES +@@ -11,6 +11,14 @@ instead, a new snapshot is released. + The mail_release_date configuration parameter (format: yyyymmdd) + specifies the release date of a stable release or snapshot release. + ++Incompatibility with Postfix 2.4.7 ++================================== ++ ++When a mailbox file is not owned by its recipient, the local and ++virtual delivery agents now log a warning and defer delivery. ++Specify "strict_mailbox_ownership = no" to ignore such ownership ++discrepancies. ++ + Incompatibility with Postfix 2.4.4 + ================================== + +diff --git a/html/local.8.html b/html/local.8.html +index de3fd4f..9cece01 100644 +--- a/html/local.8.html ++++ b/html/local.8.html +@@ -394,6 +394,12 @@ LOCAL(8) LOCAL(8) + attempt; do not update the Delivered-To: address + while expanding aliases or .forward files. + ++ Available in Postfix version 2.4.7-r1 and later: ++ ++ <b><a href="postconf.5.html#strict_mailbox_ownership">strict_mailbox_ownership</a> (yes)</b> ++ Defer delivery when a mailbox file is not owned by ++ its recipient. 
++ + <b>DELIVERY METHOD CONTROLS</b> + The precedence of <a href="local.8.html"><b>local</b>(8)</a> delivery methods from high to + low is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, +@@ -532,6 +538,12 @@ LOCAL(8) LOCAL(8) + agent allows in $name expansions of $<a href="postconf.5.html#command_execution_directory">command_execu</a>- + <a href="postconf.5.html#command_execution_directory">tion_directory</a>. + ++ Available in Postfix version 2.4.7-r1 and later: ++ ++ <b><a href="postconf.5.html#strict_mailbox_ownership">strict_mailbox_ownership</a> (yes)</b> ++ Defer delivery when a mailbox file is not owned by ++ its recipient. ++ + <b>MISCELLANEOUS CONTROLS</b> + <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and +diff --git a/html/postconf.5.html b/html/postconf.5.html +index a19b6b3..7952563 100644 +--- a/html/postconf.5.html ++++ b/html/postconf.5.html +@@ -11602,6 +11602,17 @@ This feature is available in Postfix 2.0 and later. + + </DD> + ++<DT><b><a name="strict_mailbox_ownership">strict_mailbox_ownership</a> ++(default: yes)</b></DT><DD> ++ ++<p> Defer delivery when a mailbox file is not owned by its recipient. ++The default setting is not backwards compatible. </p> ++ ++<p> This feature is available in Postfix 2.4.7-r1 and later. </p> ++ ++ ++</DD> ++ + <DT><b><a name="strict_mime_encoding_domain">strict_mime_encoding_domain</a> + (default: no)</b></DT><DD> + +diff --git a/html/virtual.8.html b/html/virtual.8.html +index 3d7e526..0341911 100644 +--- a/html/virtual.8.html ++++ b/html/virtual.8.html +@@ -200,9 +200,15 @@ VIRTUAL(8) VIRTUAL(8) + destination for final delivery to domains listed + with $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>. 
+ ++ Available in Postfix version 2.4.7-r1 and later: ++ ++ <b><a href="postconf.5.html#strict_mailbox_ownership">strict_mailbox_ownership</a> (yes)</b> ++ Defer delivery when a mailbox file is not owned by ++ its recipient. ++ + <b>LOCKING CONTROLS</b> + <b><a href="postconf.5.html#virtual_mailbox_lock">virtual_mailbox_lock</a> (see 'postconf -d' output)</b> +- How to lock a UNIX-style <a href="virtual.8.html"><b>virtual</b>(8)</a> mailbox before ++ How to lock a UNIX-style <a href="virtual.8.html"><b>virtual</b>(8)</a> mailbox before + attempting delivery. + + <b><a href="postconf.5.html#deliver_lock_attempts">deliver_lock_attempts</a> (20)</b> +@@ -210,41 +216,41 @@ VIRTUAL(8) VIRTUAL(8) + sive lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile. + + <b><a href="postconf.5.html#deliver_lock_delay">deliver_lock_delay</a> (1s)</b> +- The time between attempts to acquire an exclusive ++ The time between attempts to acquire an exclusive + lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile. + + <b><a href="postconf.5.html#stale_lock_time">stale_lock_time</a> (500s)</b> +- The time after which a stale exclusive mailbox ++ The time after which a stale exclusive mailbox + lockfile is removed. + + <b>RESOURCE AND RATE CONTROLS</b> + <b><a href="postconf.5.html#virtual_destination_concurrency_limit">virtual_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b> + <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b> +- The maximal number of parallel deliveries to the +- same destination via the virtual message delivery ++ The maximal number of parallel deliveries to the ++ same destination via the virtual message delivery + transport. 
+ + <b><a href="postconf.5.html#virtual_destination_recipient_limit">virtual_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b> + <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b> +- The maximal number of recipients per delivery via ++ The maximal number of recipients per delivery via + the virtual message delivery transport. + + <b><a href="postconf.5.html#virtual_mailbox_limit">virtual_mailbox_limit</a> (51200000)</b> +- The maximal size in bytes of an individual mailbox ++ The maximal size in bytes of an individual mailbox + or maildir file, or zero (no limit). + + <b>MISCELLANEOUS CONTROLS</b> + <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> +- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and ++ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and + <a href="master.5.html">master.cf</a> configuration files. + + <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> +- How much time a Postfix daemon process may take to +- handle a request before it is terminated by a ++ How much time a Postfix daemon process may take to ++ handle a request before it is terminated by a + built-in watchdog timer. + + <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> +- The maximal number of digits after the decimal ++ The maximal number of digits after the decimal + point when logging sub-second delay values. + + <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> +@@ -252,33 +258,33 @@ VIRTUAL(8) VIRTUAL(8) + over an internal communication channel. 
+ + <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> +- The maximum amount of time that an idle Postfix +- daemon process waits for an incoming connection ++ The maximum amount of time that an idle Postfix ++ daemon process waits for an incoming connection + before terminating voluntarily. + + <b><a href="postconf.5.html#max_use">max_use</a> (100)</b> +- The maximal number of incoming connections that a +- Postfix daemon process will service before termi- ++ The maximal number of incoming connections that a ++ Postfix daemon process will service before termi- + nating voluntarily. + + <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> +- The process ID of a Postfix command or daemon ++ The process ID of a Postfix command or daemon + process. + + <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> +- The process name of a Postfix command or daemon ++ The process name of a Postfix command or daemon + process. + + <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b> +- The location of the Postfix top-level queue direc- ++ The location of the Postfix top-level queue direc- + tory. + + <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> + The syslog facility of Postfix logging. + + <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b> +- The mail system name that is prepended to the +- process name in syslog records, so that "smtpd" ++ The mail system name that is prepended to the ++ process name in syslog records, so that "smtpd" + becomes, for example, "postfix/smtpd". + + <b>SEE ALSO</b> +@@ -291,20 +297,20 @@ VIRTUAL(8) VIRTUAL(8) + <a href="VIRTUAL_README.html">VIRTUAL_README</a>, domain hosting howto + + <b>LICENSE</b> +- The Secure Mailer license must be distributed with this ++ The Secure Mailer license must be distributed with this + software. 
+ + <b>HISTORY</b> +- This delivery agent was originally based on the Postfix +- local delivery agent. Modifications mainly consisted of +- removing code that either was not applicable or that was +- not safe in this context: aliases, ~user/.forward files, ++ This delivery agent was originally based on the Postfix ++ local delivery agent. Modifications mainly consisted of ++ removing code that either was not applicable or that was ++ not safe in this context: aliases, ~user/.forward files, + delivery to "|command" or to /file/name. + + The <b>Delivered-To:</b> message header appears in the <b>qmail</b> sys- + tem by Daniel Bernstein. + +- The <b>maildir</b> structure appears in the <b>qmail</b> system by ++ The <b>maildir</b> structure appears in the <b>qmail</b> system by + Daniel Bernstein. + + <b>AUTHOR(S)</b> +diff --git a/man/man5/postconf.5 b/man/man5/postconf.5 +index 7af763b..ba9f36a 100644 +--- a/man/man5/postconf.5 ++++ b/man/man5/postconf.5 +@@ -7062,6 +7062,11 @@ This feature should not be enabled on a general purpose mail server, + because it is likely to reject legitimate email. + .PP + This feature is available in Postfix 2.0 and later. ++.SH strict_mailbox_ownership (default: yes) ++Defer delivery when a mailbox file is not owned by its recipient. ++The default setting is not backwards compatible. ++.PP ++This feature is available in Postfix 2.4.7-r1 and later. + .SH strict_mime_encoding_domain (default: no) + Reject mail with invalid Content-Transfer-Encoding: information + for the message/* or multipart/* MIME content types. This blocks +diff --git a/man/man8/local.8 b/man/man8/local.8 +index 4452007..5af15a9 100644 +--- a/man/man8/local.8 ++++ b/man/man8/local.8 +@@ -412,6 +412,10 @@ Update the \fBlocal\fR(8) delivery agent's idea of the Delivered-To: + address (see prepend_delivered_header) only once, at the start of + a delivery attempt; do not update the Delivered-To: address while + expanding aliases or .forward files. 
++.PP ++Available in Postfix version 2.4.7-r1 and later: ++.IP "\fBstrict_mailbox_ownership (yes)\fR" ++Defer delivery when a mailbox file is not owned by its recipient. + .SH "DELIVERY METHOD CONTROLS" + .na + .nf +@@ -510,7 +514,7 @@ Restrict \fBlocal\fR(8) mail delivery to external commands. + Restrict \fBlocal\fR(8) mail delivery to external files. + .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" + Restrict the characters that the \fBlocal\fR(8) delivery agent allows in +-$name expansions of $mailbox_command. ++$name expansions of $mailbox_command and $command_execution_directory. + .IP "\fBdefault_privs (nobody)\fR" + The default rights used by the \fBlocal\fR(8) delivery agent for delivery + to external file or command. +@@ -522,6 +526,10 @@ Available in Postfix version 2.2 and later: + .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" + Restrict the characters that the \fBlocal\fR(8) delivery agent allows + in $name expansions of $command_execution_directory. ++.PP ++Available in Postfix version 2.4.7-r1 and later: ++.IP "\fBstrict_mailbox_ownership (yes)\fR" ++Defer delivery when a mailbox file is not owned by its recipient. + .SH "MISCELLANEOUS CONTROLS" + .na + .nf +diff --git a/man/man8/virtual.8 b/man/man8/virtual.8 +index b45ac26..22e41b5 100644 +--- a/man/man8/virtual.8 ++++ b/man/man8/virtual.8 +@@ -213,6 +213,10 @@ mail is delivered via the $virtual_transport mail delivery transport. + .IP "\fBvirtual_transport (virtual)\fR" + The default mail delivery transport and next-hop destination for + final delivery to domains listed with $virtual_mailbox_domains. ++.PP ++Available in Postfix version 2.4.7-r1 and later: ++.IP "\fBstrict_mailbox_ownership (yes)\fR" ++Defer delivery when a mailbox file is not owned by its recipient. 
+ .SH "LOCKING CONTROLS"
+ .na
+ .nf
+diff --git a/mantools/postlink b/mantools/postlink
+index b4771d9..e2503ca 100755
+--- a/mantools/postlink
++++ b/mantools/postlink
+@@ -496,6 +496,7 @@ while (<>) {
+ s;\bstrict_8bitmime\b;<a href="postconf.5.html#strict_8bitmime">$&</a>;g;
+ s;\bstrict_8bitmime_body\b;<a href="postconf.5.html#strict_8bitmime_body">$&</a>;g;
+ s;\bstrict_mime_encoding_domain\b;<a href="postconf.5.html#strict_mime_encoding_domain">$&</a>;g;
++ s;\bstrict_mailbox_ownership\b;<a href="postconf.5.html#strict_mailbox_ownership">$&</a>;g;
+ s;\bstrict_rfc821_envelopes\b;<a href="postconf.5.html#strict_rfc821_envelopes">$&</a>;g;
+ s;\bsun_mailtool_compatibility\b;<a href="postconf.5.html#sun_mailtool_compatibility">$&</a>;g;
+ s;\bswap_bangpath\b;<a href="postconf.5.html#swap_bangpath">$&</a>;g;
+diff --git a/proto/postconf.proto b/proto/postconf.proto
+index f5a90ed..7761e7e 100644
+--- a/proto/postconf.proto
++++ b/proto/postconf.proto
+@@ -10586,3 +10586,10 @@ to the SASL authcid, but this causes inter-operability problems
+ with some SMTP servers. </p>
+ 
+ <p> This feature is available in Postfix 2.4.4 and later. </p>
++
++%PARAM strict_mailbox_ownership yes
++
++<p> Defer delivery when a mailbox file is not owned by its recipient.
++The default setting is not backwards compatible. </p>
++
++<p> This feature is available in Postfix 2.4.7-r1 and later. </p>
+diff --git a/src/global/mail_params.h b/src/global/mail_params.h
+index 2785921..9cf6216 100644
+--- a/src/global/mail_params.h
++++ b/src/global/mail_params.h
+@@ -2783,6 +2783,13 @@ extern char *var_milt_v;
+ #define DEF_INT_FILT_CLASSES ""
+ extern char *var_int_filt_classes;
+ 
++ /*
++ * Mailbox ownership.
++ */
++#define VAR_STRICT_MBOX_OWNER "strict_mailbox_ownership"
++#define DEF_STRICT_MBOX_OWNER 1
++extern bool var_strict_mbox_owner;
++
+ /* LICENSE
+ /* .ad
+ /* .fi
+diff --git a/src/global/mail_version.h b/src/global/mail_version.h
+index ae94ab9..7ceadad 100644
+--- a/src/global/mail_version.h
++++ b/src/global/mail_version.h
+@@ -20,8 +20,8 @@
+ * Patches change both the patchlevel and the release date. Snapshots have no
+ * patchlevel; they change the release date only.
+ */
+-#define MAIL_RELEASE_DATE "20080131"
+-#define MAIL_VERSION_NUMBER "2.4.7"
++#define MAIL_RELEASE_DATE "20080726"
++#define MAIL_VERSION_NUMBER "2.4.7-r1"
+ 
+ #ifdef SNAPSHOT
+ # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
+diff --git a/src/local/local.c b/src/local/local.c
+index 557be6f..72ea49f 100644
+--- a/src/local/local.c
++++ b/src/local/local.c
+@@ -378,6 +378,10 @@
+ /* address (see prepend_delivered_header) only once, at the start of
+ /* a delivery attempt; do not update the Delivered-To: address while
+ /* expanding aliases or .forward files.
++/* .PP
++/* Available in Postfix version 2.4.7-r1 and later:
++/* .IP "\fBstrict_mailbox_ownership (yes)\fR"
++/* Defer delivery when a mailbox file is not owned by its recipient.
+ /* DELIVERY METHOD CONTROLS
+ /* .ad
+ /* .fi
+@@ -468,7 +472,7 @@
+ /* Restrict \fBlocal\fR(8) mail delivery to external files.
+ /* .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR"
+ /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
+-/* $name expansions of $mailbox_command.
++/* $name expansions of $mailbox_command and $command_execution_directory.
+ /* .IP "\fBdefault_privs (nobody)\fR"
+ /* The default rights used by the \fBlocal\fR(8) delivery agent for delivery
+ /* to external file or command.
+@@ -480,6 +484,10 @@
+ /* .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR"
+ /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows
+ /* in $name expansions of $command_execution_directory.
++/* .PP
++/* Available in Postfix version 2.4.7-r1 and later:
++/* .IP "\fBstrict_mailbox_ownership (yes)\fR"
++/* Defer delivery when a mailbox file is not owned by its recipient.
+ /* MISCELLANEOUS CONTROLS
+ /* .ad
+ /* .fi
+@@ -641,6 +649,7 @@ int var_mailtool_compat;
+ char *var_mailbox_lock;
+ int var_mailbox_limit;
+ bool var_frozen_delivered;
++bool var_strict_mbox_owner;
+ 
+ int local_cmd_deliver_mask;
+ int local_file_deliver_mask;
+@@ -887,6 +896,7 @@ int main(int argc, char **argv)
+ VAR_STAT_HOME_DIR, DEF_STAT_HOME_DIR, &var_stat_home_dir,
+ VAR_MAILTOOL_COMPAT, DEF_MAILTOOL_COMPAT, &var_mailtool_compat,
+ VAR_FROZEN_DELIVERED, DEF_FROZEN_DELIVERED, &var_frozen_delivered,
++ VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner,
+ 0,
+ };
+ 
+diff --git a/src/local/mailbox.c b/src/local/mailbox.c
+index 92bd79d..d35ef66 100644
+--- a/src/local/mailbox.c
++++ b/src/local/mailbox.c
+@@ -194,6 +194,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
+ vstream_fclose(mp->fp);
+ dsb_simple(why, "5.2.0",
+ "destination %s is not a regular file", mailbox);
++ } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
++ vstream_fclose(mp->fp);
++ dsb_simple(why, "4.2.0",
++ "destination %s is not owned by recipient", mailbox);
++ msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
++ VAR_STRICT_MBOX_OWNER);
+ } else {
+ end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
+ mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
+diff --git a/src/virtual/mailbox.c b/src/virtual/mailbox.c
+index 09fc54b..f0ad6eb 100644
+--- a/src/virtual/mailbox.c
++++ b/src/virtual/mailbox.c
+@@ -125,6 +125,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
+ msg_warn("recipient %s: destination %s is not a regular file",
+ state.msg_attr.rcpt.address, usr_attr.mailbox);
+ dsb_simple(why, "5.3.5", "mail system configuration error");
++ } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
++ vstream_fclose(mp->fp);
++ dsb_simple(why, "4.2.0",
++ "destination %s is not owned by recipient", usr_attr.mailbox);
++ msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
++ VAR_STRICT_MBOX_OWNER);
+ } else {
+ end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
+ mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
+diff --git a/src/virtual/virtual.c b/src/virtual/virtual.c
+index 7d6e1b8..57b4098 100644
+--- a/src/virtual/virtual.c
++++ b/src/virtual/virtual.c
+@@ -183,6 +183,10 @@
+ /* .IP "\fBvirtual_transport (virtual)\fR"
+ /* The default mail delivery transport and next-hop destination for
+ /* final delivery to domains listed with $virtual_mailbox_domains.
++/* .PP
++/* Available in Postfix version 2.4.7-r1 and later:
++/* .IP "\fBstrict_mailbox_ownership (yes)\fR"
++/* Defer delivery when a mailbox file is not owned by its recipient.
+ /* LOCKING CONTROLS
+ /* .ad
+ /* .fi
+@@ -329,6 +333,7 @@ char *var_virt_mailbox_base;
+ char *var_virt_mailbox_lock;
+ int var_virt_mailbox_limit;
+ char *var_mail_spool_dir; /* XXX dependency fix */
++bool var_strict_mbox_owner;
+ 
+ /*
+ * Mappings.
+@@ -504,6 +509,10 @@ int main(int argc, char **argv)
+ VAR_VIRT_MAILBOX_LOCK, DEF_VIRT_MAILBOX_LOCK, &var_virt_mailbox_lock, 1, 0,
+ 0,
+ };
++ static const CONFIG_BOOL_TABLE bool_table[] = {
++ VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner,
++ 0,
++ };
+ 
+ /*
+ * Fingerprint executables and core dumps.
+@@ -513,6 +522,7 @@ int main(int argc, char **argv) + single_server_main(argc, argv, local_service, + MAIL_SERVER_INT_TABLE, int_table, + MAIL_SERVER_STR_TABLE, str_table, ++ MAIL_SERVER_BOOL_TABLE, bool_table, + MAIL_SERVER_PRE_INIT, pre_init, + MAIL_SERVER_POST_INIT, post_init, + MAIL_SERVER_PRE_ACCEPT, pre_accept, |
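Review bot: In the src/virtual/mailbox.c hunk, the new ownership branch puts the mailbox path into the deferral status (`"destination %s is not owned by recipient", usr_attr.mailbox`) while its msg_warn names neither the recipient nor the path, which is the reverse of the adjacent not-a-regular-file branch that logs `recipient %s: destination %s` and keeps the DSN text at the generic "mail system configuration error". A deferral reason may be echoed to the sender in delayed-mail notices, and for a virtual mailbox the path is a server-side detail, so mirroring the sibling is the safer split: `msg_warn("recipient %s: destination %s is not owned by recipient (specify \"%s = no\" to ignore)", state.msg_attr.rcpt.address, usr_attr.mailbox, VAR_STRICT_MBOX_OWNER);` followed by `dsb_simple(why, "4.2.0", "mail system configuration error");`. The src/local/mailbox.c copy already matches its own sibling branch and names the recipient's own mailbox, so it can stay as is. deliver_mailbox_file starts and ends outside both hunks, so the fstat that fills st is not visible here. The html, man and proto additions advertise the parameter as available in "Postfix version 2.4.7-r1", which is this distribution's revision string rather than an upstream release, so administrators cross-checking upstream postconf(5) may not find it under that version.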