exim4 upload to stable (dovecot stability / and optionally spf quoting)

Andreas Metzler ametzler at downhill.at.eu.org
Sat Jan 5 13:20:06 UTC 2013


Hello,

I would like to push this change to stable:

|------------------------------------------
| http://git.exim.org/exim.git/commit/3f1df0e341c4ddc4add38fa97d9d34972655a6c7
| 
| Dovecot: robustness; better msg on missing mech.
| 
| If the dovecot protocol response doesn't include the MECH message for
| the SMTP AUTH protocol the client has requested, that's not a protocol
| failure, don't log it as such.  Instead, explicitly log that it didn't
| advertise the mechanism we're looking for.  This lets administrators
| fix either their Exim or their Dovecot configurations.
| 
| Also: make the Dovecot handling more resistant to bad data from the
| auth server; handle too many fields with debug-log message to explain
| what's going on, permit lines of 8192 length per spec and detect if
| the line is too long, so that we can fail auth instead of becoming
| unsynchronised.
| 
| Stop using the CUID from the server as the AUTH id counter.  They're
| different, by my reading of the spec.
|------------------------------------------

This fixes an exim segfault when accessing a malicious dovecot AUTH
server. I have already talked with the security team, Moritz agrees
that this should be fixed in a point release. Testing already has the
fix since 4.80-6.


On top of this I would like to discuss whether it is acceptable to fix
http://bugs.debian.org/697057 in stable, too. [ I definitely want to
get the fix into testing - #697444.] The Debian configuration
optionally allows using spfquery to run SPF-checks on incoming mail.
Due to insufficient quoting it is possible to pass on arbitrary
arguments to spfquery and therefore bypass SPF checks. The fix is not
invasive, but it changes dpkg conffiles.

-------------------------------
diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
index ac347aa..4949587 100644
--- a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
+++ b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
@@ -265,10 +265,10 @@ acl_check_rcpt:
     log_message = SPF check failed.
     !acl = acl_local_deny_exceptions
     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
-                   \"$sender_host_address\" --identity \
+                   ${quote:$sender_host_address} --identity \
                    ${if def:sender_address_domain \
-                       {--scope mfrom  --identity \"$sender_address\"}\
-                       {--scope helo --identity  \"$sender_helo_name\"}}}\
+                       {--scope mfrom  --identity ${quote:$sender_address}}\
+                       {--scope helo --identity ${quote:$sender_helo_name}}}}\
                    {no}{${if eq {$runrc}{1}{yes}{no}}}}
 
   defer
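Review bot: replacing the literal `\"$sender_address\"` / `\"$sender_helo_name\"` / `\"$sender_host_address\"` wrappers with `${quote:...}` is the right fix for the three changed lines: `${run}` splits its command string on whitespace while honouring double quotes, so surrounding a raw variable with `\"...\"` does nothing about a double quote or backslash inside the value itself, whereas `${quote:}` escapes those characters and the whole value stays a single argument to spfquery. Because 30_exim4-config_check_rcpt is a dpkg conffile, sites that have edited it locally will keep the old quoting after the upgrade; a NEWS.Debian or changelog entry telling those admins to apply exactly these `--ip` and `--identity` changes by hand would be worth shipping with the upload.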
-------------------------------

thanks, cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
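To make the quoting problem in the SPF ACL concrete, here is a small model (added here as an illustration; it is not part of the mail, of the Debian package, or of Exim itself) of why the `\"$var\"` form is unsafe and why `${quote:}` fixes it. `exim_quote` follows the documented behaviour of Exim's `${quote:}` operator (quote if empty or if anything outside letters, digits, `_`, `.`, `-` is present; escape `"` and `\`), while `split_run_args` is a deliberately simplified model of how `${run{...}}` splits its command string (whitespace separates, double quotes group, backslash escapes inside quotes); the splitter, the `--hypothetical-flag` token and the host/HELO values are constructed for the example and are not taken from spfquery or the page.

```python
import re

SPFQUERY = "/usr/bin/spfquery.mail-spf-perl"  # path from the Debian ACL on the page


def exim_quote(value: str) -> str:
    """Model of Exim's ${quote:...} operator.

    Documented behaviour: the value is left alone if it is non-empty and
    consists only of letters, digits, '_', '.' and '-'; otherwise it is
    wrapped in double quotes with embedded '"' and '\\' backslash-escaped
    (newline and carriage return become \\n and \\r).
    """
    if value != "" and re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return value
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
               .replace("\n", "\\n").replace("\r", "\\r"))
    return f'"{escaped}"'


def split_run_args(command: str) -> list[str]:
    """Simplified model (assumption, not Exim's real parser) of how ${run{...}}
    turns its command string into an argv: whitespace separates arguments,
    double quotes group text, and a backslash escapes the next character
    inside quotes. Good enough to show the one-argument vs. many-arguments
    difference that matters here."""
    args, cur, in_quote, seen_quote, i = [], [], False, False, 0
    while i < len(command):
        c = command[i]
        if in_quote:
            if c == "\\" and i + 1 < len(command):
                nxt = command[i + 1]
                cur.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
                i += 2
                continue
            if c == '"':
                in_quote = False
            else:
                cur.append(c)
        elif c == '"':
            in_quote, seen_quote = True, True  # "" must still yield an empty arg
        elif c.isspace():
            if cur or seen_quote:
                args.append("".join(cur))
                cur, seen_quote = [], False
        else:
            cur.append(c)
        i += 1
    if cur or seen_quote:
        args.append("".join(cur))
    return args


def build_naive(host: str, helo: str) -> list[str]:
    """The pre-fix conffile shape: values dropped into literal \\"...\\" pairs,
    so a '"' inside the value ends the quoted region early."""
    cmd = f'{SPFQUERY} --ip "{host}" --scope helo --identity "{helo}"'
    return split_run_args(cmd)


def build_fixed(host: str, helo: str) -> list[str]:
    """The post-fix shape from the patch: each value passed through ${quote:}."""
    cmd = (f"{SPFQUERY} --ip {exim_quote(host)} --scope helo "
           f"--identity {exim_quote(helo)}")
    return split_run_args(cmd)


def identity_is_intact(argv: list[str], helo: str) -> bool:
    """Defender's check: spfquery must see exactly the 7 intended arguments and
    the HELO value must arrive unchanged as the final one."""
    return len(argv) == 7 and argv[-1] == helo


# Constructed sample values: a benign HELO and one carrying a stray double quote.
HOST = "192.0.2.10"
HELO_OK = "mail.example.org"
HELO_BAD = 'x" --hypothetical-flag "y'   # constructed; the flag name is made up

if __name__ == "__main__":
    for helo in (HELO_OK, HELO_BAD):
        print("naive:", build_naive(HOST, helo), identity_is_intact(build_naive(HOST, helo), helo))
        print("fixed:", build_fixed(HOST, helo), identity_is_intact(build_fixed(HOST, helo), helo))
```

With the harmless HELO both forms produce the same seven-element argv. With a value containing a double quote, the naive form hands spfquery extra arguments it was never meant to see, while the `${quote:}` form keeps the whole value in a single `--identity` argument, which is exactly what the patch above changes.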